A simple method of hiding processes from other users on Linux system

Time:2021-11-30

I run a multi-user system where most users reach their resources over SSH. How do I avoid leaking process information to them, that is, how do I stop users from seeing processes that do not belong to them on a Debian / Ubuntu / RHEL / CentOS Linux server? This article describes a method of hiding processes from other users on Linux.

Solution:
If you run Linux kernel 3.3 or later (or RHEL / CentOS 6.5 or later, whose kernel carries the feature as a backport), you can hide processes from other users: root still sees every process, while a non-root user sees only processes it owns. Tools such as ps, top and htop build their process list by reading /proc, so all you need to do is remount the /proc file system with the kernel hardening option "hidepid".

Understanding the hidepid option
This option controls how much process information users who are not the owner of a process can see under /proc. Its values mean the following:

    1. hidepid=0    ——— The default (classic) mode: anyone can read the world-readable files under /proc/PID/*.
    Explanation: in Linux, file permissions are divided into three classes: user, group and other, where "other" is also called "world". World-readable therefore means that the other class has the r (read) permission bit.

    2. hidepid=1    ——— Users may not enter the /proc/PID/ directories of other users' processes, only their own. Sensitive files such as cmdline, sched* and status are therefore protected. When a user runs ps, top and similar commands, processes that do not belong to them are no longer shown. The PID directories themselves, however, are still listed under /proc, so the existence and owner of each process remain visible.

    3. hidepid=2   ——— Everything hidepid=1 restricts, plus the /proc/PID/ directories of other users' processes become completely invisible: they do not appear when /proc is listed, and accessing one directly fails as if it did not exist. Whether daemons are running with elevated privileges, whether other users are running sensitive programs, or whether other users are running anything at all, is no longer observable. This makes it considerably harder for an intruder to collect information about what is running on the system.

Since Linux 5.8 the same values may also be written by name (hidepid=off, noaccess, invisible), and a fourth level, hidepid=4 (ptraceable), additionally hides every process the caller would not be allowed to ptrace, including those it owns but cannot attach to.

Linux kernel hardening: hiding processes from other users on Linux
Run the following command to remount /proc with the hidepid option set:

# mount -o remount,rw,hidepid=2 /proc

This takes effect immediately but does not survive a reboot. To make it permanent, edit /etc/fstab:

# vi /etc/fstab

and change the proc mount line to:

proc /proc proc defaults,hidepid=2 0 0

Then save and close the file. On systemd-based distributions /proc is already mounted before /etc/fstab is read; the options on the fstab line are applied to the existing mount by systemd-remount-fs.service during boot, so after rebooting confirm that the /proc entry in /proc/mounts lists hidepid=2. The option belongs to that particular mount of /proc: a /proc mounted separately, for example inside a container or a chroot, does not inherit it and needs its own hidepid setting.

Next, a demonstration of whether this method of hiding processes from other users on Linux actually works.
In this example I log in to a VPS twice, once as the user Dabu and once as root, in two terminal windows (Xshell, or plain ssh on the command line). Both sessions are open at the same time, and hidepid is still at its default of 0.
First, as root, open a file in vi and leave it open:

# vi a.txt

Then, in the Dabu session, list all processes:

$ ps -ef

The output includes root's editor process:

root 16601 12120 0 16:19 pts/1 00:00:00 vi a.txt

Likewise, running:

$ top -bn1

also shows the vi process owned by root:

17512 root 20 0 3488 1420 1192 S 0.0 0.5 0:00.00 vi

Both results show that with hidepid=0 (the default) Dabu can see root's processes.

Next, as root, remount /proc with hidepid=2:

# mount -o remount,rw,hidepid=2 /proc

and, as Dabu, list the processes again:

$ ps -ef

The vi process is no longer in the output: Dabu now sees only processes that belong to Dabu, and the same holds for every other non-root user. top and htop likewise show only Dabu's own processes.

Listing /proc as Dabu now shows only Dabu's own PID directories, and trying to enter another user's PID directory (root's vi process, for example) fails as if the directory did not exist.

Using gid=XXX together with hidepid:
With hidepid=2 only root can see every process. Often an administrative group should be able to see them too, and so should any service that legitimately needs a full view of the process table, such as monitoring agents and, on some distributions, systemd-logind and polkit, which are known to misbehave under hidepid=2 unless they are granted access. The gid= mount option names one group whose members are exempt from hidepid.
Suppose the group is called admin and its GID is 1001. Change the proc line in /etc/fstab to:

proc /proc proc defaults,hidepid=2,gid=1001 0 0

Use the numeric GID here: the option is parsed by the kernel, which expects a number, so the group-name form

proc /proc proc defaults,hidepid=2,gid=admin 0 0

is not reliably accepted and should be avoided. Look the number up from the group name before writing the line.
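The following POSIX shell script is an added example and is not part of the original article. It ties the pieces above together: it reads the option string of the live /proc mount (the post-reboot check), reports the hidepid level and exempt group in both the numeric and the 5.8+ named form, builds a correct fstab line from a level and a group name or GID (resolving a name to its number with getent, since the kernel only accepts a numeric gid=), and counts how many other users' /proc/PID directories the calling user can still see. The function names, the sample GID 1001 and the sample /proc/mounts line used in the usage note are my own constructions; getent and GNU stat -c are assumed to be available, as they are on the distributions the article targets.

```shell
#!/bin/sh
# Added example, not from the original article: audit the hidepid state of /proc
# and build a correct fstab line for it. All function names are hypothetical.

# Normalize a hidepid value to the names the kernel accepts since Linux 5.8.
# Older kernels only take the numbers; /proc/mounts on 5.8+ may show either form.
hidepid_name() {
  case "$1" in
    0|off)        echo off ;;
    1|noaccess)   echo noaccess ;;
    2|invisible)  echo invisible ;;
    4|ptraceable) echo ptraceable ;;
    *)            echo unknown; return 1 ;;
  esac
}

# Print the value of one option (e.g. hidepid or gid) from a comma-separated
# mount-option string, or the given default when the option is absent.
mount_opt() {   # mount_opt OPTS NAME DEFAULT
  printf '%s\n' "$1" | tr ',' '\n' |
    awk -F= -v name="$2" -v def="$3" '$1==name{v=$2} END{print (v=="" ? def : v)}'
}

# Option string of the /proc mount, read from a /proc/mounts-style file
# (defaults to the live /proc/mounts of the running system).
proc_mount_opts() {
  awk '$2=="/proc" && $3=="proc"{print $4; exit}' "${1:-/proc/mounts}"
}

# One-line summary of the current setting, for the post-reboot check.
audit_hidepid() {   # audit_hidepid [MOUNTS-FILE]
  opts=$(proc_mount_opts "$1")
  level=$(mount_opt "$opts" hidepid 0)
  gid=$(mount_opt "$opts" gid none)
  echo "hidepid=$level ($(hidepid_name "$level")), exempt gid=$gid"
}

# Build the fstab line. The kernel parses gid= as a number, so a group name
# is resolved with getent here instead of being written into fstab.
fstab_line() {   # fstab_line LEVEL [GROUP-NAME-OR-GID]
  level=$1 group=$2
  case "$level" in
    0|1|2|4) ;;
    *) echo "invalid hidepid level: $level" >&2; return 1 ;;
  esac
  if [ -z "$group" ]; then
    printf 'proc /proc proc defaults,hidepid=%s 0 0\n' "$level"
    return 0
  fi
  case "$group" in
    *[!0-9]*) gid=$(getent group "$group" | cut -d: -f3)
              [ -n "$gid" ] || { echo "no such group: $group" >&2; return 1; } ;;
    *)        gid=$group ;;
  esac
  printf 'proc /proc proc defaults,hidepid=%s,gid=%s 0 0\n' "$level" "$gid"
}

# Count /proc/PID directories owned by someone else. Run as an ordinary user:
# a large number means hidepid=0 or 1 is in effect (the directories are still
# listed), zero means hidepid=2 hides them. Requires GNU stat.
foreign_proc_dirs() {
  me=$(id -u) n=0
  for d in /proc/[0-9]*; do
    [ -d "$d" ] || continue
    [ "$(stat -c %u "$d" 2>/dev/null)" = "$me" ] || n=$((n + 1))
  done
  echo "$n"
}

# When saved as hidepid-audit.sh and executed directly: show the live state,
# print the fstab line for hidepid=2 with the exempt group given as $1
# (default: GID 1001, the sample value used in the article), and count what
# the current user can still see.
if [ "${0##*/}" = "hidepid-audit.sh" ]; then
  audit_hidepid
  fstab_line 2 "${1:-1001}"
  echo "process dirs owned by other users visible to $(id -un): $(foreign_proc_dirs)"
fi
```

Run it once as an unprivileged user before and after the remount: the foreign-directory count should drop from the size of the system's process table to zero, and audit_hidepid should report hidepid=2 (invisible) with the intended exempt GID. A live /proc/mounts line for a hardened system looks like "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0" (a constructed sample); on a 5.8+ kernel the same mount may be reported as hidepid=invisible, which the script normalizes.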

To look up a group's GID (the id command takes a user name, not a group name, so use getent for groups):

# getent group admin

To look up a user's UID, primary GID and group memberships:

# id username

For full usage of the id command, see man id.