This is a discussion on how to secure my computer within the Linux Security forums, part of the System Security and Security Related category.
"Mikhail Zotov" <muxaul@lenta.ru> (06-04-17 20:46:11):
> > Yes, it doesn't only provide security, but even beauty. I like it
> > hiding processes not owned by the user requesting the process list.
>
> Hm. Is this really PaX that allows one to hide user processes? IIRC,
> one can disable PaX but still have this feature present by enabling
> appropriate settings in "Filesystem Protections" (Allow special group,
> GID for special group).

No, that's not a PaX feature, but a grsecurity feature. Remember that PaX is packaged with grsecurity, but otherwise completely unrelated. So yes, you can disable PaX and still get this feature.

> > In my opinion, that would be security by obscurity, so I wouldn't
> > use it for security purposes. It's just beautiful, because it makes
> > my 'ps' output much smaller.
>
> I agree with the point. IMHO, the feature also "improves" privacy on
> multi-user machines since users who don't belong to the "special
> group" can see only their own processes.

Well, there are other means of detecting 'well known' running processes, e.g. '/tmp/' or '/var/run/', or even side channel attacks.

Regards.

Ertugrul Soeylemez wrote:
> "Mikhail Zotov" <muxaul@lenta.ru> (06-04-17 20:46:11):
> > Ertugrul Soeylemez wrote:
> > > In my opinion, that would be security by obscurity, so I wouldn't
> > > use it for security purposes. It's just beautiful, because it makes
> > > my 'ps' output much smaller.
> >
> > I agree with the point. IMHO, the feature also "improves" privacy on
> > multi-user machines since users who don't belong to the "special
> > group" can see only their own processes.
>
> Well, there are other means of detecting 'well known' running processes,
> e.g. '/tmp/' or '/var/run/', or even side channel attacks.

Yep, you are right again. :-)

--
Mikhail
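Added example, not part of either post above: a small audit an administrator can run to see how much '/var/run/' and '/tmp/' still reveal about running services once the process list itself is restricted. The function name `audit_runtime_dir` and the choice to look only at `*.pid` files and sockets in the top level of each directory are assumptions of this sketch.

```python
import os
import stat


def audit_runtime_dir(root):
    """Report what a local user outside the owner/group can learn from `root`.

    Only permission bits are inspected, so the result does not depend on
    which account runs the audit.
    """
    dir_mode = os.stat(root).st_mode
    names_visible = bool(dir_mode & stat.S_IROTH)  # others may list the directory
    traversable = bool(dir_mode & stat.S_IXOTH)    # others may reach entries in it
    findings = []
    for name in sorted(os.listdir(root)):
        st = os.lstat(os.path.join(root, name))
        if stat.S_ISSOCK(st.st_mode):
            kind = "socket"
        elif stat.S_ISREG(st.st_mode) and name.endswith(".pid"):
            kind = "pidfile"
        else:
            continue  # keep only entries that typically mark a running service
        findings.append({
            "name": name,
            "kind": kind,
            # The entry's name alone tells other users the service exists.
            "name_visible": names_visible,
            # A world-readable PID file additionally discloses the PID.
            "content_readable": (kind == "pidfile" and traversable
                                 and bool(st.st_mode & stat.S_IROTH)),
        })
    return findings


if __name__ == "__main__":
    for directory in ("/var/run", "/tmp"):
        try:
            for f in audit_runtime_dir(directory):
                print(directory, f["kind"], f["name"],
                      "name visible" if f["name_visible"] else "name hidden",
                      "PID readable" if f["content_readable"] else "")
        except OSError as exc:
            print(directory, "not audited:", exc)
```

Entries reported as visible can be tightened with per-service runtime directories and stricter file modes where the service allows it.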