Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!caen!uwm.edu!bionet!agate!usenet.ins.cwru.edu!ncoast!allbery
From: allbery@NCoast.ORG (Brandon S. Allbery KB8JRR/AA)
Newsgroups: comp.unix.wizards
Subject: Re: Is it possible to hide process args from 'ps -ef'?? (Recap)
Message-ID: <1991Apr20.174927.21082@NCoast.ORG>
Date: 20 Apr 91 17:49:27 GMT
References: <1414@compel.UUCP> <1991Apr17.222700.4586@swsrv1.cirr.com> <1429@compel.UUCP>
Reply-To: allbery@ncoast.ORG (Brandon S. Allbery KB8JRR/AA)
Followup-To: comp.unix.wizards
Organization: North Coast Public Access Un*x (ncoast)
Lines: 37

As quoted from <1429@compel.UUCP> by her@compel.UUCP (Helge Egelund Rasmussen):
+---------------
| >>Is it possible to hide the arguments, so that they won't show up in
| >>the 'ps' output (possibly by 'exec'ing sqlplus in some devious way :-)??
|
| I received a lot of replies for this question (Thanx to all!!), and the main
| result (until now) is that it isn't really possible (at least not in the
| general case).
|
| The best ones so far are:
| 1: exec the program with a very long argument, i.e.
|    "//////////////////////////sqlplus scott/tiger"
|
|    The idea of this is presumably, that ps only will show the first n
|    characters of the argument list.
|
| 2: Modify the argv[] list in the exec'ed program after startup.
|    This will of course be a problem with sqlplus, but might work with
|    'runform' (using a user exit) or "home made" applications.
+---------------

Not under Interactive or any other V.3 --- rather than having programs grunge
through process data space to find the arguments, the first PSARGSZ (80)
characters of the command line are written to u.u_psargs with '\0' changed to
a space.  The first variant will work, though.

Yes, programs can chase your process VM to find the argv information... but
this requires root access (unless you have general read on /dev/mem and
/dev/swap, in which case you've got worse security problems than this to
contend with!).

++Brandon
--
Me: Brandon S. Allbery                      Ham: KB8JRR/AA on 2m, 220, 440, 1200
Internet: allbery@NCoast.ORG                (QRT on HF until local problems fixed)
America OnLine: KB8JRR // Delphi: ALLBERY   AMPR: kb8jrr.AmPR.ORG [44.70.4.88]
uunet!usenet.ins.cwru.edu!ncoast!allbery    KB8JRR @ WA8BXN.OH
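
An added C model of the V.3 behaviour described in the post above (an illustration written for this page, not code from the post or from any kernel source). It shows why padding argv[0] keeps the credential out of the 80-character snapshot while scrubbing argv[] after startup does not change what was already copied. The function names, the 100-slash padding and the sample argv arrays are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PSARGSZ 80  /* size the post gives for u.u_psargs */

/* Model (not kernel source) of the exec-time snapshot the post describes:
 * join argv with spaces in place of the '\0' separators and keep only
 * the first PSARGSZ characters. */
static void snapshot_psargs(char *const argv[], char out[PSARGSZ + 1])
{
    size_t n = 0;
    for (int i = 0; argv[i] != NULL && n < PSARGSZ; i++) {
        if (i > 0)
            out[n++] = ' ';
        for (const char *p = argv[i]; *p != '\0' && n < PSARGSZ; p++)
            out[n++] = *p;
    }
    out[n] = '\0';
}

/* Variant 2 from the recap: overwrite an argument in place after startup. */
static void scrub_arg(char *arg)
{
    memset(arg, 'x', strlen(arg));
}

/* Returns 1 if the credential is visible in what ps would print. */
static int ps_shows(const char *psargs, const char *secret)
{
    return strstr(psargs, secret) != NULL;
}

int main(void)
{
    char padded[128], cred[] = "scott/tiger";   /* constructed sample */
    char ps[PSARGSZ + 1];
    memset(padded, '/', 100);                   /* variant 1: long argv[0] */
    strcpy(padded + 100, "sqlplus");
    char *argv_padded[] = { padded, cred, NULL };
    snapshot_psargs(argv_padded, ps);
    printf("padded:   shown=%d\n", ps_shows(ps, "scott/tiger"));

    char name[] = "sqlplus";
    char *argv_plain[] = { name, cred, NULL };
    snapshot_psargs(argv_plain, ps);            /* copy taken at exec time */
    scrub_arg(cred);                            /* too late for that copy */
    printf("scrubbed: shown=%d argv[1]=%s\n", ps_shows(ps, "scott/tiger"), cred);
    return 0;
}
```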