Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!magnus.acs.ohio-state.edu!csn!ccncsu!purdue!news.cs.indiana.edu!att!princeton!phoenix.Princeton.EDU!subbarao!Kartik
From: subbarao@phoenix.Princeton.EDU (Kartik Subbarao)
Newsgroups: comp.unix.wizards
Subject: Re: Is it possible to hide process args from 'ps -ef'?? (Recap)
Message-ID:
Date: 19 Apr 91 12:34:47 GMT
References: <1414@compel.UUCP> <1991Apr17.222700.4586@swsrv1.cirr.com> <1429@compel.UUCP>
Sender: news@idunno.Princeton.EDU
Reply-To: subbarao@phoenix (Kartik Subbarao)
Lines: 38

In article <1429@compel.UUCP> her@compel.UUCP (Helge Egelund Rasmussen) writes:
>>>Is it possible to hide the arguments, so that they won't show up in
>>>the 'ps' output (possibly by 'exec'ing sqlplus in some devious way :-)??
>
> 2: Modify the argv[] list in the exec'ed program after startup.
>    This will of course be a problem with sqlplus, but might work with
>    'runform' (using a user exit) or "home made" applications.
>
>My questions are now:
> Will 1 above work? Even if ps won't show the arguments, it might be possible
> to write a program which can read the argument list from memory. Is this
> possible? If it is, then this method isn't really safe.

No, the "ww" argument to ps will cause ps to not stop once it has reached the
max number of columns. You may want to pipe the output through fold.
Since only programs with access to /dev/kmem can get to where the argument
vector's stored, if ps didn't have such an option, the option of making a big
argv0 might be a viable solution. But, ps does have such an option.

> The problem with method 2 above is, as far as I can see, that it wouldn't
> be really safe because of race conditions. Ie. sometimes a user might have
> time to execute a PS in the time after the exec, and before the application
> has had time to destroy the argv structure. Is this correct?

Yes. This "problem" is documented in the man page for crypt(1).
Crypt also clobbers its argv array once it's read it in, but it's possible to
do a ps just before it manages to do this and find it out.

			-Kartik

--
internet# rm `df | tail +2 | awk '{ printf "%s/quotas\n",$6}'`
subbarao@phoenix.Princeton.EDU -| Internet
kartik@silvertone.Princeton.EDU (NeXT mail)
SUBBARAO@PUCC.BITNET - Bitnet
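
Method 2 from the post above (clobbering argv after startup, as crypt(1) is said to do), sketched in C as an added example that is not part of the original thread. The names take_secret_arg() and wipe() are hypothetical, and the code assumes the secret arrives as argv[1].

```c
/* Added example: copy a secret out of argv, then overwrite it in place.
 * take_secret_arg() and wipe() are hypothetical names, not from the thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Zero n bytes through a volatile pointer so the store is not optimised away. */
static void wipe(char *p, size_t n)
{
    volatile char *vp = (volatile char *)p;
    while (n--)
        *vp++ = '\0';
}

/* Return a heap copy of argv[idx] and zero the original string in place.
 * Returns NULL when idx is out of range or malloc fails; if malloc fails
 * the argument is wiped anyway, so the secret never stays in argv. */
char *take_secret_arg(int argc, char **argv, int idx)
{
    size_t len;
    char *copy;

    if (argv == NULL || idx < 1 || idx >= argc || argv[idx] == NULL)
        return NULL;
    len = strlen(argv[idx]);
    copy = malloc(len + 1);
    if (copy != NULL)
        memcpy(copy, argv[idx], len + 1);
    wipe(argv[idx], len);  /* only this string's bytes; neighbours untouched */
    return copy;
}

int main(int argc, char **argv)
{
    /* Scrub before any other work to keep the exposure window short. It
     * cannot be closed: a ps run between exec and this call still sees
     * the original string, which is the race described in the post. */
    char *secret = take_secret_arg(argc, argv, 1);

    if (secret == NULL) {
        fprintf(stderr, "usage: %s secret\n", argc > 0 ? argv[0] : "prog");
        return 1;
    }
    printf("copied %lu bytes; argv[1] now reads \"%s\"\n",
           (unsigned long)strlen(secret), argv[1]);
    wipe(secret, strlen(secret));
    free(secret);
    return 0;
}
```

Whether ps reflects the overwrite at all depends on where a given system's ps reads the argument vector from, so check the result on the target platform.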