Linux: Hide Processes from Other Users

If you are into Linux OS hardening, then one of the ways to improve security is to hide the display of running processes and their arguments from other users. This feature is available if you are on a Linux kernel version of 3.2 or above that supports the new hidepid mount option for procfs or /proc filesystem.

With this feature turned on, only the root user will be able to view all processes. Other users will only be able to view their own processes. The hidepid option has 3 possible values:

hidepid=0 – default behavior – anybody may read all world-readable files within the /proc/PID/ directories.
hidepid=1 – means users may not access any /proc/PID/ directories, but their own. Sensitive pseudo-files like cmdline, sched and status are now protected against other users.
hidepid=2 – means hidepid=1 plus all /proc/PID/ will be invisible to other users. It complicates the intruder’s task of gathering info about running processes, whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, etc.

Changing Mount Point Options for /proc Filesystem

To change the mount point options of the /proc filesystem on a running system, use the mount command as the root user.

# mount -o remount,hidepid=2 /proc

1	# mount -o remount,hidepid=2 /proc

After making the changes, login to the system as a normal user and try running the following commands.

$ ps -ef
$ ls -ld /proc/[0-9]*

1 2	$ ps -ef $ ls -ld /proc/[0-9]*

The above commands should only be listing the processes that belong to the user.

To make the changes permanent, the /etc/fstab needs to be updated with the new hidepid=2 mount option.

proc    /proc    proc    rw,nosuid,nodev,noexec,relatime,hidepid=2    0    0

1	proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0

Append “hidepid=2” to the end of the mount options. Your mount options could be slightly different from the above.

Allowing Access to Admin Group Members

If you have a group of administrators who require access rights to view all the processes, then you will need to use the additional gid mount option command.

First, assign these group of people to a specific group, eg. admin group.

Next, modify the mount options in /etc/fstab file to include this group.

proc    /proc    proc    rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=admin    0    0

1	proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=admin 0 0

Users who now belong to the admin group will be allowed to view all the processes. They will not need to use the root account.

Mohamed Ibrahim

ibrahim = { interested_in(unix, linux, android, open_source, reverse_engineering); coding(c, shell, php, python, java, javascript, nodejs, react); plays_on(xbox, ps4); linux_desktop_user(true); }