FreeBSD Prevent Users From Seeing Information About Processes Owned by Other Users

last updated June 3, 2009 in FreeBSD, Networking, Security

Many commands accepts username and passwords on the command line and ps, top, sockstat and many commands can display this information to all users on the system. How do I prevent users from seeing information about processes that are being run under another UID to avoid information leakage under FreeBSD operating systems?

FreeBSD has inbuilt security measure to disallow users to see processes run by other users (UID) to avoid information leakage (snooping). The MIB security.bsd.see_other_uids and security.bsd.see_other_gids needs to set to zero (0) to enable this security feature via sysctl. Type the following command to enable this feature on boot:
# echo 'security.bsd.see_other_uids=0' >> /etc/sysctl.conf # echo 'security.bsd.see_other_gids=0' >> /etc/sysctl.conf
Type the following to turn it on immediately, enter:
# sysctl security.bsd.see_other_uids=0 # sysctl security.bsd.see_other_gids=0
Now normal users cannot see what other people or groups are running on the system. This also applies to all jailed systems.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

9 comment

Shoaibi says:
May 26, 2009 at 10:51 am
Great.. I use FreeBSD server at my office and was looking for something like this.
Tapas Mallick says:
May 26, 2009 at 10:56 am
is it possible to implement same feature in RHEL/CentOS ?
Mike says:
May 26, 2009 at 11:03 am
ItÂ´s not a BSD only feature. You will find the same feature in Caos Linux.
Tapas Mallick says:
May 26, 2009 at 12:34 pm
Will you please let me know exact procedure/web link to get the information..Thanks in Advance.
nixCraft says:
May 26, 2009 at 12:48 pm
It is not part of standard Linux kernel. You need GRSecurity patch for Linux kernel (which is included with Caos Linux). Go to http://www.grsecurity.net/ and download patch. You need to recompile the kernel. Alternatively, downloaded prebuilt rpms for CentOS / RHEL below:
http://rpm.cormander.com/repo/grsec/
Tapas Mallick says:
May 28, 2009 at 4:00 am
Hi Vivek,
I have downloaded latest .rpm and installed the same on my test CentOS 5.3(i386) system. Will you please let me me what to do next to get the expected functionality ? Thanks.
warren says:
June 3, 2009 at 12:43 pm
This should be saying:
# echo ‘security.bsd.see_other_uids=0’ >> /etc/sysctl.conf
# echo ‘security.bsd.see_other_gids=0’ >> /etc/sysctl.conf
and not /etc/rc.conf
nixCraft says:
June 3, 2009 at 2:40 pm
@ warren
Thanks for the heads-up!
kapil says:
June 29, 2011 at 4:41 am
can you plz let me know how to make this configuration in Redhat Linux 5.

Have a question? Post it on our forum!

Tagged as: /etc/sysctl.conf, FreeBSD security.bsd.see_other_uids, FreeBSD security.bsd.see_other_gids, information leakage, operating systems, security feature, security.bsd.see_other_gids, security.bsd.see_other_uids, sysctl command, uid