Solved Let some users see full top/ps output

It's been some time since I thought much about top or ps and setgid(2) operation. It seems like currently setgid(2) is not needed. This, I assume, is a good design.

But I've got a bit of a problem now - I have a jail where I do NOT want the majority of users to run top or ps so I have the sysctl security.bsd.see_other_uids set to "0". I would however like to have a few people that do not have root access to bypass the "see other uids" check. I could use sudo, but at least in the case of top, that's giving the user the ability to kill arbitrary processes as root.

Ideas? Workarounds?
 
Perfect, thanks!

This in sysctl.conf works great:

Code:
security.mac.seeotheruids.specificgid=21
security.mac.seeotheruids.specificgid_enabled=1
security.mac.seeotheruids.enabled=1

And in loader.conf if "options MAC_SEEOTHERUIDS" is not in your kernel config:

Code:
mac_seeotheruids_load="YES"

Awesome stuff. Need to read up more on MAC.
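Added example (not from the thread or the FreeBSD project): a small POSIX sh checker for the two config fragments above. It confirms that the three `security.mac.seeotheruids.*` knobs are present with the intended gid, that the loader line is there, and, the one caveat worth catching, that `security.bsd.see_other_uids` has not been left at 0 in the same file. The kernel's `cr_cansee()` applies the MAC visibility check and the classic see_other_uids check in sequence, so a base setting of 0 still denies every non-root user and the gid exemption never comes into play. The sample files are constructed inline so the script runs on any system; the gid 21 and the group name are assumptions taken from the post.

```sh
#!/bin/sh
# Added example: verify a sysctl.conf / loader.conf pair for the
# mac_seeotheruids "specific gid" setup. Not the poster's own script.

# Print the last value assigned to KEY in FILE (comments, blank lines and
# surrounding quotes ignored, as sysctl.conf/loader.conf allow). Exit 1 if absent.
conf_value() {
    awk -F'[[:space:]]*=[[:space:]]*' -v k="$2" '
        /^[[:space:]]*#/ { next }
        { sub(/^[[:space:]]+/, "", $1) }
        $1 == k { v = $2; sub(/[[:space:]]*(#.*)?$/, "", v); gsub(/"/, "", v); found = 1 }
        END { if (!found) exit 1; print v }' "$1"
}

# Check that FILE lets members of group GID see other users' processes
# through mac_seeotheruids, and that nothing else in FILE undoes it.
check_seeotheruids_conf() {
    conf=$1 gid=$2 rc=0
    [ "$(conf_value "$conf" security.mac.seeotheruids.enabled)" = 1 ] ||
        { echo "security.mac.seeotheruids.enabled is not 1 in $conf" >&2; rc=1; }
    [ "$(conf_value "$conf" security.mac.seeotheruids.specificgid_enabled)" = 1 ] ||
        { echo "specificgid exemption is not enabled in $conf" >&2; rc=1; }
    [ "$(conf_value "$conf" security.mac.seeotheruids.specificgid)" = "$gid" ] ||
        { echo "specificgid is not $gid in $conf" >&2; rc=1; }
    # cr_cansee() runs the MAC check AND the classic see_other_uids check;
    # if the base knob is 0, only root passes and the gid exemption is moot.
    # Absent key => kernel default of 1.
    base=$(conf_value "$conf" security.bsd.see_other_uids || echo 1)
    [ "$base" != 0 ] ||
        { echo "security.bsd.see_other_uids=0 in $conf overrides the gid exemption" >&2; rc=1; }
    return $rc
}

# Check that the module is loaded at boot (needed when the kernel was built
# without "options MAC_SEEOTHERUIDS").
check_loader_conf() {
    [ "$(conf_value "$1" mac_seeotheruids_load)" = YES ]
}

# Constructed sample files (not taken from the poster's system).
good_sysctl=$(mktemp); good_loader=$(mktemp); bad_sysctl=$(mktemp)
trap 'rm -f "$good_sysctl" "$good_loader" "$bad_sysctl"' EXIT
cat >"$good_sysctl" <<'EOF'
# members of gid 21 (assumed: a 'procview' group) may see everyone's processes
security.mac.seeotheruids.specificgid=21
security.mac.seeotheruids.specificgid_enabled=1
security.mac.seeotheruids.enabled=1
EOF
cat >"$good_loader" <<'EOF'
mac_seeotheruids_load="YES"
EOF
# Common mistake: keeping the original see_other_uids=0 alongside the MAC knobs.
cat >"$bad_sysctl" <<'EOF'
security.bsd.see_other_uids=0
security.mac.seeotheruids.specificgid=21
security.mac.seeotheruids.specificgid_enabled=1
security.mac.seeotheruids.enabled=1
EOF

check_seeotheruids_conf "$good_sysctl" 21 && check_loader_conf "$good_loader" &&
    echo "config OK: gid 21 exempt, module loaded at boot"
check_seeotheruids_conf "$bad_sysctl" 21 || echo "bad config rejected as expected"
```

To apply without a reboot on the FreeBSD host, `kldload mac_seeotheruids` and set the same three knobs with `sysctl`; then, as a user in gid 21, `ps -U someoneelse` should list that user's processes while a user outside the group sees only their own. These knobs are global kernel settings, so they belong on the host rather than inside the jail.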