Since Linux 3.3 the proc filesystem has a mount option, hidepid, that hides processes from other users as part of kernel hardening. Only the user who owns a process, root, and members of an optional exempt group (see the gid option below) can see it. The levels are:
- 0: default behaviour; every user can read every /proc/<pid>/ directory, subject only to the file permissions inside it.
- 1: users may not access any /proc/<pid>/ directories but their own. Sensitive files such as cmdline, sched* and status are protected against other users, but the pids are still listed, so other users can still learn that a process exists and which euid and egid it runs under.
- 2: hidepid=1 plus all other users' /proc/<pid>/ directories become invisible: they are not listed, and opening them fails as if the process did not exist. This also hides the processes' euid and egid from other users.
Since Linux 5.8 the kernel also accepts the names hidepid=off, noaccess and invisible for 0, 1 and 2, and adds hidepid=4 (ptraceable), which hides every process the caller would not be allowed to ptrace.
To use this option, edit /etc/fstab as root and add or edit the proc filesystem entry as below:
proc /proc proc defaults,hidepid=2 0 0
You can also remount /proc live (as root); this takes effect immediately but does not persist across reboots, so keep the fstab entry as well:
# mount -o remount,rw,hidepid=2 /proc
Some programs break with hidepid=2 because they expect to read other users' /proc/<pid> entries: the best-known case on systemd systems is systemd-logind, which needs a service drop-in setting SupplementaryGroups= to the exempt group, and unprivileged monitoring agents are another. Rather than running such programs as root, put them in a group and pass it with the gid mount option; members of that group see /proc as if hidepid were 0. Notes from the commit log:
gid=XXX defines a group that will be able to gather all processes’ info (as in hidepid=0 mode). This group should be used instead of putting nonroot user in sudoers file or something. However, untrusted users (like daemons, etc.) which are not supposed to monitor the tasks in the whole system should not be added to the group.
Create that group if it does not exist, add only the trusted users and service accounts to it, and pass it with gid= in /etc/fstab (mount(8) resolves a group name to its numeric id; a numeric gid works as well):
proc /proc proc defaults,hidepid=2,gid=mygrp 0 0
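As an added example (not part of the original page), the following POSIX shell script audits how /proc is currently mounted, which is the check to run after the remount or after a reboot: it parses /proc/mounts, extracts the hidepid and gid options, normalizes the textual names that kernels since 5.8 print, and states who can see other users' processes. The sample mount line and the group id 1001 in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the original page): report how /proc is mounted.
# It parses a mounts(5)-style line for /proc, extracts the hidepid and gid
# options, normalizes the textual hidepid names that kernels >= 5.8 print,
# and runs on a constructed sample and, if readable, on this host's /proc/mounts.

# Print the mount options of the proc filesystem mounted on /proc.
# $1: path to a file in /proc/mounts format (defaults to /proc/mounts).
# If /proc is mounted several times the last (effective) entry wins.
proc_mount_opts() {
    awk '$2 == "/proc" && $3 == "proc" { opts = $4 } END { print opts }' "${1:-/proc/mounts}"
}

# Print the value of option $2 in the comma-separated option string $1
# (empty if the option is absent or has no "=value" part).
mount_opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= -v key="$2" '$1 == key { value = $2 } END { print value }'
}

# Map a hidepid value to its numeric level. Since Linux 5.8 the kernel
# accepts, and shows in /proc/mounts, the names off/noaccess/invisible/ptraceable.
hidepid_level() {
    case "$1" in
        ""|0|off)     echo 0 ;;
        1|noaccess)   echo 1 ;;
        2|invisible)  echo 2 ;;
        4|ptraceable) echo 4 ;;
        *)            echo unknown ;;
    esac
}

# One-line summary "hidepid=<level> gid=<gid|none>" for the /proc mount in $1.
# Returns 1 (and prints nothing) when the file contains no proc mount.
proc_hidepid_summary() {
    opts=$(proc_mount_opts "$1")
    [ -n "$opts" ] || return 1
    level=$(hidepid_level "$(mount_opt_value "$opts" hidepid)")
    gid=$(mount_opt_value "$opts" gid)
    printf 'hidepid=%s gid=%s\n' "$level" "${gid:-none}"
}

# Human-readable verdict for a summary line as produced above.
hidepid_verdict() {
    case "$1" in
        "hidepid=0 "*)        echo "weak: every user can read every /proc/<pid>" ;;
        "hidepid=1 "*)        echo "partial: other users' pids are listed but unreadable" ;;
        "hidepid=2 gid=none") echo "strict: only the owner and root see a process" ;;
        "hidepid=2 "*)        echo "strict with exempt group: members of ${1#*gid=} see everything" ;;
        "hidepid=4 "*)        echo "strict: only ptrace-capable callers see a process" ;;
        *)                    echo "unrecognised mount options" ;;
    esac
}

# Constructed sample: the /proc line as a 5.8+ kernel prints it after
# mounting with hidepid=2,gid=1001 (the group id 1001 is an assumption).
sample="${TMPDIR:-/tmp}/hidepid_sample.$$"
cat > "$sample" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=1001,hidepid=invisible 0 0
EOF
summary=$(proc_hidepid_summary "$sample")
echo "sample:    $summary -> $(hidepid_verdict "$summary")"
rm -f "$sample"

# Live, read-only check of this host; needs no privileges.
if summary=$(proc_hidepid_summary /proc/mounts); then
    echo "this host: $summary -> $(hidepid_verdict "$summary")"
fi
```

To see the hiding itself rather than the mount options, list /proc as an unprivileged user who is not in the exempt group (for example with su - someuser -c 'ls /proc') and compare the pids shown with the listing as root: under hidepid=2 the unprivileged listing contains only that user's own processes.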