Hiding process information on Linux so that ps, top, htop and similar commands cannot see the commands run by other accounts

Why did this come up, and why hide process information at all?
At work, Jenkins has a slave server attached, and several employees use that same machine to compile Android. Suppose the Jenkins slave runs under an account named something like buildfarm and executes some fairly sensitive commands from Jenkins, for example commands whose arguments carry account names and passwords. While such a command runs, the other employees on the machine can see it, which is a security risk. If you hide process information, other employees can no longer see which command you run or which arguments it carries.

Linux hide processes from other users and ps command

Original reference
https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/

run a multi-user system. Most users access resources using SSH client.
How can I stop leaking process information to all users on Linux operating systems?
How do I prevent users from seeing processes that do not belong to them on a
Debian/Ubuntu/RHEL/CentOS Linux server? Is there any way to hide other users
process when running ps command?

If you are using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ and above) you
can hide processes from other users. Only root can see all processes, and users only
see their own processes. All you have to do is remount the /proc filesystem with
the Linux kernel hardening hidepid option. This hides processes from all other
commands such as ps, top, htop, pgrep and more.

Linux hide processes from other users using hidepid option
This option defines how much info about processes we want to be available for non-owners. The values are as follows:

hidepid=0 – The old behavior – anybody may read all world-readable /proc/PID/* files (default).

hidepid=1 – It means users may not access any /proc/<pid>/ directories but their own.
Sensitive files like cmdline, sched*, status are now protected against other users.

hidepid=2 – It means hidepid=1 plus all /proc/PID/ will be invisible to other users.
It complicates an intruder's task of gathering info about running processes, whether some
daemon runs with elevated privileges, whether another user runs some sensitive program,
whether other users run any program at all, etc.

Linux kernel protection: Hiding processes from other users
Type the following mount command:

root# mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc

Edit /etc/fstab using a text editor such as nano command/vim command, enter:

root# vi /etc/fstab

Update/append/modify the proc entry as follows so that the protection gets enabled automatically at server boot time:

proc /proc proc defaults,nosuid,nodev,noexec,relatime,hidepid=2 0 0

Save and close the file. The security mount options are as follows:

Explanation of the mount options

nosuid : Do not allow set-user-ID or set-group-ID bits to take effect.
nodev : Do not interpret character or block special devices on the file system.
noexec : Do not permit direct execution of any binaries on the mounted filesystem.
hidepid : Option that defines how much info about processes is hidden from non-owners.
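As an added example (not part of the original post nor of the cyberciti article it quotes), the following POSIX shell script audits whether /proc is currently mounted with hidepid and with the nosuid, nodev and noexec flags described above. It reads the mount-table format shared by /proc/self/mounts and /etc/fstab, so the same check can be run against the live system and against a planned fstab entry. Newer kernels also accept named hidepid values (noaccess, invisible, ptraceable); the script maps them to their numeric level so they are not misreported as the relaxed default. The sample table lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the hidepid state
# of the /proc mount from a mount table (/proc/self/mounts or /etc/fstab).

# hidepid_of_opts OPTS
# Prints the hidepid level encoded in a comma-separated mount option string.
# No hidepid option means 0, the relaxed default. Newer kernels also accept
# named values; they are mapped to the numeric level they correspond to.
# The last hidepid= occurrence wins, matching mount's "later overrides" rule.
hidepid_of_opts() {
    printf '%s\n' "$1" | awk -F, '
        BEGIN { level = 0 }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^hidepid=/) {
                    v = substr($i, 9)
                    if (v == "off") v = 0
                    else if (v == "noaccess") v = 1
                    else if (v == "invisible") v = 2
                    else if (v == "ptraceable") v = 4
                    level = v
                }
            }
        }
        END { print level + 0 }'
}

# proc_opts_from_table TABLE
# Given the text of a mount table, prints the option field of the entry
# that mounts procfs on /proc (empty when there is no such entry).
proc_opts_from_table() {
    printf '%s\n' "$1" | awk '$2 == "/proc" && $3 == "proc" { opts = $4 } END { print opts }'
}

# audit_table TABLE [MIN_LEVEL]
# Prints a one-line summary and succeeds only when /proc carries
# hidepid >= MIN_LEVEL (default 2) plus the nosuid, nodev and noexec flags.
audit_table() {
    table=$1
    want=${2:-2}
    opts=$(proc_opts_from_table "$table")
    level=$(hidepid_of_opts "$opts")
    missing=""
    for flag in nosuid nodev noexec; do
        case ",$opts," in
            *",$flag,"*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    printf '/proc options: %s -> hidepid=%s (want >= %s); missing flags:%s\n' \
        "${opts:-<none>}" "$level" "$want" "${missing:- none}"
    [ "$level" -ge "$want" ] && [ -z "$missing" ]
}

# Constructed sample tables: one hardened as in the article, one default.
HARDENED_TABLE='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'
DEFAULT_TABLE='proc /proc proc rw,relatime 0 0'

audit_table "$HARDENED_TABLE" 2 || true
audit_table "$DEFAULT_TABLE" 2 || true

# Live check of the running system, skipped where the mount table is unreadable.
if [ -r /proc/self/mounts ]; then
    audit_table "$(cat /proc/self/mounts)" 2 || echo "/proc is not hardened; remount with hidepid=2"
fi
```

Run it as any user to see the live verdict; the exit status of audit_table makes it usable from a configuration-compliance job as well, where a non-zero result means the remount or the fstab change has not taken effect.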

Tip: Dealing with apps that break when you implement this technique
You need to use the gid=VALUE_HERE option:

gid=XXX defines a group that will be able to gather all processes’ info (as in hidepid=0 mode).
This group should be used instead of putting nonroot user in sudoers file or something.
However, untrusted users (like daemons, etc.) which are not supposed to monitor the tasks
in the whole system should not be added to the group.

So add the user called monapp to the group (say admin) that should be able to see process information, and
mount /proc as follows in /etc/fstab (how to add a user to a group is described at the following URL):
https://www.cyberciti.biz/faq/howto-linux-add-user-to-group/

proc /proc proc defaults,hidepid=2,gid=admin 0 0 

or:

proc /proc proc defaults,hidepid=2,gid=sudo 0 0
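The gid= variant, as an added example that is not part of the original post or the cyberciti article: the script below builds the /etc/fstab entry for a given hidepid level and monitoring group, resolves the group name to its numeric gid from an /etc/group-format database, and checks that the monitoring user (monapp in the article) is actually a member before the entry is used. Using the numeric gid in the entry removes any dependence on whether the mount tool translates group names. The group database shown is constructed for the demonstration; by default the functions read the real /etc/group.

```shell
#!/bin/sh
# Added example, not code from the original post: build the gid= variant
# of the hidepid=2 /proc entry for /etc/fstab, resolving the monitoring
# group to its numeric id and checking that the monitoring user belongs
# to it before the entry is used.

# Constructed group database in /etc/group format, standing in for the
# real file so the functions can be exercised without touching the system.
SAMPLE_GROUP_DB='root:x:0:
sudo:x:27:alice
admin:x:1001:monapp,alice
buildfarm:x:1002:'

# gid_of_group NAME [GROUPDB]
# Prints the numeric gid of group NAME; GROUPDB defaults to /etc/group.
# Fails (prints nothing) when the group does not exist.
gid_of_group() {
    name=$1
    db=${2:-$(cat /etc/group 2>/dev/null)}
    gid=$(printf '%s\n' "$db" | awk -F: -v n="$name" '$1 == n { print $3; exit }')
    [ -n "$gid" ] && printf '%s\n' "$gid"
}

# user_in_group USER NAME [GROUPDB]
# Succeeds when USER is a supplementary member of group NAME.
user_in_group() {
    user=$1
    name=$2
    db=${3:-$(cat /etc/group 2>/dev/null)}
    printf '%s\n' "$db" | awk -F: -v n="$name" -v u="$user" '
        $1 == n {
            cnt = split($4, members, ",")
            for (i = 1; i <= cnt; i++) if (members[i] == u) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# proc_fstab_entry HIDEPID [GROUPNAME] [GROUPDB]
# Prints the /etc/fstab line for /proc. With GROUPNAME, the group's numeric
# gid is appended as gid=, so the entry does not rely on the mount tool
# translating a group name.
proc_fstab_entry() {
    level=$1
    group=$2
    db=$3
    opts="defaults,nosuid,nodev,noexec,relatime,hidepid=$level"
    if [ -n "$group" ]; then
        gid=$(gid_of_group "$group" "$db") || {
            echo "proc_fstab_entry: no such group: $group" >&2
            return 1
        }
        opts="$opts,gid=$gid"
    fi
    printf 'proc /proc proc %s 0 0\n' "$opts"
}

# Demonstration with the constructed database: the case from the article
# (monitoring user monapp, group admin). Membership is verified first;
# a user who is not in the group stays restricted by hidepid=2.
if user_in_group monapp admin "$SAMPLE_GROUP_DB"; then
    proc_fstab_entry 2 admin "$SAMPLE_GROUP_DB"
else
    echo "monapp is not in group admin; add it first" >&2
fi
```

Group membership is evaluated when a session starts, so a monitoring daemon or user added to the group needs to be restarted or log in again before the gid= exemption applies to it; keep the group limited to the accounts that genuinely need system-wide process visibility, as the article warns.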

Conclusion

Now you know how to hide Linux processes from other users and commands like ps, top, htop and others.
For more information see the following URLs:
procfs: add hidepid= and gid= mount options https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201
40 Linux Server Hardening Security Tips https://www.cyberciti.biz/tips/linux-security.html

Below is the kernel commit that added the hidepid feature.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.

The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:

hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.

hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.

hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It complicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.

gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.

hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:

http://www.openwall.com/lists/oss-security/2011/11/05/3

hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.

Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.