In general, what runs on your server should be considered private information that is shared only on a need-to-know basis. If there's no reason for a user to have insight into what services are running on a server, then a user probably shouldn't have permission to view process ID (PID) listings.
[ Free cheat sheet: Get a list of Linux utilities and commands for managing servers and networks. ]
Finding a service
It's common, by default, for a regular Linux account (emad in this example) to be able to view a PID listing using ps, pgrep, pidof, and so on:
$ sudo su – emad
$ ps -ef | wc -l
229
A user usually can see all processes. It's a lot of output, but if a user is searching for something specific, such as database system processes such as PostgreSQL (a popular open source database), it's pretty easy to find:
$ ps -ef | grep postgres
postgres 1143 [...] /usr/pgsql-12/bin/postmaster -D /var/lib/pgsql/12/data/
postgres 1151 [...] postgres: logger
postgres 1153 [...] postgres: checkpointer
postgres 1154 [...] postgres: background writer
postgres 1155 [...] postgres: walwriter
postgres 1156 [...] postgres: autovacuum launcher
postgres 1157 [...] postgres: stats collector
postgres 1158 [...] postgres: logical replication launcher
Not everyone needs to see what processes are running, so I use hidepid.
[ Improve your skills managing and using SELinux with this helpful guide. ]
Use hidepid to hide processes
To prevent a user from seeing all the processes running on a system, mount the /proc file system using the hidepid=2 option:
$ sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc
The hidepid parameter value accepts three values:
- 0: This is the default. Every user can read all world-readable files stored in a process directory.
- 1: Root process directories remain listed in
/procbut are not accessible to users. Users can access only their own process directories. This protects sensitive files likecmdline,sched, orstatusfrom access by non-root users. This setting does not affect the actual file permissions. - 2: Process files are invisible to non-root users. The existence of a process can be learned by other means, but its effective user ID (UID) and group ID (GID) are hidden.
$ ps -ef | wc -l
63
$ ps -ef | grep postgres
emad 7091 7067 0 14:02 pts/0 00:00:00 grep --color=auto postgres
The directories representing PIDs are removed from /proc. The user emad can no longer view PostgreSQL database system process IDs.
Need to know
Instead of changing mount options as your system runs, add the hidepid option to /etc/fstab.
Securing your operating system is a continuous challenge, and with servers containing highly confidential data, it's important to think about what you want people to be able to stumble across on your system. Use hidepid to remove processes from casual inspection.
关于作者
Emad Al-Mousa is a Saudi IT professional with more than 15 years of experience. He is a project leader for multiple projects that are transforming business operations and enabling digital transformation. He has a passion for cybersecurity and has received recognition from multiple big tech companies.
