I've written a script that uses ps -G <groupid> -o uid,cmd to log the commands that a certain group of the users of a system run over time.
What I want to know is whether it's possible for the users to hide what they are doing from my script, and how they can do that if so. Please note that my users are not in the sudo group, so they can't use prctl; I need another option that doesn't require administrative privileges.
I thought wrapping my code in a function, setting an alias for it and calling that alias would hide my script, but it doesn't seem to work. So is there any way to hide the code from ps?
Here is an MVC of my code to show why I think the alias trick does not work:
#!/bin/bash
# Poll every second; the alias "bar" resolves to the function "foo", which
# runs the ps command whose visibility is being tested.
foo(){
  sleep 3
  ps -G 1,2,3 -o uid,cmd -H   # group IDs 1,2,3 stand in for the monitored group
}
alias bar='foo'
while true
do
  sleep 1
  ${BASH_ALIASES[bar]}   # expands to "foo" and runs it (alias expansion is off in scripts)
  echo 1
done
And here is a summary of the related parts of what I get as the result:
myid -bash (Reasonable)
myid /bin/bash ./myscript.sh (Reasonable)
myid /bin/bash ./myscript.sh (I don't care but I wonder why it's appearing twice!)
myid ps -G 1,2,3 -o uid,cmd -H (What I don't want to be viewable)
myid sshd: myusername@pts/9 (Reasonable)
Please note that there was some indentation in the output (due to the -H option in ps) that I removed, and the indentation of the duplicate line was different.
From this I've concluded that making an alias etc. does not work. By "does not work" I mean that my users can't make aliases for their commands, run those commands and hide them this way. Because if they could, my ps command, for which I had set an alias in my script, shouldn't have appeared in the result.
So here is the question in simple words:
Is there any way for the non-sudo users of my system to run some scripts in a way that I won't be able to notice using the ps command?
p.s. Please note that I'm aware of the pam methods for logging and stuff. I just want to see if this method works.
p.p.s. I pointed out the alias method because a friend told me this would work, but it didn't. So I already explained that it doesn't seem to work, to prevent people from coming and giving that as an answer.
Request!!!
Can someone please explain to me why my question is closed as an exact duplicate of another question while the answers in the mentioned question do not solve my problem at all!??
Why not make a shell script with the same name that calls your command but filters the output with grep? Of course, add the executable's directory to the beginning of $PATH so any call to your program will be your shell script. For example:
That will show all processes that ps shows except "Process name". Place it in a bash shell script using the full path for your commands. Place this command in /directory/x and add the below script to /etc/profile.d/path.sh
This will override any reference to ps to your custom script. Lmk if you have any questions and hope this helps! :)
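From the monitoring side, the wrapper described in this answer only works because the monitor trusts whatever "ps" is first in $PATH. The following is an added example (not code from the question or the answer) of a monitor that walks /proc directly instead, plus a check that the "ps" found on PATH is the expected system binary; /bin/ps as the genuine location and the group IDs passed in are assumptions you adjust for your system.

```bash
#!/bin/bash
# Added example: enumerate processes of given real GIDs without relying on the
# `ps` binary found via $PATH, so a wrapper script named `ps` cannot filter the view.

# Print "pid uid gid cmdline" for every process whose real GID is in the
# comma-separated list given as $1 (e.g. "1,2,3").
list_group_procs() {
  local want=",$1," status pid uid gid cmd
  for status in /proc/[0-9]*/status; do
    pid=${status#/proc/}; pid=${pid%/status}
    # Lines read "Uid:\treal\teffective\tsaved\tfs" (same for Gid); take the real id.
    uid=$(awk '/^Uid:/ {print $2}' "$status" 2>/dev/null) || continue
    gid=$(awk '/^Gid:/ {print $2}' "$status" 2>/dev/null) || continue
    [ -n "$gid" ] || continue                     # process exited while we looked
    case "$want" in *",$gid,"*) ;; *) continue ;; esac
    # cmdline is NUL-separated; kernel threads have an empty cmdline and are skipped.
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    [ -n "$cmd" ] || continue
    printf '%s %s %s %s\n' "$pid" "$uid" "$gid" "$cmd"
  done
}

# Return 0 if the `ps` that $PATH would hand us is the same file as the expected
# system binary (assumed /bin/ps unless overridden by $1), 1 otherwise.
# A mismatch means a monitor calling plain `ps` would be running someone else's script.
ps_is_genuine() {
  local expected=${1:-/bin/ps} found
  found=$(command -v ps) || return 1
  [ "$(readlink -f "$found")" = "$(readlink -f "$expected")" ]
}

# Self-check: the shell running this script must show up under its own real GID.
self_visible() {
  local mygid
  mygid=$(awk '/^Gid:/ {print $2}' "/proc/$$/status")
  list_group_procs "$mygid" | grep -q "^$$ "
}
```

Because the listing comes from /proc rather than from a program looked up on PATH, a user-level wrapper around ps has nothing to filter; run the monitor with the genuine binary path or this function, never bare "ps".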