Kernel 3.2+: Hide Processes From Other Normal Users!

In a multi-user system it was always possible for any user to list all running processes on the system whether or not these processes belong to the user!linuxkernel32rc6_dh_fx57

With linux kernel 3.2+ (RHEL/Centos 6.5+) there is a new added feature to give the root a full control over this issue where root will be the one who can list all running processes and all users will only list their own processes no more.

New mounting option: hidepid

The new option defines how much info about processes we want to be available for non-owners.The value of it will define the mode in mounting as follow:

hidepid=0 – The old behavior – anybody may read all world-readable /proc/PID/* files (default).

hidepid=1 – It means users may not access any /proc/ / directories, but their own. Sensitive files like cmdline, sched*, status are now protected against other users.

hidepid=2 It means hidepid=1 plus all /proc/PID/ will be invisible to other users. It compicates intruder’s task of gathering info about running processes, whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, etc.

This could be done through the command line as follow

# mount -o remount,rw,hidepid=2 /proc

Or by updating /etc/fstab

# vi /etc/fstab

proc    /proc    proc    defaults,hidepid=2     0     0

This will need # mount -a   to just re-read /etc/fstab

References:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s