Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site codas.UUCP
Path: utzoo!watmath!clyde!bonnie!akgua!akguc!codas!mikel
From: mikel@codas.UUCP (Mikel Manitius)
Newsgroups: net.unix-wizards
Subject: Re: user invisibility (Cloaking)
Message-ID: <141@codas.UUCP>
Date: Thu, 3-Oct-85 22:12:32 EDT
Article-I.D.: codas.141
Posted: Thu Oct 3 22:12:32 1985
Date-Received: Mon, 7-Oct-85 03:55:55 EDT
References: <1747@brl-tgr.ARPA>
Organization: AT&T Information Systems (SDSS) - Orlando
Lines: 37

> How to cloak oneself depends on your goal. If you merely want
> anonymity, login as root. If you wish to be invisible, try naming
> your shell "getty".

There are several ways one might cloak oneself; logging in as another
user is cheating.

If you run 4.Xbsd, then try making your environment take up more than
4k (i.e.: set many variables to X's to occupy that space). This will
cause ps and w to cloak your command arguments: w will only show the
name of the process, and ps will show it surrounded by ()'s
(i.e.: " (mail)", including the extra space). Also note that if the
program changes argv[0], this will have no effect; the name of the
command shown is derived from the name of the file which is being
executed.

Another way is if your administrator has left /etc/utmp mode 666, just
write a little program that finds your utmp entry, and either changes
it, or removes it completely.

I once hacked out a version of ps(1) that checked to see if /tmp/.FILE
existed, and replaced /usr/bin/ps with it (I was nasty at school). If
the file did exist, none of my processes would be shown to other users.

Another form of cloaking... If you have access to /dev/kmem, get the
source for the 4.1BSD version of renice(1), change it to look up the
user ID instead of the priority, and change it to something.
Apparently, this UID is not used for permissions, but rather for
terminal information. Thusly, a process can have UID 0, EUID 100, and
be shown to the world as being executed by a user who has UID 200.

Note that things described above have only been tested on 4.1bsd.
--
                                        =======
     Mikel Manitius                   ==----=====    AT&T
     ...!{ihnp4!}codas!mikel         ==------=====   Information Systems
     (305) 869-2462                  ===----======   SDSS Regional Support
     AT&T-IS ETN: 755                 ===========    Altamonte Springs, FL
     My opinions are my own.            =======
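
Seen from the administrator's side, the utmp method in the post above leaves two things to check: whether the file is writable by "other", and whether any terminal has processes attached but no utmp record. The following is an added example, not part of the original post; the 20-byte record layout (V7/4.1BSD style), the function names and all sample data are assumptions constructed for illustration.

```python
import stat
import struct

# Assumption: V7/4.1BSD-style record (8-byte line, 8-byte name, 32-bit time).
UTMP_REC = struct.Struct("<8s8sl")

def world_writable(mode):
    """True if 'other' has write permission, e.g. mode 666."""
    return bool(mode & stat.S_IWOTH)

def parse_utmp(data):
    """Return {tty: user} for every slot with a non-empty user name."""
    sessions = {}
    for off in range(0, len(data) - UTMP_REC.size + 1, UTMP_REC.size):
        line, name, _when = UTMP_REC.unpack_from(data, off)
        tty = line.rstrip(b"\0").decode("ascii", "replace")
        user = name.rstrip(b"\0").decode("ascii", "replace")
        if tty and user:
            sessions[tty] = user
    return sessions

def unlisted_ttys(sessions, processes):
    """Terminals that have processes attached but no utmp record.

    processes is an iterable of (tty or None, owner, command) tuples,
    as would be collected from the process table.
    """
    found = {}
    for tty, owner, _cmd in processes:
        if tty is not None and tty not in sessions:
            found.setdefault(tty, set()).add(owner)
    return sorted((tty, sorted(owners)) for tty, owners in found.items())

# Constructed sample data: three utmp slots, the middle one blanked.
SAMPLE_UTMP = b"".join([
    UTMP_REC.pack(b"tty01", b"alice", 497239952),
    UTMP_REC.pack(b"tty02", b"", 0),
    UTMP_REC.pack(b"tty03", b"carol", 497240100),
])
SAMPLE_PROCS = [
    ("tty01", "alice", "-csh"),
    ("tty02", "bob", "-csh"),
    ("tty02", "bob", "(mail)"),
    ("tty03", "carol", "vi"),
    (None, "root", "cron"),
]

if __name__ == "__main__":
    print("utmp world-writable:", world_writable(0o100666))
    print("unlisted:", unlisted_ttys(parse_utmp(SAMPLE_UTMP), SAMPLE_PROCS))
```

A terminal reported here is a lead for review rather than proof of tampering, since the process list and utmp are read at slightly different moments.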