Ytdyklly

The command hidepid is used to prevent users from seeing all processes that do not belong to them, but it doesn't offer the possibility of selecting a specific process. Is it possible to hide only one process on a Linux machine?

A bit dirty, and there is probably a cleaner solution (maybe using SELinux or grsec), but you can hide a process by mounting an empty directory inside of /proc/<pid>.

For example, something like this:

mount -o bind /empty/dir /proc/42

will prevent regular users from seeing process 42.

They will, however, see that something is hidden as they will be able to see the mount point.

If you want to do this for a service you would have to do this every time it is started, using its init script or whatever.

If you want to hide the pid only from a specific user, you could play with namespaces (maybe using pam_namespace) to have the mount bind done only in the namespace of the target user.

Since kernel 3.3 it has implemented something to make what you need.

According PROC(5):

hidepid=n (since Linux 3.3)

              This option controls who can access the information  in  /proc/[pid]  directories.

              The argument, n, is one of the following values:



              0   Everybody may access all /proc/[pid] directories.  This is the traditional be‐

                  havior, and the default if this mount option is not specified.



              1   Users may not access files and subdirectories inside any /proc/[pid]  directo‐

                  ries  but  their  own (the /proc/[pid] directories themselves remain visible).

                  Sensitive files such as /proc/[pid]/cmdline  and  /proc/[pid]/status  are  now

                  protected  against other users.  This makes it impossible to learn whether any

                  user is running a specific program (so long as the program  doesn't  otherwise

                  reveal itself by its behavior).



              2   As  for mode 1, but in addition the /proc/[pid] directories belonging to other

                  users become invisible.  This means that /proc/[pid] entries can no longer  be

                  used  to  discover  the PIDs on the system.  This doesn't hide the fact that a

                  process with a specific PID value exists (it can be learned  by  other  means,

                  for  example,  by "kill -0 $PID"), but it hides a process's UID and GID, which

                  could otherwise be learned by employing stat(2) on  a  /proc/[pid]  directory.

                  This  greatly  complicates  an  attacker's task of gathering information about

                  running processes (e.g., discovering whether some daemon is running with  ele‐

                  vated  privileges,  whether  another  user  is running some sensitive program,

                  whether other users are running any program at all, and so on).



       gid=gid (since Linux 3.3)

              Specifies the ID of a group whose members are authorized to learn process informa‐

              tion  otherwise  prohibited by hidepid (i.e., users in this group behave as though

              /proc was mounted with hidepid=0).  This group  should  be  used  instead  of  ap‐

              proaches such as putting nonroot users into the sudoers(5) file.

That's useful because you can choose who can read /proc/PID.

So in case you want to try it remember to remount /proc according your needs:

--practical case:

: su -

Password: 

root@foo:~# mount -o remount,hidepid=2 /proc

root@foo:~# exit

logout

:ps aux

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND

tntx          709  0.0  0.1  33980  8012 tty2      S   18:12   0:00 irssi

tntx          746  0.0  0.0   8868  3880 tty1     S    18:13   0:00 -ksh93

So now I have no way to see other process than mine via PS(1) or lsof(8)