How to hide a specific process?












2














The command hidepid is used to prevent users from seeing all processes that do not belong to them, but it doesn't offer the possibility of selecting a specific process. Is it possible to hide only one process on a Linux machine?










share|improve this question
























  • Which version of Linux are you using? Or do you need one that works on multiple distros?
    – Peter David Carter
    May 3 '16 at 17:39










  • @PeterDavidCarter Debian jessie.
    – GAD3R
    May 3 '16 at 17:40
















2














The command hidepid is used to prevent users from seeing all processes that do not belong to them, but it doesn't offer the possibility of selecting a specific process. Is it possible to hide only one process on a Linux machine?










share|improve this question
























  • Which version of Linux are you using? Or do you need one that works on multiple distros?
    – Peter David Carter
    May 3 '16 at 17:39










  • @PeterDavidCarter Debian jessie.
    – GAD3R
    May 3 '16 at 17:40














2












2








2


2





The command hidepid is used to prevent users from seeing all processes that do not belong to them, but it doesn't offer the possibility of selecting a specific process. Is it possible to hide only one process on a Linux machine?










share|improve this question















The command hidepid is used to prevent users from seeing all processes that do not belong to them, but it doesn't offer the possibility of selecting a specific process. Is it possible to hide only one process on a Linux machine?







linux debian process






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited May 3 '16 at 17:40







GAD3R

















asked May 3 '16 at 17:28









GAD3RGAD3R

25.6k1750107




25.6k1750107












  • Which version of Linux are you using? Or do you need one that works on multiple distros?
    – Peter David Carter
    May 3 '16 at 17:39










  • @PeterDavidCarter Debian jessie.
    – GAD3R
    May 3 '16 at 17:40


















  • Which version of Linux are you using? Or do you need one that works on multiple distros?
    – Peter David Carter
    May 3 '16 at 17:39










  • @PeterDavidCarter Debian jessie.
    – GAD3R
    May 3 '16 at 17:40
















Which version of Linux are you using? Or do you need one that works on multiple distros?
– Peter David Carter
May 3 '16 at 17:39




Which version of Linux are you using? Or do you need one that works on multiple distros?
– Peter David Carter
May 3 '16 at 17:39












@PeterDavidCarter Debian jessie.
– GAD3R
May 3 '16 at 17:40




@PeterDavidCarter Debian jessie.
– GAD3R
May 3 '16 at 17:40










2 Answers
2






active

oldest

votes


















5














A bit dirty, and there is probably a cleaner solution (maybe using SELinux or grsec), but you can hide a process by mounting an empty directory inside of /proc/<pid>.



For example, something like this:



mount -o bind /empty/dir /proc/42


will prevent regular users from seeing process 42.



They will, however, see that something is hidden as they will be able to see the mount point.



If you want to do this for a service you would have to do this every time it is started, using its init script or whatever.



If you want to hide the pid only from a specific user, you could play with namespaces (maybe using pam_namespace) to have the mount bind done only in the namespace of the target user.






share|improve this answer























  • What's the command to reverse this?
    – Avery235
    Mar 10 '18 at 13:37










  • What are the ways for them to see the mount point?
    – Avery235
    Mar 31 '18 at 5:04





















1














Since kernel 3.3 it has implemented something to make what you need.



According PROC(5):



hidepid=n (since Linux 3.3)
This option controls who can access the information in /proc/[pid] directories.
The argument, n, is one of the following values:

0 Everybody may access all /proc/[pid] directories. This is the traditional be‐
havior, and the default if this mount option is not specified.

1 Users may not access files and subdirectories inside any /proc/[pid] directo‐
ries but their own (the /proc/[pid] directories themselves remain visible).
Sensitive files such as /proc/[pid]/cmdline and /proc/[pid]/status are now
protected against other users. This makes it impossible to learn whether any
user is running a specific program (so long as the program doesn't otherwise
reveal itself by its behavior).

2 As for mode 1, but in addition the /proc/[pid] directories belonging to other
users become invisible. This means that /proc/[pid] entries can no longer be
used to discover the PIDs on the system. This doesn't hide the fact that a
process with a specific PID value exists (it can be learned by other means,
for example, by "kill -0 $PID"), but it hides a process's UID and GID, which
could otherwise be learned by employing stat(2) on a /proc/[pid] directory.
This greatly complicates an attacker's task of gathering information about
running processes (e.g., discovering whether some daemon is running with ele‐
vated privileges, whether another user is running some sensitive program,
whether other users are running any program at all, and so on).

gid=gid (since Linux 3.3)
Specifies the ID of a group whose members are authorized to learn process informa‐
tion otherwise prohibited by hidepid (i.e., users in this group behave as though
/proc was mounted with hidepid=0). This group should be used instead of ap‐
proaches such as putting nonroot users into the sudoers(5) file.


