> I have succeeded in getting a program to hide itself from a 'ps -ax'
> listing simply by zeroing out the argument table.
I doubt it. BTW, 'ps -ax' is incorrect usage.
> I think this is a potential security problem as someone might easily
> misuse this to hide a 'malicious' program, and you would not be able to
> identify it so easily using ps.
It doesn't look hidden to me:
0 albert$ ps -u luser -U luser
PID TTY TIME CMD
4095 ttypc 00:00:00 su
4096 ttypc 00:00:00 bash
12097 ttypc 00:32:45 netscape-commun
12107 ttypc 00:00:01 netscape-commun
13089 ttypc 00:16:11 hide
That last one is your program. Try it. Even when using the less-powerful
BSD syntax and default format, I see a suspicious process with no name:
0 albert$ ps U luser
PID TTY STAT TIME COMMAND
4095 ttypc SW 0:00 [su]
4096 ttypc S 0:00 -bash
12097 ttypc S 32:46 /usr/lib/netscape/netscape-communicator
12107 ttypc S 0:01 [netscape-commun]
13089 ttypc R 17:43
Then beating a dead GNU:
0 albert$ ps --user luser --User luser --format
pid,euser,ruser,fname,comm,args
PID EUSER RUSER COMMAND COMMAND COMMAND
4095 luser luser su su [su]
4096 luser luser bash bash -bash
12097 luser luser netscape netscape-commun
/usr/lib/netscape/netscape-com
12107 luser luser netscape netscape-commun [netscape-commun]
13089 luser luser hide hide
> As a follow-up, it seems it is a stupidity on the part of ps (I will send
> a report to the ps mantainer shortly) in that ps trusts /proc/pid/cmdline,
> ignoring the string in /proc/pid/stat (which is _not_ zeroed).
Use of the string in /proc/pid/stat would be incorrect in many cases.
The empty space is correct output.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/