This repository was archived by the owner on Apr 3, 2023. It is now read-only.
117 changes: 81 additions & 36 deletions README.md
Expand Up @@ -20,7 +20,7 @@ This driver is not locked to any single process. Assume that websites utilizing

# Installation

This guide is written for *Ubuntu*. For other Linux flavors, adapt commands where needed.
This guide is written for *Ubuntu* and *Arch Linux*. For other Linux flavors, adapt commands where needed.

## (1) Allow Root Login

Expand All @@ -38,37 +38,50 @@ See [this page for more information](https://www.cyberciti.biz/faq/how-can-i-log

We'll ensure that non-root users are unable to see the `http-driver` service.

1. Switch to the `root` user:
1. Install dependencies:

```
su
sudo apt install -y vim # Ubuntu based distros
or
sudo pacman -S vim # Arch based distros
```

2. Install dependencies:

2. Hide `root` processes for non-root users:

Some components might not work when hiding `/proc`, like mounting a drive via as example Dolphin. This can be bypassed by mounting `/proc` only when necessary (Method 1), other than always hiding `/proc` on boot via fstab (Method2).

### Method 1 (Has to be done again after a reboot):


```
apt install -y vim
sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc
```

3. Open `/etc/fstab` with *vim*:
Reboot your system to see root processes again.


### Method 2 (Will always hide processes at boot, might break things):


Open `/etc/fstab` with *vim*:

```
vim /etc/fstab
sudo vim /etc/fstab
```

4. Add the following line:

Add this below in the text file:
```
proc /proc proc defaults,nosuid,nodev,noexec,relatime,hidepid=2 0 0
```

5. Reboot your system:
Reboot your system:

```
reboot
```

6. Check that your non-root user cannot see root processes:
3. Check that your non-root user cannot see root processes:

```
ps aux
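Review bot: In the new "Install dependencies" block, the bare `or` line sits inside the fenced command block between the `apt` and `pacman` lines, so anyone pasting the block will run `or` as a command; give each distro its own fenced block or make the separator a comment. `vim` is also installed unconditionally as step 1 although only Method 2 opens `/etc/fstab` with it. Method 1 tells the reader to reboot to see root processes again, where a second remount with `hidepid=0` would undo the change without a reboot. The Method 2 steps have lost their numbers, so "3. Check that your non-root user cannot see root processes:" now follows an unnumbered "Reboot your system:" and it is unclear that the check applies to both methods. Small wording fixes: "Method2" needs a space and "via as example Dolphin" should read "via, for example, Dolphin".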
Expand All @@ -77,82 +90,97 @@ ps aux
See [this page for more information](https://www.kernel.org/doc/Documentation/filesystems/proc.txt) on process isolation.

## (3) Disable Process Tracing

We'll ensure that non-root users cannot use `ptrace` capabilities.

1. Switch to the `root` user:
### Method 1 (Has to be done again after a reboot):

1. Change the `kernel.yama.ptrace_scope` value to `2`:

```
su
echo 2 | sudo tee /proc/sys/kernel/yama/ptrace_scope
```

2. Open `/etc/sysctl.d/10-ptrace.conf` with *vim*:
2. Check that the `ptrace_scope` is set to `2`:

```
sysctl kernel.yama.ptrace_scope
```

Set `ptrace_scope` to `1` if you want to return to the default value:

```
echo 1 | sudo tee /proc/sys/kernel/yama/ptrace_scope
```



### Method 2 (Will always disable `ptrace` on boot, may break things [i.e. League Of Legends])

See [this page for more information](https://www.kernel.org/doc/Documentation/security/Yama.txt) on process tracing.

1. Open `/etc/sysctl.d/10-ptrace.conf` with *vim*:

```
vim /etc/sysctl.d/10-ptrace.conf
sudo vim /etc/sysctl.d/10-ptrace.conf
```

3. Change the `kernel.yama.ptrace_scope` value to `2`:
2. Change the `kernel.yama.ptrace_scope` value to `2`:

```
kernel.yama.ptrace_scope = 2
```

4. Reboot your system:
3. Reboot your system:

```
reboot
```

5. Check that the `ptrace_scope` is set to `2`:
4. Check that the `ptrace_scope` is set to `2`:

```
sysctl kernel.yama.ptrace_scope
```

See [this page for more information](https://www.kernel.org/doc/Documentation/security/Yama.txt) on process tracing.

## (4) Install .NET

We'll ensure that `http-driver` can be compiled with *.NET*.

1. Switch to the `root` user:

```
su
```

2. Add the *Microsoft* package repositories:
1. Add the *Microsoft* package repositories:

* See https://docs.microsoft.com/en-us/dotnet/core/install/linux.
* Be sure to carefully follow instructions for your Linux flavor.

3. Install *.NET 6.0*:
2. Install *.NET 6.0*:

```
apt update && apt install -y dotnet-sdk-6.0
sudo apt update && apt install -y dotnet-sdk-6.0 # Ubuntu based distros
or
sudo pacman -S dotnet-sdk-6.0 # Arch based distros
```

## (5) Install Service

We'll install `http-driver` and register it as a service:

1. Switch to `root` user:
1. Install dependencies:

```
su
sudo apt install -y git # Ubuntu based distros
or
sudo pacman -S git # Arch based distros
```

2. Open the `/root` directory:
2. Switch to `root` user:

```
cd ~
su
```

3. Install dependencies:
3. Open the `/root` directory:

```
apt install -y git
cd ~
```

4. Clone this repository:
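Review bot: In section (4), `sudo apt update && apt install -y dotnet-sdk-6.0` elevates only the first command; since this change removes the "Switch to the `root` user" step from that section, the `apt install` half runs unprivileged and fails. It should be `sudo apt update && sudo apt install -y dotnet-sdk-6.0`. The fenced blocks in sections (4) and (5) also carry a bare `or` line between the Ubuntu and Arch commands, which breaks copy and paste. In section (3), the Yama link now sits directly under the Method 2 heading, before its steps, although it documents `ptrace_scope` for both methods; leaving it at the end of the section, where it was, keeps it clearly attached to both.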
Expand Down Expand Up @@ -185,6 +213,23 @@ chmod +x service-install.sh
./service-install.sh
```

9. Optional (If Method 1 is used):

You should disable the service when using Method 1, as the processes will not be hidden automatically on boot, and just when using the mount command. Disable the automatic starting of the service with the command below. Else this might get you banned.

```
sudo systemctl disable <system name you specified before>
```
and


```
sudo systemctl start <system name you specified before>
```

Use this every time you want to use the driver again !!! DON'T USE WHEN ROOT PROCESSES AREN'T HIDDEN IN "ps aux" !!!


Once you've followed these instructions, `http-driver` is ready for use!

# Updating
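Review bot: Step 9 says "If Method 1 is used" without naming the section, and after this change both (2) and (3) have a Method 1; the mention of the mount command suggests the `/proc` remount in (2), so say that explicitly. The paragraph announces one command ("with the command below") but two fenced commands follow, joined by a bare "and": state that `systemctl disable` is run once and that `systemctl start` is the command to repeat on each use, after the remount and the `ps aux` check. The placeholder `<system name you specified before>` presumably means the service name chosen during `service-install.sh`; "service name" would match the wording of the rest of the section.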