Is it possible to hide process args from 'ps -ef'?? (Recap)

Kartik Subbarao subbarao at phoenix.Princeton.EDU
Fri Apr 19 22:34:47 AEST 1991


In article <1429 at compel.UUCP> her at compel.UUCP (Helge Egelund Rasmussen) writes:
>>>Is it possible to hide the arguments, so that they won't show up in
>>>the 'ps' output (possibly by 'exec'ing sqlplus in some devious way :-)??
>
>  2: Modify the argv[] list in the exec'ed program after startup.
>     This will of course be a problem with sqlplus, but might work with
>     'runform' (using a user exit) or "home made" applications.
>
>My questions are now: 
>  Will 1 above work? Even if ps won't show the arguments, it might be possible
>  to write a program which can read the argument list from memory. Is this 
>  possible? If it is, then this method isn't really safe.

No, the "ww" argument to ps will cause ps to not stop once it has reached
the max number of columns. You may want to pipe the output through fold.

Since only programs with access to /dev/kmem can get to where the argument
vector's stored, if ps didn't have such an option, the option of making a
big argv0 might be a viable solution. But, ps does have such an option.

>  The problem with method 2 above is, as far as I can see, that it wouldn't
>  be really safe because of race conditions. I.e. sometimes a user might have
>  time to execute a PS in the time after the exec, and before the application
>  has had time to destroy the argv structure. Is this correct?

Yes. This "problem" is documented in the man page for crypt(1). Crypt also
clobbers its argv array once it's read it in, but it's possible to do a ps
just before it manages to do this and find it out.

			-Kartik


--
internet# rm `df | tail +2 | awk '{ printf "%s/quotas\n",$6}'`

subbarao at phoenix.Princeton.EDU -| Internet
kartik at silvertone.Princeton.EDU (NeXT mail)  
SUBBARAO at PUCC.BITNET			          - Bitnet
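
Method 2 and the race discussed above, as an added example that is not part of the original post: take_secret_arg() is a hypothetical helper that copies one argument to private memory and zeroes the original in place. The secret stays in the argument vector from exec until that call returns, which is the window the reply describes.

```c
/* Added example, not from the original post. take_secret_arg() is a
 * hypothetical helper name. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy argv[idx] to private heap memory, then overwrite the original
 * bytes in place. Only the bytes of the original string are written,
 * so neighbouring arguments are left alone.
 * Returns the private copy (caller frees), or NULL on bad index/alloc. */
char *take_secret_arg(int argc, char **argv, int idx)
{
    if (idx < 1 || idx >= argc || argv[idx] == NULL)
        return NULL;

    size_t len = strlen(argv[idx]);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, argv[idx], len + 1);

    /* volatile stores so the compiler cannot drop the overwrite */
    volatile char *p = argv[idx];
    for (size_t i = 0; i < len; i++)
        p[i] = '\0';
    return copy;
}

int main(int argc, char **argv)
{
    /* Race window: between exec() and the return of the call below,
     * the secret is still in the argument vector and ps can show it.
     * Clobbering shortens the exposure; it does not remove it. */
    char *secret = take_secret_arg(argc, argv, 1);
    if (secret == NULL) {
        fprintf(stderr, "usage: %s <secret>\n", argv[0]);
        return 1;
    }
    printf("argv[1] is now empty; private copy holds %zu bytes\n",
           strlen(secret));
    free(secret);
    return 0;
}
```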



More information about the Comp.unix.wizards mailing list