hidepid: hide a process from other users

The Linux kernel 3.2+ added an option to hide processes from other users as part of kernel hardening. Only the user who owns the process and root can see it.

hidepid has been under discussion since late 2011. The git commit log is here. It is essentially a mount option for the virtual /proc filesystem. hidepid can have 3 values:

  • 0: default behaviour
  • 1: users may not access any /proc/<pid>/ directories other than their own. Sensitive files like cmdline, sched*, status are protected against other users.
  • 2: hidepid=1 plus all /proc/<pid>/ directories will be invisible to other users. It also hides the process euid and egid.

To use this option, edit your /etc/fstab as root (via sudo) and add or edit the proc filesystem entry line as below:

proc /proc proc defaults,hidepid=2 0 0

You can remount /proc live (as root) as well:

# mount -o remount,rw,hidepid=2 /proc

Some applications might break when you use this option. To fix this, append the gid (group id) option to the fstab mount options, which exempts members of that group from the restriction. Notes from the commit log:

gid=XXX defines a group that will be able to gather all processes’ info (as in hidepid=0 mode). This group should be used instead of putting nonroot user in sudoers file or something. However, untrusted users (like daemons, etc.) which are not supposed to monitor the tasks in the whole system should not be added to the group.

Add the owner user’s group id to /etc/fstab as below:

proc /proc proc defaults,hidepid=2,gid=mygrp 0 0
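After remounting, it is worth verifying that the option actually took effect rather than trusting fstab. The following POSIX shell script is an added example, not part of the original post: it parses /proc/mounts-style text, reports the effective hidepid and gid values for /proc, and treats hidepid 1 or 2 as restricted. It assumes the /proc/mounts field order (device, mountpoint, type, options) and, for kernels 5.8 and later, the named spellings off/noaccess/invisible/ptraceable, which are mapped to their numeric meaning.

```shell
#!/bin/sh
# Added example (not from the original post): audit the live proc mount for hidepid.

# Extract the mount options field of the /proc entry from /proc/mounts-style text.
proc_mount_opts() {
  printf '%s\n' "$1" | awk '$2 == "/proc" && $3 == "proc" { print $4; exit }'
}

# Return the hidepid value from a comma-separated options string.
# Absent option means the default (0). Kernels 5.8+ also accept named values
# (assumed mapping: off=0, noaccess=1, invisible=2, ptraceable=4); the last
# occurrence wins, as with mount options generally.
hidepid_value() {
  v=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^hidepid=//p' | tail -n 1)
  case "$v" in
    ""|off)     echo 0 ;;
    noaccess)   echo 1 ;;
    invisible)  echo 2 ;;
    ptraceable) echo 4 ;;
    *)          echo "$v" ;;
  esac
}

# Return the gid= value, or an empty string when none is set.
hidepid_gid() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^gid=//p' | tail -n 1
}

# Audit: exit status 0 when hidepid is 1 or 2 (other users' /proc/<pid>
# restricted), 1 otherwise. Prints a one-line summary either way.
audit_proc() {
  opts=$(proc_mount_opts "$1")
  hp=$(hidepid_value "$opts")
  gid=$(hidepid_gid "$opts")
  case "$hp" in
    1|2) echo "hidepid=$hp gid=${gid:-none}: /proc restricted"; return 0 ;;
    *)   echo "hidepid=$hp: /proc/<pid> of every user is readable"; return 1 ;;
  esac
}

# Constructed sample of /proc/mounts with the option from this post applied
# (gid shown numerically, as the kernel reports it).
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0'

# Check the live system when run directly; fall back to the sample otherwise.
if [ -r /proc/mounts ]; then
  audit_proc "$(cat /proc/mounts)" || :
else
  audit_proc "$SAMPLE_MOUNTS" || :
fi
```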
