Linux

top 僅顯示目前使用者程序

  • August 8, 2018

最近有一個執行 CentOS 6.7 的專用伺服器,我們執行了更新並註意到 top 只顯示目前使用者的程序。

[myuser@server2 ~]$ top -b -n1 
top - 20:19:20 up 1 day, 10:09,  3 users,  load average: 0.80, 0.50, 0.41
Tasks:  11 total,   1 running,  10 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.2%us,  0.0%sy,  0.0%ni, 99.8%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:  32880988k total, 26893324k used,  5987664k free,   140872k buffers
Swap:  1046520k total,        0k used,  1046520k free, 19532120k cached

 PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND               
1648 myuser  20   0 98.8m 1020  688 S  0.0  0.0   0:00.00 man                   
1651 myuser  20   0  103m 1184 1016 S  0.0  0.0   0:00.00 sh                    
1652 myuser  20   0  103m  684  500 S  0.0  0.0   0:00.00 sh                    
1656 myuser  20   0  103m  912  752 S  0.0  0.0   0:00.07 less                  
3363 myuser  20   0  100m 1708  700 S  0.0  0.0   0:00.04 sshd                  
3364 myuser  20   0  105m 1916 1524 S  0.0  0.0   0:00.00 bash                  
8337 myuser  20   0 14940 1096  880 R  0.0  0.0   0:00.00 top                   
30429 myuser  20   0  100m 1696  696 S  0.0  0.0   0:00.16 sshd                  
30430 myuser  20   0  105m 1924 1536 S  0.0  0.0   0:00.01 bash                  
31132 myuser  20   0  100m 1692  692 S  0.0  0.0   0:00.05 sshd                  
31133 myuser  20   0  105m 1928 1536 S  0.0  0.0   0:00.04 bash            

但是,當使用 sudo 執行時,我得到了我期望的正常輸出

[myuser@server2 ~]$ sudo top -bn1
top - 20:22:08 up 1 day, 10:12,  3 users,  load average: 0.36, 0.40, 0.39
Tasks: 166 total,   1 running, 165 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.2%us,  0.0%sy,  0.0%ni, 99.8%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:  32880988k total, 26898188k used,  5982800k free,   141196k buffers
Swap:  1046520k total,        0k used,  1046520k free, 19532188k cached

 PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND               
32705 otherusr  20   0 21.9g 5.8g  15m S 39.8 18.3  28:47.76 java                  
   1 root      20   0 19280 1524 1232 S  0.0  0.0   0:00.76 init                  
   2 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kthreadd              
   3 root      20   0     0    0    0 S  0.0  0.0   0:00.40 ksoftirqd/0           
   5 root       0 -20     0    0    0 S  0.0  0.0   0:00.00 kworker/0:0H          
   6 root      20   0     0    0    0 S  0.0  0.0   0:03.20 kworker/u16:0  
~~~~~omitted~~~~~

我嘗試過不以批處理模式執行 top 並使用“u”和“U”並將其留空並按下

$$ enter $$,沒有運氣。 我很確定我正在執行實際的頂部,使用絕對路徑啟動沒有任何影響。

$ which top
/usr/bin/top
$ file /usr/bin/top
/usr/bin/top: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
$ alias
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias vi='vim'
alias which='alias | /usr/bin/which --tty-only --read-alias --show-dot --show-tilde'

/etc/ 中沒有 toprc

$ ls -a /etc | grep -c toprc
0

proc安裝如下

$ sudo cat /proc/mounts | grep proc
none /proc proc rw,relatime 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
$ sudo cat /etc/fstab | grep proc
proc        /proc   proc    defaults        0   0

有關 Procs 的更多詳細資訊

[myuser@server2 ~]$ sudo -u otherusr ps -A
 PID TTY          TIME CMD
21921 pts/0    00:00:00 ps
32703 ?        00:00:00 screen
32705 pts/3    01:08:01 java
[myuser@server2 ~]$ sudo ls -l /proc/ | grep 32705
dr-xr-x---  7 otherusr root     0 Sep 23 19:27 32705
[myuser@server2 ~]$ sudo ls -l /proc/32705/ | grep stat
-r--------  1 otherusr root 0 Sep 23 21:54 mountstats
-r--r--r--  1 otherusr root 0 Sep 23 19:27 stat
-r--r--r--  1 otherusr root 0 Sep 23 19:27 statm
-r--r--r--  1 otherusr root 0 Sep 23 19:27 status
[myuser@server2 ~]$ ls /proc/ | egrep "[0-9]{1,9}";
17363
17364
26124
26125
3363
3364
[myuser@server2 ~]$ sudo -u otheruser ls /proc/ | egrep "[0-9]{1,9}"
26132
32703
32705
[myuser@server2 ~]$ umask
0002
[root@server2 ~]# umask
0022

有任何想法嗎?

根據以下文章中的資訊,我確定了 3 個可能的解決方案。

哪些狀態 grsecurty 可能導致使用者無法看到其他使用者的 pid,/proc/並且 OVH(我的託管公司)使用使用 Grsecurity 編譯的自定義核心

$ uname -r
3.14.32-xxxx-grs-ipv6-64

可能的解決辦法是:

  1. 刪除 grsecurity
  2. 編輯政策以允許此類使用
  3. 確保其他管理員了解新的安全措施

對我來說,教育其他管理員是最好的選擇,因為安全是第一位的。不過還是有點希望他們能告訴我們這樣的事情。謝謝你的幫助!

一種可能性是/proc安裝有hidepid=1hidepid=2。這個掛載選項是在後來的 Linux 核心中添加的,並在 CentOS 5.9 和 6.3 左右的某個時候向後移植。

Mount options
  The proc filesystem supports the following mount options:

  hidepid=n (since Linux 3.3)
         This option controls who can access the information in
         /proc/[pid] directories.  The argument, n, is one of the
         following values:

         0   Everybody may access all /proc/[pid] directories.  This is
             the traditional behavior, and the default if this mount
             option is not specified.

         1   Users may not access files and subdirectories inside any
             /proc/[pid] directories but their own (the /proc/[pid]
             directories themselves remain visible).  Sensitive files
             such as /proc/[pid]/cmdline and /proc/[pid]/status are now
             protected against other users.  This makes it impossible
             to learn whether any user is running a specific program
             (so long as the program doesn't otherwise reveal itself by
             its behavior).

         2   As for mode 1, but in addition the /proc/[pid] directories
             belonging to other users become invisible.  This means
             that /proc/[pid] entries can no longer be used to discover
             the PIDs on the system.  This doesn't hide the fact that a
             process with a specific PID value exists (it can be
             learned by other means, for example, by "kill -0 $PID"),
             but it hides a process's UID and GID, which could
             otherwise be learned by employing stat(2) on a /proc/[pid]
             directory.  This greatly complicates an attacker's task of
             gathering information about running processes (e.g.,
             discovering whether some daemon is running with elevated
             privileges, whether another user is running some sensitive
             program, whether other users are running any program at
             all, and so on).

另一種可能性(由發布者發現並作為參考資訊添加到此答案中)是grsecurity,它具有將其他使用者的程序隱藏在非特權使用者面前的功能,作為其文件系統強化的一部分。

為非特權使用者隱藏其他使用者的程序

雖然上游核心現在為 /proc 提供了一個掛載選項來隱藏其他非特權使用者的程序,但 grsecurity 通過預設隱藏此類資訊、在 /proc 中隱藏核心提供的其他敏感資訊源以及隱藏私有網路來超越這一點——所有使用者的相關資訊。網路資訊不僅侵犯了系統上其他使用者的隱私,而且在過去對 TCP 劫持攻擊也很有用。

引用自:https://serverfault.com/questions/724421