Image
How to hide PID listings from non-root users in Linux
Prevent average users from viewing your Linux system's processes with the hidepid command.
In general, what runs on your server should be considered private information that is shared only on a need-to-know basis. If there's no reason for a user to have insight into what services are running on a server, then a user probably shouldn't have permission to view process ID (PID) listings.
[ Free cheat sheet: Get a list of Linux utilities and commands for managing servers and networks. ]
Finding a service
It's common, by default, for a regular Linux account (emad
in this example) to be able to view a PID listing using ps
, pgrep
, pidof
, and so on:
$ sudo su – emad
$ ps -ef | wc -l
229
A user usually can see all processes. It's a lot of output, but if a user is searching for something specific, such as database system processes such as PostgreSQL (a popular open source database), it's pretty easy to find:
$ ps -ef | grep postgres
postgres 1143 [...] /usr/pgsql-12/bin/postmaster -D /var/lib/pgsql/12/data/
postgres 1151 [...] postgres: logger
postgres 1153 [...] postgres: checkpointer
postgres 1154 [...] postgres: background writer
postgres 1155 [...] postgres: walwriter
postgres 1156 [...] postgres: autovacuum launcher
postgres 1157 [...] postgres: stats collector
postgres 1158 [...] postgres: logical replication launcher
Not everyone needs to see what processes are running, so I use hidepid
.
[ Improve your skills managing and using SELinux with this helpful guide. ]
Use hidepid to hide processes
To prevent a user from seeing all the processes running on a system, mount the /proc
file system using the hidepid=2
option:
$ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc
The hidepid
parameter value accepts three values:
- 0: This is the default. Every user can read all world-readable files stored in a process directory.
- 1: Root process directories remain listed in
/proc
but are not accessible to users. Users can access only their own process directories. This protects sensitive files likecmdline
,sched
, orstatus
from access by non-root users. This setting does not affect the actual file permissions. - 2: Process files are invisible to non-root users. The existence of a process can be learned by other means, but its effective user ID (UID) and group ID (GID) are hidden.
$ ps -ef | wc -l
63
$ ps -ef | grep postgres
emad 7091 7067 0 14:02 pts/0 00:00:00 grep --color=auto postgres
The directories representing PIDs are removed from /proc
. The user emad
can no longer view PostgreSQL database system process IDs.
Need to know
Instead of changing mount options as your system runs, add the hidepid
option to /etc/fstab
.
Securing your operating system is a continuous challenge, and with servers containing highly confidential data, it's important to think about what you want people to be able to stumble across on your system. Use hidepid
to remove processes from casual inspection.
Image
The PID namespace is an important one when it comes to building isolated environments. Find out why and how to use it.
Image
Every Linux user has a favorite single-line command. Here are the 20 Linux commands we can't live without.
Image
Learn how to locate, read, and use Linux system documentation with man, info, and /usr/share/doc files.
Emad Al-Mousa
Emad Al-Mousa is a Saudi IT professional with more than 15 years of experience. He is a project leader for multiple projects that are transforming business operations and enabling digital transformation. More about me