Is it possible for root to create an account that is invisible (processes, who, w, etc) to any regular user? With out having to result in modifying the system tools.


vexer

This can be done with the grsecurity kernel patches. I am running the 'medium' security level on my server, and root's processes etc are invisible to normal users when running ps, top etc. In fact I don't think a normal user can run dmesg or read from the proc filesystem.

http://www.grsecurity.net/

It's also good to note that this is a favorite trick of system crackers. They install a set of tools called a rootkit that effectively hides their presence from a casual inspection (a more detailed inspection of the /proc filesystem will turn up incongruities in most cases). These tools often insert a special module into the kernel and replace programs like w and ps with trojaned copies that hide the attacker's processes, although with the right patches to the kernel, you wouldn't need to touch the userspace stuff.

So yes, it is possible to do, The question is what are you trying to accomplish (hopefully not breaking into systems -- that's illegal)? Or to put it another way, what security or system problem do you want to solve by having hidden users and processes? I've never really played with this, so I'm curious what other people use this to accomplish.

I am aware of the rootkits and about the legal issues pretaining to the misuse of these programs. Although being a valid choice for my needs, it also blocks off root from noticing (which is not my intent). I'm looking to keep daemon versions completely private as well as keeping root's activities and other users to stay hidden to regular users with out also blinding root.