
Hiding processes from other users

Posted by Steve on Thu 13 Mar 2014 at 08:58


On a multi-user system you can increase security by hiding from each user the running processes, and their arguments, which belong to other users. This helps avoid problems if users enter passwords on the command line, and similar.

If you're running a recent kernel (version 3.2 or higher), you can achieve this benefit by mounting the /proc filesystem with the new hidepid option:

Value  Meaning

0      This is the default setting and gives you the default behaviour.

1      With this option a normal user would not see any processes other than their own in ps, top, etc., but would still be able to see process IDs beneath /proc.

2      Users are only able to see their own processes (as with hidepid=1), and any other process IDs are also hidden from them if they manually poke around beneath /proc.

It is worth noting that with the secure values set ("1", or "2") all processes remain visible to the root user.

If you decide you wish to enable this protection you can change the mount option interactively by running:

# mount -o remount /proc -o hidepid=2

To ensure this happens automatically at boot-time you can update your /etc/fstab file to read something like this:

proc    /proc    proc    defaults,hidepid=2     0     0

With this in place a user will only see their own processes in the output of top, ps, etc.:

s-blog@www:~$ ps -ef
s-blog     848 32483  0 08:55 pts/1    00:00:00 ps -ef
s-blog   32483 32482  0 08:54 pts/1    00:00:00 -bash

The root user will still see all processes though, for debugging purposes.

According to a recent post from the Debian Security Team it seems likely that the hidepid option will be proposed as a default in the future.
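
A check for the two steps above, as an added example that is not part of the original article: it reads the hidepid value for /proc from a live mount table and from fstab, and reports when they disagree, for instance after an interactive remount that was never persisted. The function names and sample lines are constructed for illustration, and the block goes slightly beyond the article by also accepting the named values (noaccess, invisible) that newer kernels report in place of 1 and 2.

```sh
#!/bin/sh
# Added example (not from the original article): audit hidepid on /proc.

# proc_opt FILE KEY: value of mount option KEY on the proc entry for /proc.
# FILE uses the fstab / /proc/mounts layout: device, mount point, type, options.
proc_opt() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }                      # skip fstab comment lines
        $2 == "/proc" && $3 == "proc" {
            val = ""                            # the last matching entry wins
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (index(opts[i], key "=") == 1)
                    val = substr(opts[i], length(key) + 2)
        }
        END { if (val != "") print val }
    ' "$1"
}

# hidepid_of FILE: normalised hidepid level; unset means 0, the default.
# Newer kernels report names instead of numbers, so both forms are mapped.
hidepid_of() {
    case "$(proc_opt "$1" hidepid)" in
        ''|0|off)    echo 0 ;;
        1|noaccess)  echo 1 ;;
        2|invisible) echo 2 ;;
        *)           echo unknown ;;
    esac
}

# audit_hidepid MOUNTS FSTAB: compare the running state with the boot-time config.
audit_hidepid() {
    live=$(hidepid_of "$1")
    boot=$(hidepid_of "$2")
    if [ "$live" = 0 ] && [ "$boot" = 0 ]; then
        echo "unprotected"
    elif [ "$live" != "$boot" ]; then
        echo "drift live=$live fstab=$boot"
    else
        echo "ok hidepid=$live"
    fi
}

# Constructed sample: /proc was remounted by hand, but fstab was never updated.
tmp=$(mktemp -d)
echo 'proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0' > "$tmp/mounts"
echo 'proc    /proc    proc    defaults     0     0' > "$tmp/fstab"
audit_hidepid "$tmp/mounts" "$tmp/fstab"    # prints: drift live=2 fstab=0
rm -rf "$tmp"
```

On a real host, run audit_hidepid /proc/mounts /etc/fstab to compare the running mount with what will be applied at the next boot.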



Re: Hiding processes from other users
Posted by Anonymous (92.133.xx.xx) on Thu 13 Mar 2014 at 18:22
The better way is to forbid passing passwords and other sensitive data through the command line and similar, because if you give the ability to hide processes, you give a big help to hiding malware and other unwelcome processes. Hiding information from users is a really bad move coming from people who argue to defend and promote free and open software!


Re: Hiding processes from other users
Posted by Anonymous (71.123.xx.xx) on Fri 14 Mar 2014 at 02:46
Malware would still have to run as some user on the system. If it is truly accidental malware, it is most likely running under your account, and thus would still show up in ps or top just fine.

As for how this interferes with the promotion of free software, I don't see how this is related or harmful.


Re: Hiding processes from other users
Posted by ajt (92.25.xx.xx) on Tue 18 Mar 2014 at 21:25

I don't know how important it is for security, but it sounds like a good idea from the perspective of basic sanity on a large multi-user system, where people can sometimes be overloaded with other people's information.

"It's Not Magic, It's Work"


Re: Hiding processes from other users
Posted by KIsmay (199.60.xx.xx) on Fri 1 Aug 2014 at 21:45
I use xymon to monitor my systems and alert me if cron or other tasks aren't running. It runs as an unprivileged user by default. So when I implement this technique on /proc, it breaks.

The solution to this is to add the xymon user to a group that is able to see process information, and then add that to the /proc mount options.

In my case, I added xymon to the adm group, and changed fstab to this:
proc /proc proc defaults,hidepid=2,gid=adm 0 0


Re: Hiding processes from other users
Posted by Anonymous (87.92.xx.xx) on Sat 22 Nov 2014 at 14:38
Good tip! Thanks. This should have been the default since the birth of Unix. Users should not be able to spy on what other users are doing.
