Hi Jim
It's a new setup where the app team needs to monitor the processes run by different app users from one specific user ID, to which I have to give the proc_owner privilege.
As per my testing on my VM, the proc_info privilege is given to every user by default, so I think we need to give the proc_owner privilege.
Note: user1 and user2 were created before running these commands.
root@sol11:~# usermod -K 'defaultpriv=basic,proc_owner' user1
user2@sol11:/proc$ ppriv -v $$
1020: -bash
flags = <none>
E: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
I: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
P: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
L: contract_event,contract_identity,contract_observer,cpc_cpu,dax_access,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
user2@sol11:/proc$
user2@sol11:/proc$
user2@sol11:/proc$ ppriv $$
1020: -bash
flags = <none>
E: basic
I: basic
P: basic
L: all
user2@sol11:/proc$
user1@sol11:/proc$ ppriv $$
1030: -bash
flags = <none>
E: basic,proc_owner
I: basic,proc_owner
P: basic,proc_owner
L: all
user1@sol11:/proc$
user1@sol11:/proc$ ppriv -v $$
1030: -bash
flags = <none>
E: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
I: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
P: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
L: contract_event,contract_identity,contract_observer,cpc_cpu,dax_access,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
user1@sol11:/proc$
--- Post updated at 12:12 AM ---
Hi Jim
My only concern is whether proc_owner poses any risk beyond allowing that user to see the processes run by other users. If I could restrict that specific user to seeing only the processes belonging to specific users on the system, that would be great.