How to make a process invisible to other users?

Solution 1

Linux kernel since 3.3 contains support for hiding processes from other users.

It is done by hidepid= and gid= mount options for /proc as described in the corresponding commit and Documentation/filesystems/proc.txt.

Debian Wheezy also includes this feature.
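As an added example (not part of the answer above), here is a small POSIX shell script that shows what the mount options from proc.txt look like in `/etc/fstab` and audits the running system's `/proc` mount for them. The option semantics in the comments are those documented in proc.txt; the function names and the sample `mountinfo` line are my own constructions.

```shell
#!/bin/sh
# Added example: audit and configure hidepid on /proc.
#
# Option semantics (Documentation/filesystems/proc.txt):
#   hidepid=0  default: every user can read every /proc/<pid>
#   hidepid=1  users may only read their own /proc/<pid>/ entries,
#              but other pids are still listed in /proc
#   hidepid=2  other users' processes are not listed in /proc at all
#   gid=N      members of group N are exempt, e.g. a monitoring group
# Kernels from 5.8 also accept the names off/noaccess/invisible/ptraceable.

# Print the value of superblock option KEY from one /proc/self/mountinfo
# line, or DEFAULT when the option is absent. Only proc mounts qualify.
# Usage: proc_mount_opt LINE KEY DEFAULT
proc_mount_opt() {
    line=$1
    key=$2
    value=$3
    case "$line" in
        *' - proc '*) ;;
        *) echo 'not-proc'; return 1 ;;
    esac
    # The superblock options are the last whitespace-delimited field.
    opts=${line##* }
    old_ifs=$IFS
    IFS=','
    set -- $opts
    IFS=$old_ifs
    for opt in "$@"; do
        case "$opt" in
            "$key"=*) value=${opt#"$key"=} ;;
        esac
    done
    echo "$value"
}

# Same lookup against the live system (first proc mount found).
# Usage: current_proc_opt KEY DEFAULT
current_proc_opt() {
    line=$(grep ' - proc ' /proc/self/mountinfo 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "$2"; return 0; }
    proc_mount_opt "$line" "$1" "$2"
}

# Print the /etc/fstab entry that applies LEVEL and exempts group GID.
# Usage: fstab_entry LEVEL GID
fstab_entry() {
    printf 'proc /proc proc defaults,hidepid=%s,gid=%s 0 0\n' "$1" "$2"
}

# Report the live setting when run directly (remount with
# "mount -o remount,hidepid=2,gid=<gid> /proc" to change it at runtime).
if [ -r /proc/self/mountinfo ]; then
    printf 'hidepid on this system: %s (gid exemption: %s)\n' \
        "$(current_proc_opt hidepid 0)" "$(current_proc_opt gid none)"
fi
```

The exempt group matters in practice: monitoring agents and administrators who are not root still need to see every process, so put them in the group named by `gid=` rather than loosening `hidepid` for everyone.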

Solution 2

The top command reads the data from proc, which is provided directly from the kernel. In order to hide processes, you'd have to use code inside the kernel to do the masking.

Aside from using a security framework like SELinux and grsecurity (mentioned in the other answers), rootkit-style code is your only remaining option. I say "style" because a "rootkit" by itself isn't bad, it's how it's used. There are perfectly legitimate reasons behind hiding processes from other users, which is why this capability exists in security frameworks.

The basic route you'd have to follow to get this to work is to hook into (or hijack, depending on how you look at it) the function(s) in the linux kernel that hand out the /proc/pid/ data. I demonstrate one method of hooking into linux kernel functions in a security module I wrote:

https://github.com/cormander/tpe-lkm

The "high level" code for this is in the hijack_syscalls() method in security.c, and the devil-in-the-details magic behind it is in the hijacks.c file.

You'll likely find the function(s) you'll want to hook into in the fs/proc/ directory of the source code of the linux kernel. Keep in mind that linux does not provide a stable ABI, so your code will need to change somewhat in order to get it working in different versions of the linux kernel. Also, keep in mind that you need full root access to the machine to be able to insert this code.

UPDATE:

If you wrap the pid_getattr kernel symbol with some additional code, it's real easy to do this. I recently added something that hides processes to the above kernel module:

https://github.com/cormander/tpe-lkm/commit/899bd5d74764af343d5fee1d8058756ddc63bfe3

You could do something similar by making the processes of a certain user or group not viewable by anyone except root and that user. Doing it by process name is a bit more complex, but possible. Have a look at the exe_from_mm() function. Note that there may be performance implications of using it inside of pid_getattr.

Solution 3

It seems there are two main options.

  • Selinux works by putting different people into different security domains and in a sense sand-boxing them so they can't see each other's stuff. This is covered in this question. Since selinux is quickly becoming the de-facto security framework in the Linux world this is probably the direction you should look.

  • The other is grsecurity as mentioned by marioosh and as asked in this question. Some distros have alternative kernel packages with grsecurity patches applied. If yours has this you might look into using them.

If for some reason you want to do this without the addition of a security framework like selinux or grsecurity, please explain how what you are doing is not writing a root-kit.

Solution 4

You could override your argv[0] with another name... but strictly speaking, you're looking for some kind of rootkit. This may help you out: http://stupefydeveloper.blogspot.com/2008/10/linux-change-process-name.html

Solution 5

It is not so simple on a standard linux box. Look at grsecurity, but it requires patching the kernel etc.

Author: Debugger

Updated on September 18, 2022

Comments

  • Debugger
    Debugger almost 2 years

    How could you launch a process and make it invisible to the top command? The process is started by a normal user (not root), and should not be visible to other normal users.

    • Admin
      Admin almost 13 years
      That kind of defeats the purpose of top and would be far too easy to abuse. Why not simply rename the process? this_is_not_the_process_you_are_looking_for?
    • Admin
      Admin almost 13 years
      I see, what about hiding the user?
    • tcoolspy
      tcoolspy almost 13 years
      Please tell us you're not trying to write a root-kit. Can you explain your scenario so that perhaps we can suggest a better security architecture instead of one that is generally considered "evil" behavior?
    • Gilles 'SO- stop being evil'
      Gilles 'SO- stop being evil' almost 13 years
      You can use grsecurity or SELinux. Both require root intervention for the initial setup.
  • Kedar Vaidya
    Kedar Vaidya almost 13 years
    I think this comes standard with an selinux kernel.
  • Alex Miller
    Alex Miller almost 13 years
    Replacing 'top' doesn't stop a user from doing what top does.
  • LawrenceC
    LawrenceC almost 13 years
    No, but the question asked how to make processes invisible to the top command.