That's useful because you can choose who can read /proc/PID.



So in case you want to try it remember to remount /proc according your needs:



--practical case:



: su -
Password:
root@foo:~# mount -o remount,hidepid=2 /proc
root@foo:~# exit
logout
:ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
tntx 709 0.0 0.1 33980 8012 tty2 S 18:12 0:00 irssi
tntx 746 0.0 0.0 8868 3880 tty1 S 18:13 0:00 -ksh93


So now I have no way to see other process than mine via PS(1) or lsof(8)






share|improve this answer





















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "106"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f280860%2fhow-to-hide-a-specific-process%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    5














    A bit dirty, and there is probably a cleaner solution (maybe using SELinux or grsec), but you can hide a process by mounting an empty directory inside of /proc/<pid>.



    For example, something like this:



    mount -o bind /empty/dir /proc/42


    will prevent regular users from seeing process 42.



    They will, however, see that something is hidden as they will be able to see the mount point.



    If you want to do this for a service you would have to do this every time it is started, using its init script or whatever.



    If you want to hide the pid only from a specific user, you could play with namespaces (maybe using pam_namespace) to have the mount bind done only in the namespace of the target user.






    share|improve this answer























    • What's the command to reverse this?
      – Avery235
      Mar 10 '18 at 13:37










    • What are the ways for them to see the mount point?
      – Avery235
      Mar 31 '18 at 5:04


















    5














    A bit dirty, and there is probably a cleaner solution (maybe using SELinux or grsec), but you can hide a process by mounting an empty directory inside of /proc/<pid>.



    For example, something like this:



    mount -o bind /empty/dir /proc/42


    will prevent regular users from seeing process 42.



    They will, however, see that something is hidden as they will be able to see the mount point.



    If you want to do this for a service you would have to do this every time it is started, using its init script or whatever.



    If you want to hide the pid only from a specific user, you could play with namespaces (maybe using pam_namespace) to have the mount bind done only in the namespace of the target user.






    share|improve this answer























    • What's the command to reverse this?
      – Avery235
      Mar 10 '18 at 13:37










    • What are the ways for them to see the mount point?
      – Avery235
      Mar 31 '18 at 5:04
















    5












    5








    5






    A bit dirty, and there is probably a cleaner solution (maybe using SELinux or grsec), but you can hide a process by mounting an empty directory inside of /proc/<pid>.



    For example, something like this:



    mount -o bind /empty/dir /proc/42


    will prevent regular users from seeing process 42.



    They will, however, see that something is hidden as they will be able to see the mount point.



    If you want to do this for a service you would have to do this every time it is started, using its init script or whatever.



    If you want to hide the pid only from a specific user, you could play with namespaces (maybe using pam_namespace) to have the mount bind done only in the namespace of the target user.






    share|improve this answer














    A bit dirty, and there is probably a cleaner solution (maybe using SELinux or grsec), but you can hide a process by mounting an empty directory inside of /proc/<pid>.



    For example, something like this:



    mount -o bind /empty/dir /proc/42


    will prevent regular users from seeing process 42.



    They will, however, see that something is hidden as they will be able to see the mount point.



    If you want to do this for a service you would have to do this every time it is started, using its init script or whatever.



    If you want to hide the pid only from a specific user, you could play with namespaces (maybe using pam_namespace) to have the mount bind done only in the namespace of the target user.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 2 days ago









    Jeff Schaller

    39k1053125




    39k1053125










    answered May 3 '16 at 17:57









    user60039user60039

    49638




    49638












    • What's the command to reverse this?
      – Avery235
      Mar 10 '18 at 13:37










    • What are the ways for them to see the mount point?
      – Avery235
      Mar 31 '18 at 5:04




















    • What's the command to reverse this?
      – Avery235
      Mar 10 '18 at 13:37










    • What are the ways for them to see the mount point?
      – Avery235
      Mar 31 '18 at 5:04


















    What's the command to reverse this?
    – Avery235
    Mar 10 '18 at 13:37




    What's the command to reverse this?
    – Avery235
    Mar 10 '18 at 13:37












    What are the ways for them to see the mount point?
    – Avery235
    Mar 31 '18 at 5:04






    What are the ways for them to see the mount point?
    – Avery235
    Mar 31 '18 at 5:04















    1














    Since kernel 3.3 it has implemented something to make what you need.



