Skip to content

Hiding processes from other users on Linux

Published by tex on December 10, 2016

If you are running a recent Kernel, you can achieve this benefit by mounting the /proc filesystem with the new hidepid option. This option was added in Linux kernel 3.3

The proc filesystem is a pseudo-filesystem which provides an interface to kernel data structures. It is commonly mounted at /proc. Most of it is read-only, but some files allow kernel variables to be changed.

The proc filesystem supports the following mount options:

hidepid=n (since Linux 3.3)

This option controls who can access the information in /proc/[pid] directories. The argument, n, is one of the following values:

              0   Everybody may access all /proc/[pid] directories.  This is
                  the traditional behavior, and the default if this mount
                  option is not specified.

              1   Users may not access files and subdirectories inside any
                  /proc/[pid] directories but their own (the /proc/[pid]
                  directories themselves remain visible).  Sensitive files
                  such as /proc/[pid]/cmdline and /proc/[pid]/status are now
                  protected against other users.  This makes it impossible
                  to learn whether any user is running a specific program
                  (so long as the program doesn't otherwise reveal itself by
                  its behaviour).

              2   As for mode 1, but in addition the /proc/[pid] directories
                  belonging to other users become invisible.  This means
                  that /proc/[pid] entries can no longer be used to discover
                  the PIDs on the system.  This doesn't hide the fact that a
                  process with a specific PID value exists (it can be
                  learned by other means, for example, by "kill -0 $PID"),
                  but it hides a process's UID and GID, which could
                  otherwise, be learned by employing stat(2) on a /proc/[pid]
                  directory.  This greatly complicates an attacker's task of
                  gathering information about running processes (e.g.,
                  discovering whether some daemon is running with elevated
                  privileges, whether another user is running some sensitive
                  program, whether other users are running any program at
                  all, and so on).

gid=gid (since Linux 3.3)

              Specifies the ID of a group whose members are authorised to
              learn process information otherwise prohibited by hidepid
              (i.e., users in this group behave as though /proc was mounted
              with hidepid=0).  This group should be used instead of
              approaches such as putting nonroot users into the sudoers(5)
              file.

Remounting proc with hidepid option:

mount -o remount,hidepid=2 /proc

Quick test:

root@ns:~# mount -o remount,hidepid=2 /proc
root@ns:~# su - marian
marian@ns:~$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
marian   48399  1.0  0.0  28696  4904 pts/0    S    22:14   0:00 -su
marian   48404  0.0  0.0  24584  2620 pts/0    R+   22:14   0:00 ps aux
marian@ns:~$

Also, you can add on fstab to ensure this protection is enabled by default:

echo "proc    /proc    proc    defaults,hidepid=2     0     0" >> /etc/fstab

References:

– man 5 proc
https://wiki.debian.org/Hardening

Published inLinuxSecurity