grsecurity forums

[tomalok]

kernel 2.4.20, grsecurity 1.9.9d (lots of address space protection, no acl, filesystem protections (proc user vs. group or with/without additional restrictions doesn't seem to matter), sysctl support)...

apparently, root can't see command line options via ps, (and can't strace either) which is a bit disconcerting... i kind of like to see what users may be up to... commands in ps are enclosed via []...

is there a way to turn this feature off for the root user?

[spender]

The processes in [] is due to the ptrace patch included in 1.9.9d. Since the same patch has been submitted for inclusion in 2.4.21-pre6, it will be the same way in 2.4.21. As for not being able to see command lines of non-root processes, it's not related to grsecurity. Maybe you could paste the output of ls -al on /proc. It could be another effect of the ptrace patch.

-Brad

[tomalok]

i can confirm that this behavior is also happening in a ptrace-patched 2.4.20 kernel (without grsecurity)... so, it's not a problem with grsecurity then.

the ptrace patch seems to have inadvertently opened up a new possibility for those who want to "discreetly" run things from their account... all they have to do is rename the binary to something that won't draw suspicion, and set it running. they don't even have to worry about matching the command line options, and we'll never be able to ptrace it to see what they're up to...