    According PROC(5):



    hidepid=n (since Linux 3.3)
    This option controls who can access the information in /proc/[pid] directories.
    The argument, n, is one of the following values:

    0 Everybody may access all /proc/[pid] directories. This is the traditional be‐
    havior, and the default if this mount option is not specified.

    1 Users may not access files and subdirectories inside any /proc/[pid] directo‐
    ries but their own (the /proc/[pid] directories themselves remain visible).
    Sensitive files such as /proc/[pid]/cmdline and /proc/[pid]/status are now
    protected against other users. This makes it impossible to learn whether any
    user is running a specific program (so long as the program doesn't otherwise
    reveal itself by its behavior).

    2 As for mode 1, but in addition the /proc/[pid] directories belonging to other
    users become invisible. This means that /proc/[pid] entries can no longer be
    used to discover the PIDs on the system. This doesn't hide the fact that a
    process with a specific PID value exists (it can be learned by other means,
    for example, by "kill -0 $PID"), but it hides a process's UID and GID, which
    could otherwise be learned by employing stat(2) on a /proc/[pid] directory.
    This greatly complicates an attacker's task of gathering information about
    running processes (e.g., discovering whether some daemon is running with ele‐
    vated privileges, whether another user is running some sensitive program,
    whether other users are running any program at all, and so on).

    gid=gid (since Linux 3.3)
    Specifies the ID of a group whose members are authorized to learn process informa‐
    tion otherwise prohibited by hidepid (i.e., users in this group behave as though
    /proc was mounted with hidepid=0). This group should be used instead of ap‐
    proaches such as putting nonroot users into the sudoers(5) file.


    That's useful because you can choose who can read /proc/PID.



    So in case you want to try it remember to remount /proc according your needs:



    --practical case:



    : su -
    Password:
    root@foo:~# mount -o remount,hidepid=2 /proc
    root@foo:~# exit
    logout
    :ps aux
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    tntx 709 0.0 0.1 33980 8012 tty2 S 18:12 0:00 irssi
    tntx 746 0.0 0.0 8868 3880 tty1 S 18:13 0:00 -ksh93


    So now I have no way to see other process than mine via PS(1) or lsof(8)






    share|improve this answer


























      1














      Since kernel 3.3 it has implemented something to make what you need.



      According PROC(5):



      hidepid=n (since Linux 3.3)
      This option controls who can access the information in /proc/[pid] directories.
      The argument, n, is one of the following values:

      0 Everybody may access all /proc/[pid] directories. This is the traditional be‐
      havior, and the default if this mount option is not specified.

      1 Users may not access files and subdirectories inside any /proc/[pid] directo‐
      ries but their own (the /proc/[pid] directories themselves remain visible).
      Sensitive files such as /proc/[pid]/cmdline and /proc/[pid]/status are now
      protected against other users. This makes it impossible to learn whether any
      user is running a specific program (so long as the program doesn't otherwise
      reveal itself by its behavior).

      2 As for mode 1, but in addition the /proc/[pid] directories belonging to other
      users become invisible. This means that /proc/[pid] entries can no longer be
      used to discover the PIDs on the system. This doesn't hide the fact that a
      process with a specific PID value exists (it can be learned by other means,
      for example, by "kill -0 $PID"), but it hides a process's UID and GID, which
      could otherwise be learned by employing stat(2) on a /proc/[pid] directory.
      This greatly complicates an attacker's task of gathering information about
      running processes (e.g., discovering whether some daemon is running with ele‐
      vated privileges, whether another user is running some sensitive program,
      whether other users are running any program at all, and so on).

      gid=gid (since Linux 3.3)
      Specifies the ID of a group whose members are authorized to learn process informa‐
      tion otherwise prohibited by hidepid (i.e., users in this group behave as though
      /proc was mounted with hidepid=0). This group should be used instead of ap‐
      proaches such as putting nonroot users into the sudoers(5) file.


      That's useful because you can choose who can read /proc/PID.



      So in case you want to try it remember to remount /proc according your needs:



      --practical case:



      : su -
      Password:
      root@foo:~# mount -o remount,hidepid=2 /proc
      root@foo:~# exit
      logout
      :ps aux
      USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
      tntx 709 0.0 0.1 33980 8012 tty2 S 18:12 0:00 irssi
      tntx 746 0.0 0.0 8868 3880 tty1 S 18:13 0:00 -ksh93


      So now I have no way to see other process than mine via PS(1) or lsof(8)






      share|improve this answer
























        1












        1








        1






        Since kernel 3.3 it has implemented something to make what you need.



