Entries from February 2012.

Hide other users' processes in Linux

And at last we have the equivalent of security.bsd.see_other_uids in Linux without the need to mess around with grsecurity! This is a security feature I've waited to land in Linux for a LONG time.
This feature can be enabled if you have kernel 3.3 (EL6/rhel/centos users can get it from here - thanks ajb!), but hopefully RedHat and other distributions will backport it into their kernels, too. The required patches are here and here.

So, how does it work? Simple:
- mount /proc with the option "hidepid=1" to stop a regular user from seeing any processes but their own when running `ps` or `top`
- mount /proc with the option "hidepid=2" to not only stop the user from seeing other users' processes, but also hide the /proc/$PID directories that are not theirs, so they cannot even be listed
- mount /proc with the option "hidepid=0" to go back to the standard behaviour, where all users can see all processes - this is the default
- there is also the "gid=xxx" mount option, which lets members of the specified gid see all processes even when hidepid is set to 1 or 2
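As an added example (not from the original post), here is a small POSIX shell helper that builds the fstab line and the live remount command for a given hidepid level and exempt gid, and audits a mount table in /proc/mounts format to report which hidepid level is actually in effect. The gid value 99 and the mount-table lines are constructed sample data; the named spellings "off", "noaccess", "invisible" and "ptraceable" are the forms newer kernels (5.8+) print in place of 0, 1, 2 and 4, and are mapped back to numbers so the audit works on either.

```shell
#!/bin/sh
# Added example: manage and audit the hidepid mount option for /proc.
# Not part of the original post; gid 99 and the sample lines are constructed.

# fstab entry that applies hidepid=$1 with exempt group gid=$2.
hidepid_fstab_line() {
    printf 'proc /proc proc defaults,hidepid=%s,gid=%s 0 0\n' "$1" "$2"
}

# Live remount command (must be run as root) for the same settings.
hidepid_remount_cmd() {
    printf 'mount -o remount,hidepid=%s,gid=%s /proc\n' "$1" "$2"
}

# Read a mount table (format of /proc/mounts) on stdin and print the hidepid
# level in effect for /proc: 0 when the option is absent (kernel default),
# otherwise the numeric level. Newer kernels spell the levels as names.
hidepid_level_from_mounts() {
    awk '$2 == "/proc" && $3 == "proc" {
        level = 0
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^hidepid=/) {
                sub(/^hidepid=/, "", opts[i])
                v = opts[i]
                if (v == "off") v = 0
                else if (v == "noaccess") v = 1
                else if (v == "invisible") v = 2
                else if (v == "ptraceable") v = 4
                level = v
            }
        }
        print level
        exit
    }'
}

# Print the gid exempted from hidepid on /proc, or "none" if no gid= is set.
hidepid_exempt_gid_from_mounts() {
    awk '$2 == "/proc" && $3 == "proc" {
        gid = "none"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^gid=/) { sub(/^gid=/, "", opts[i]); gid = opts[i] }
        }
        print gid
        exit
    }'
}

# Stand-alone demonstration on constructed mount-table lines.
if [ "${HIDEPID_DEMO:-1}" = "1" ]; then
    hardened='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=99 0 0'
    default='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
    echo "fstab line:   $(hidepid_fstab_line 2 99)"
    echo "remount cmd:  $(hidepid_remount_cmd 2 99)"
    echo "hardened sample -> hidepid=$(printf '%s\n' "$hardened" | hidepid_level_from_mounts)" \
         "gid=$(printf '%s\n' "$hardened" | hidepid_exempt_gid_from_mounts)"
    echo "default sample  -> hidepid=$(printf '%s\n' "$default" | hidepid_level_from_mounts)" \
         "gid=$(printf '%s\n' "$default" | hidepid_exempt_gid_from_mounts)"
fi
```

On a real system you would feed `hidepid_level_from_mounts` with `cat /proc/mounts` to confirm the setting survived a reboot, and put the group whose members run monitoring tools (the gid passed to `hidepid_fstab_line`) in the exempt group rather than lowering hidepid for everyone.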

You can read more about it here.

Enjoy!