Debian GNU/Linux Debian 7.0 (aka Wheezy) will be a “general hardened” distribution in my eyes. Not only that it now enabled hardened building of packages (see http://wiki.debian.org/Hardening), the Kernel team also backported with 3.2.20-1 the IMO very interesting hidepid option (already available in Wheezy since some weeks)!
What is the job of “hidepid”?
hidepid is an new mount option for the procfs (/proc), with that you can hide processes and its information to other users, like other shell users and to web scripts.
hidepid accepts three different values:
- hidepid=0 (default): This is the default setting and gives you the default behaviour.
- hidepid=1: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc
- hidepid=2: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc!
Additionaly you can specifiy an user/group ID which is still able to look up the processes with the gid option. So if you want to hide all processes to other users, except root (uid=0) and in this example gid=1001 (some semi administrative user in this example) your /etc/fstab has to look like this:
proc /proc proc defaults,hidepid=2,gid=1001 0 0
It was a good descision to backport this feature IMO, but also be careful, it *may* break programs. I did not found any server related application which will break with hidepid=2, but we had to adjust our Nagios monitoring to execute some process checks with another UID, since the nagios user itself could not see anymore, if process A and B is still running.
Since a few people asked (thanks for it) with hidepid=2 the process IDs are not invisible, they are unavailable:
$ ls /proc/1
ls: cannot access /proc/1: No such file or directory
Pingback: Small Dropbear » Careful with PIDs
Note that on Ubuntu 12.04 at least, setting mount options for /proc in /etc/fstab doesn’t work. (Bug report: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1039887) I don’t know if Debian is affected. The work-around is to put “mount -o remount,hidepid=2 /proc” in /etc/rc.local.