        According PROC(5):



        hidepid=n (since Linux 3.3)
        This option controls who can access the information in /proc/[pid] directories.
        The argument, n, is one of the following values:

        0 Everybody may access all /proc/[pid] directories. This is the traditional be‐
        havior, and the default if this mount option is not specified.

        1 Users may not access files and subdirectories inside any /proc/[pid] directo‐
        ries but their own (the /proc/[pid] directories themselves remain visible).
        Sensitive files such as /proc/[pid]/cmdline and /proc/[pid]/status are now
        protected against other users. This makes it impossible to learn whether any
        user is running a specific program (so long as the program doesn't otherwise
        reveal itself by its behavior).

        2 As for mode 1, but in addition the /proc/[pid] directories belonging to other
        users become invisible. This means that /proc/[pid] entries can no longer be
        used to discover the PIDs on the system. This doesn't hide the fact that a
        process with a specific PID value exists (it can be learned by other means,
        for example, by "kill -0 $PID"), but it hides a process's UID and GID, which
        could otherwise be learned by employing stat(2) on a /proc/[pid] directory.
        This greatly complicates an attacker's task of gathering information about
        running processes (e.g., discovering whether some daemon is running with ele‐
        vated privileges, whether another user is running some sensitive program,
        whether other users are running any program at all, and so on).

        gid=gid (since Linux 3.3)
        Specifies the ID of a group whose members are authorized to learn process informa‐
        tion otherwise prohibited by hidepid (i.e., users in this group behave as though
        /proc was mounted with hidepid=0). This group should be used instead of ap‐
        proaches such as putting nonroot users into the sudoers(5) file.


        That's useful because you can choose who can read /proc/PID.



        So in case you want to try it remember to remount /proc according your needs:



        --practical case:



        : su -
        Password:
        root@foo:~# mount -o remount,hidepid=2 /proc
        root@foo:~# exit
        logout
        :ps aux
        USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        tntx 709 0.0 0.1 33980 8012 tty2 S 18:12 0:00 irssi
        tntx 746 0.0 0.0 8868 3880 tty1 S 18:13 0:00 -ksh93


        So now I have no way to see other process than mine via PS(1) or lsof(8)






        share|improve this answer












        Since kernel 3.3 it has implemented something to make what you need.



        According PROC(5):



        hidepid=n (since Linux 3.3)
        This option controls who can access the information in /proc/[pid] directories.
        The argument, n, is one of the following values:

        0 Everybody may access all /proc/[pid] directories. This is the traditional be‐
        havior, and the default if this mount option is not specified.

        1 Users may not access files and subdirectories inside any /proc/[pid] directo‐
        ries but their own (the /proc/[pid] directories themselves remain visible).
        Sensitive files such as /proc/[pid]/cmdline and /proc/[pid]/status are now
        protected against other users. This makes it impossible to learn whether any
        user is running a specific program (so long as the program doesn't otherwise
        reveal itself by its behavior).

        2 As for mode 1, but in addition the /proc/[pid] directories belonging to other
        users become invisible. This means that /proc/[pid] entries can no longer be
        used to discover the PIDs on the system. This doesn't hide the fact that a
        process with a specific PID value exists (it can be learned by other means,
        for example, by "kill -0 $PID"), but it hides a process's UID and GID, which
        could otherwise be learned by employing stat(2) on a /proc/[pid] directory.
        This greatly complicates an attacker's task of gathering information about
        running processes (e.g., discovering whether some daemon is running with ele‐
        vated privileges, whether another user is running some sensitive program,
        whether other users are running any program at all, and so on).

        gid=gid (since Linux 3.3)
        Specifies the ID of a group whose members are authorized to learn process informa‐
        tion otherwise prohibited by hidepid (i.e., users in this group behave as though
        /proc was mounted with hidepid=0). This group should be used instead of ap‐
        proaches such as putting nonroot users into the sudoers(5) file.


        That's useful because you can choose who can read /proc/PID.



        So in case you want to try it remember to remount /proc according your needs:



        --practical case:



        : su -
        Password:
        root@foo:~# mount -o remount,hidepid=2 /proc
        root@foo:~# exit
        logout
        :ps aux
        USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        tntx 709 0.0 0.1 33980 8012 tty2 S 18:12 0:00 irssi
        tntx 746 0.0 0.0 8868 3880 tty1 S 18:13 0:00 -ksh93


        So now I have no way to see other process than mine via PS(1) or lsof(8)







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 2 days ago









        tntxtntx

        642




        642






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f280860%2fhow-to-hide-a-specific-process%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to make a Squid Proxy server?

            Is this a new Fibonacci Identity?

            19世紀