Re: How to prevent users from seeing other users' processes with loginctl/systemctl?

Assuming you already have "hidepid" configured for /proc, you'll still need to block access to the corresponding systemd D-Bus call:

$ cat /etc/dbus-1/system.d/systemd-restrict.conf

<?xml version="1.0"?>
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
        <!-- root keeps full access to the method -->
        <policy user="root">
                <allow send_destination="org.freedesktop.systemd1"
                        send_interface="org.freedesktop.systemd1.Manager"
                        send_member="GetUnitProcesses"/>
        </policy>

        <!-- members of the "proc" group may still query unit processes -->
        <policy group="proc">
                <allow send_destination="org.freedesktop.systemd1"
                        send_interface="org.freedesktop.systemd1.Manager"
                        send_member="GetUnitProcesses"/>
        </policy>

        <!-- everyone else is refused; user/group policies above take precedence
             over this default-context rule regardless of their position in the file -->
        <policy context="default">
                <deny send_destination="org.freedesktop.systemd1"
                        send_interface="org.freedesktop.systemd1.Manager"
                        send_member="GetUnitProcesses"/>
        </policy>
</busconfig>


On Sun, Jun 4, 2023, 12:50 antisimus <antisimus@xxxxxxxxx> wrote:
Hello,

Is there a way to hide process information (pids, command line) and prevent one user from accessing other users' process information?

On a shared system this can be a potential security risk and I really do not like the idea of users inspecting each other's running processes.
Here I have user bob accessing user alice's process info, but the same can be done even to inspect the root user's processes.

systemd 247 (247.3-7+deb11u2)
Linux systemd-vps 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux


bob@systemd-vps:~$ loginctl user-status alice
alice (1002)
           Since: Sun 2023-06-04 08:37:18 UTC; 2min 39s ago
           State: active
        Sessions: *7
          Linger: no
            Unit: user-1002.slice
                  ├─session-7.scope
                  │ ├─1025 sshd: alice [priv]
                  │ ├─1046 sshd: alice@pts/1
                  │ ├─1047 -bash
                  │ ├─1305 bash myapp.sh
                  │ └─1306 sleep 5
                  └─user@1002.service
                    └─init.scope
                      ├─1028 /lib/systemd/systemd --user
                      └─1029 (sd-pam)


bob@systemd-vps:~$ loginctl user-status root
root (0)
           Since: Sun 2023-06-04 09:43:03 UTC; 3min 45s ago
           State: active
        Sessions: 5 *1
          Linger: no
            Unit: user-0.slice
                  ├─session-1.scope
                  │ ├─740 sshd: root@pts/0
                  │ ├─765 -bash
                  │ ├─769 su - bob
                  │ ├─770 -bash
                  │ ├─877 loginctl user-status root
                  │ └─878 less
                  ├─session-5.scope
                  │ ├─820 sshd: root@pts/2
                  │ ├─826 -bash
                  │ └─872 sleep 100
                  └─user@0.service
                    └─init.scope
                      ├─747 /lib/systemd/systemd --user
                      └─748 (sd-pam)
Best regards,
Ante
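To make the policy semantics behind the posted file concrete, here is an added Python model of how the bus daemon evaluates such rules. It is written for this archive page; it is not code from the thread or from dbus itself. It assumes the precedence described in dbus-daemon(1): all context="default" policies are applied first, then policies for the caller's groups, then policies for the caller's user, then context="mandatory" policies, with later matching rules overriding earlier ones and documents taken in load order. It models only the three match attributes the posted rules use. SERVICE_DEFAULT_ALLOW is a constructed stand-in for the default-context allow that a service's own policy file typically grants for its bus name; it is not systemd's shipped file.

```python
"""Offline model of dbus-daemon <policy> evaluation for a method call.

Added example for this thread, not dbus or systemd code. Reads no files:
every policy document below is an embedded string.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for the default-context allow a service's own policy
# file typically grants for its bus name (NOT systemd's real shipped file).
SERVICE_DEFAULT_ALLOW = """<busconfig>
  <policy context="default">
    <allow send_destination="org.freedesktop.systemd1"/>
  </policy>
</busconfig>"""

# Copy of the restriction file posted in the thread (DOCTYPE omitted).
RESTRICT_CONF = """<busconfig>
  <policy user="root">
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager"
           send_member="GetUnitProcesses"/>
  </policy>
  <policy group="proc">
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager"
           send_member="GetUnitProcesses"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.freedesktop.systemd1"
          send_interface="org.freedesktop.systemd1.Manager"
          send_member="GetUnitProcesses"/>
  </policy>
</busconfig>"""

MATCH_ATTRS = ("send_destination", "send_interface", "send_member")

GET_UNIT_PROCESSES = {
    "send_destination": "org.freedesktop.systemd1",
    "send_interface": "org.freedesktop.systemd1.Manager",
    "send_member": "GetUnitProcesses",
}
# A second Manager method, used to show the deny rule is narrowly scoped.
LIST_UNITS = dict(GET_UNIT_PROCESSES, send_member="ListUnits")


def rule_matches(rule, call):
    """A rule matches when every attribute it sets equals the call's value.
    An attribute that is absent, or set to "*", acts as a wildcard."""
    for attr in MATCH_ATTRS:
        wanted = rule.get(attr)
        if wanted not in (None, "*", call[attr]):
            return False
    return True


def applicable_policies(documents, user, groups):
    """Order policies as dbus-daemon(1) describes: default context first,
    then the caller's groups, then the caller's user, then mandatory.
    Within a tier, documents are taken in load order, so a later file
    overrides an earlier one where their rules overlap."""
    tiers = {"default": [], "group": [], "user": [], "mandatory": []}
    for xml_text in documents:
        for policy in ET.fromstring(xml_text).findall("policy"):
            context = policy.get("context")
            if context in ("default", "mandatory"):
                tiers[context].append(policy)
            elif policy.get("group") in groups:
                tiers["group"].append(policy)
            elif policy.get("user") == user:
                tiers["user"].append(policy)
    return tiers["default"] + tiers["group"] + tiers["user"] + tiers["mandatory"]


def evaluate(documents, user, groups, call):
    """Return "allow", "deny", or None when no rule in `documents` matches
    (in that case the bus's own system.conf defaults decide)."""
    verdict = None
    for policy in applicable_policies(documents, user, groups):
        for rule in policy:
            if rule.tag in ("allow", "deny") and rule_matches(rule, call):
                verdict = rule.tag  # last matching rule wins
    return verdict


if __name__ == "__main__":
    load_order = [SERVICE_DEFAULT_ALLOW, RESTRICT_CONF]
    for who, grps in (("root", ["root"]), ("bob", ["bob"]), ("bob", ["bob", "proc"])):
        print(f"{who:5} groups={grps}: GetUnitProcesses -> "
              f"{evaluate(load_order, who, grps, GET_UNIT_PROCESSES)}, "
              f"ListUnits -> {evaluate(load_order, who, grps, LIST_UNITS)}")
    # If the restriction were loaded BEFORE the service's allow, the allow
    # would be applied later in the default tier and undo the deny.
    print("reversed load order, bob:",
          evaluate(load_order[::-1], "bob", ["bob"], GET_UNIT_PROCESSES))
```

Running it as a script prints the verdicts for root, bob, and bob-in-group-proc, plus one caveat a practitioner should check on a real host: the default-context deny only holds if it is applied after the service's own default-context allow, so after reloading the bus configuration, confirm as an unprivileged user that a GetUnitProcesses call (for example via busctl) is actually refused while the other Manager methods still work. The "proc" group in the posted file presumably mirrors the gid= option used with hidepid on /proc; that pairing is my reading of the reply, not something it states.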
