0

I'm running a Debian server and giving out shell access for a handful of friends. I'd like to hide the running processes from those normal users, so that for example top only shows their own processes, and not anything started by anyone else. Obviously root should see all processes, though.

How would I do this? I've seen it in action on many shared hosting services that offer shell accounts, but haven't come across a way to do it myself.

jho

5 Answers

4

With Linux alone it is not possible. With SELinux or GrSecurity you can "hide" (in fact, you don't give access to) processes between users. It's a little bit complicated, but not impossible.

Sacx
1

There is the command line option -U

Monitor by user as: -U somebody Monitor only processes with a UID or user name matching that given. This matches real, effective, saved, and filesystem UIDs.

or -u

Monitor by user as: -u somebody Monitor only processes with an effective UID or user name matching that given.

How you would effectively enforce this on users who have command line access I don't really know. Given that users have access to the command line, they could use a variety of other tools to see other people's processes anyway.

user9517
1

If you aren't interested in SELinux, you could possibly get some traction with this problem by getting creative with permissions on the PID subdirectories in /proc/, but some massive testing would have to be done.

Hyppy
1

A quick and easy way for top, but not bullet-proof, is to give them an alias in their ~/.bashrc (or the shell-specific appropriate startup/alias file) that just runs top looking at their own username:

alias top="top -u $USER"

This doesn't do anything for ps of course, but aside from putting users in a chroot or jail environment, or SELinux as Sacx mentioned, there's not a lot that you can do to hide the system from them.

zilla
0

Remounting procfs with hidepid=1 doesn't require SELinux or GRSecurity, and should be available in recent kernels. Just re-add procfs with the same mount options it has right now, to /etc/fstab, or change the existing (unlikely) entry.

pilona
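A way to check the hidepid remount described in the last answer, as an added example that is not part of the original answers: it reads a mounts table in /proc/mounts format and reports whether every procfs mount restricts access to other users' processes. The function names, the sample mount lines and the "defaults" option in the fstab comment are assumptions made for illustration.

```shell
#!/bin/sh
# Apply the setting (as root); the fstab line keeps it across reboots:
#   mount -o remount,hidepid=1 /proc
#   proc  /proc  proc  defaults,hidepid=1  0  0     # "defaults" is assumed
# hidepid=1: other users' /proc/PID contents are inaccessible.
# hidepid=2: other users' /proc/PID entries are hidden entirely.

# Constructed sample in /proc/mounts format (not taken from a real host).
# The second entry models a chroot's procfs mounted without hidepid.
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=1 0 0
proc /srv/chroot/proc proc rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# proc_hidepid [FILE]: print "<mountpoint> <hidepid>" for every procfs
# mount in FILE (default /proc/mounts). A missing option counts as 0.
proc_hidepid() {
    awk '$3 == "proc" {
        level = "0"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^hidepid=/) level = substr(opts[i], 9)
        print $2, level
    }' "${1:-/proc/mounts}"
}

# audit_proc_mounts [FILE]: print one OK/WEAK line per procfs mount and
# return non-zero if any mount is unrestricted or none was found.
# Newer kernels print names (noaccess, invisible, ptraceable) instead of
# numbers, so both spellings are accepted.
audit_proc_mounts() {
    proc_hidepid "$1" | awk '
        { seen = 1 }
        $2 ~ /^(1|2|4|noaccess|invisible|ptraceable)$/ {
            print "OK   " $1 " hidepid=" $2; next
        }
        { print "WEAK " $1 " hidepid=" $2; bad = 1 }
        END { exit (bad || !seen) }'
}
```

Run `audit_proc_mounts` with no argument on the live system after remounting; any procfs mounted separately inside a chroot or container needs the option as well.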