hubertf's NetBSD Blog
 
[20100605] Hiding other users' processes
Thus it was asked on #NetBSD:

    <batence> I wanna set the top command work only for users process, not for all system
    <batence> in freebsd command is sysctl security.bsd.see_other_uids=0/1
    <batence> but I dunno for netbsd
    <batence> eg I don't want users see other uids
    <batence> only which they owned

Looking at the output of "sysctl -a" didn't show anything obvious, but recalling the topic and with some digging, there actually is a sysctl switch for that in NetBSD: security.models.bsd44.curtain=1

Here's an example top(1) output with the default setting (0). My username is "feyrer"; note that besides my processes, other users' processes are shown as well:

    load averages:  0.02,  0.01,  0.00;               up 11+15:08:30                           18:38:56
    24 processes: 23 sleeping, 1 on CPU
    CPU states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
    Memory: 71M Act, 51M Inact, 552K Wired, 5560K Exec, 110M File, 27M Free
    Swap: 512M Total, 335M Used, 178M Free
    
      PID USERNAME PRI NICE   SIZE   RES STATE      TIME   WCPU    CPU COMMAND
        0 root     126    0     0K   16M pgdaemon   5:41  0.00%  0.00% [system]
      492 root      85    0  4792K  608K kqueue     0:06  0.00%  0.00% master
      113 root      85    0  2908K  860K select     0:05  0.00%  0.00% dhclient
      535 root      85    0  2900K  556K nanoslp    0:05  0.00%  0.00% cron
      155 root      85    0  2932K  548K kqueue     0:05  0.00%  0.00% syslogd
      496 postfix   85    0  4792K  888K kqueue     0:01  0.00%  0.00% qmgr
     4409 feyrer    43    0  2984K 1240K CPU        0:00  0.00%  0.00% top
     1197 root      85    0  8640K 3692K netio      0:00  0.00%  0.00% sshd
    24830 root      85    0  8640K 3692K netio      0:00  0.00%  0.00% sshd
     6949 feyrer    85    0  8640K 2828K select     0:00  0.00%  0.00% sshd
    28093 feyrer    85    0  8640K 2828K select     0:00  0.00%  0.00% sshd
    12391 feyrer    85    0  2132K 1876K pause      0:00  0.00%  0.00% tcsh
    25579 feyrer    85    0  2132K 1876K pause      0:00  0.00%  0.00% tcsh
     5773 postfix   85    0  4792K 1868K kqueue     0:00  0.00%  0.00% pickup
     1929 root      85    0  2128K 1828K ttyraw     0:00  0.00%  0.00% tcsh
    29212 root      85    0  2972K 1164K kqueue     0:00  0.00%  0.00% inetd
    25972 root      85    0  2824K 1076K pause      0:00  0.00%  0.00% ksh

Likewise, I see a number of processes in ps(1):

    % ps -aux | wc -l
          26

Now let's change the sysctl:

    # sysctl -d security.models.bsd44.curtain
    security.models.bsd44.curtain: Curtain information about objects to users not owning them.
    # sysctl -w security.models.bsd44.curtain=1
    security.models.bsd44.curtain: 0 -> 1

After this, the top(1) output looks like this:

    load averages:  0.02,  0.01,  0.00;               up 11+15:08:45                           18:39:11
    5 processes: 4 sleeping, 1 on CPU
    CPU states:  0.0% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.8% idle
    Memory: 71M Act, 51M Inact, 552K Wired, 5416K Exec, 110M File, 28M Free
    Swap: 512M Total, 335M Used, 178M Free
    
      PID USERNAME PRI NICE   SIZE   RES STATE      TIME   WCPU    CPU COMMAND
     4409 feyrer    43    0  2984K 1240K CPU        0:00  0.00%  0.00% top
    28093 feyrer    85    0  8640K 2828K select     0:00  0.00%  0.00% sshd
     6949 feyrer    85    0  8640K 2828K select     0:00  0.00%  0.00% sshd
    12391 feyrer    85    0  2132K 1876K pause      0:00  0.00%  0.00% tcsh
    25579 feyrer    85    0  2132K 1876K pause      0:00  0.00%  0.00% tcsh

This reduced set of processes is also shown in ps(1):

    % ps -aux | wc -l
           7

In other words, only my processes are displayed. (If you wonder about the difference between the 7 processes shown in top and the seven ps(1)-lines: the latter includes a heading).

Note that this "filtering" does not apply to the root user, i.e. he can still see all processes.
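
A setting made with "sysctl -w" is lost at reboot, and because root is exempt, the effect has to be checked from an ordinary account. The script below is an added example, not part of the original post: it assumes NetBSD's boot-time /etc/sysctl.conf with "name=value" lines, and the function names and the sample ps listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes NetBSD reads
# "name=value" lines from /etc/sysctl.conf at boot, and uses the knob
# name exactly as shown in the post.
KNOB=security.models.bsd44.curtain

# persist_curtain FILE: make FILE set $KNOB=1 exactly once (idempotent).
persist_curtain() {
    conf=$1
    tmp=$(mktemp) || return 1
    # Drop every live assignment of the knob (commented-out lines are
    # kept), then append the wanted value so a stale "=0" cannot win.
    if [ -f "$conf" ]; then
        awk -v k="$KNOB" '
            { line = $0; sub(/^[ \t]+/, "", line); split(line, kv, /[ \t]*=/) }
            kv[1] != k { print }' "$conf" > "$tmp"
    fi
    printf '%s=1\n' "$KNOB" >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# foreign_rows USER: read "ps -aux" output on stdin and print how many
# process rows are owned by someone other than USER. Under the curtain an
# unprivileged user should get 0; anything else means the view leaks.
foreign_rows() {
    awk -v me="$1" 'NR > 1 && $1 != me { n++ } END { print n + 0 }'
}

# Constructed sample: a trimmed ps listing as seen with curtain=0.
sample_ps() {
    cat <<'EOF'
USER     PID %CPU %MEM  VSZ  RSS TTY   STAT STARTED TIME COMMAND
root     492  0.0  0.2 4792  608 ?     Is   Mon03AM 0:06 master
postfix  496  0.0  0.3 4792  888 ?     I    Mon03AM 0:01 qmgr
feyrer 12391  0.0  0.7 2132 1876 ttyp1 Ss    6:30PM 0:00 -tcsh
EOF
}

# On a NetBSD host (as root):  sysctl -w $KNOB=1 && persist_curtain /etc/sysctl.conf
# Then as an ordinary user:    ps -aux | foreign_rows "$(id -un)"
echo "foreign rows in sample: $(sample_ps | foreign_rows feyrer)"
```
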

Copyright (c) Hubert Feyrer