Blog

03/06/2019

Linux hide processes from other users and ps command



I run a multi-user system. Most users access resources using SSH client. How can I stop leaking process information to all users on Linux operating systems? How do I prevent users from seeing processes that do not belong to them on a Debian/Ubuntu/RHEL/CentOS Linux server? Is there any way to hide other users process when running ps command?

If you are using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) you can hide process from other users. Only root can see all process and user only see their own process. All you have to do is remount the /proc filesystem with the Linux kernel hardening hidepid option. This hides process from all other commands such as ps, top, htop, pgrep and more. [donotprint][/donotprint]

Linux hide processes from other users using hidepid option

This option defines how much info about processes we want to be available for non-owners. The values are as follows:

  1. hidepid=0 – The old behavior – anybody may read all world-readable /proc/PID/* files (default).
  2. hidepid=1 – It means users may not access any /proc// directories, but their own. Sensitive files like cmdline, sched*, status are now protected against other users.
  3. hidepid=2 It means hidepid=1 plus all /proc/PID/ will be invisible to other users. It compicates intruder’s task of gathering info about running processes, whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, etc.

Get the list of current processes on Linux

Run:
top
htop
ps aux

The ps command displaying the root user process and I am logged in as a regular user

Linux kernel protection: Hiding processes from other users

Type the following mount command:
# mount -o remount,rw,hidepid=2 /proc
Edit /etc/fstab, enter:
# vi /etc/fstab
Update/append/modify proc entry as follows so that protection get enabled automatically at server boot-time:

## append the following line ##
proc    /proc    proc    defaults,hidepid=2     0     0

Save and close the file.

Linux demo: Prevent users from seeing processes that do not belong to them

In this example, I’m login as vivek@cbz-test:
$ ssh vivek@cbz-test
$ ps -ef
$ sudo -s
# mount -o remount,rw,hidepid=2 /proc
$ ps -ef
$ top
$ htop

Sample outputs:

Animated gif 01: hidepid in action

Tip: Dealing with apps that breaks when you implement this technique

You need to use gid=VALUE_HERE option:

gid=XXX defines a group that will be able to gather all processes’ info (as in hidepid=0 mode). This group should be used instead of putting nonroot user in sudoers file or something. However, untrusted users (like daemons, etc.) which are not supposed to monitor the tasks in the whole system should not be added to the group.

So add the user called monapp to group (say admin) that want to see process information and mount /proc as follows in /etc/fstab:

proc /proc proc defaults,hidepid=2,gid=admin 0 0 
Conclusion

For more information see the following URLs:

Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

20/08/2019

Start your Bitcoin Exchange with our Software

Start your Bitcoin Exchange with our Software Setup your white label bitcoin exchange right away. Or create your own cryptocurrency using...
14/08/2019

How to KVM, QEMU start or stop virtual machine from command line (CLI)

KVM or Kernel Based Virtual Machine is a popular virtualization technology. It allows you to run virtual guest machines over a host machine. To start...
14/08/2019

How to Docker backup Saving and restoring your volumes

Running a Docker volume backup First, we spin up a temporary container, and we mount the backup folder and the target Docker volume to this container....