How to hide a specific process?
The command hidepid is used to prevent users from seeing all processes that do not belong to them, but it doesn't offer the possibility of selecting a specific process. Is it possible to hide only one process on a Linux machine?
linux debian process
asked May 3 '16 at 17:28
GAD3RGAD3R
25.6k1750107
add a comment |
The command hidepid is used to prevent users from seeing all processes that do not belong to them, but it doesn't offer the possibility of selecting a specific process. Is it possible to hide only one process on a Linux machine?
linux debian process
asked May 3 '16 at 17:28
GAD3RGAD3R
25.6k1750107
Which version of Linux are you using? Or do you need one that works on multiple distros?
– Peter David Carter
May 3 '16 at 17:39
@PeterDavidCarter Debian jessie.
– GAD3R
May 3 '16 at 17:40
add a comment |
The command hidepid is used to prevent users from seeing all processes that do not belong to them, but it doesn't offer the possibility of selecting a specific process. Is it possible to hide only one process on a Linux machine?
linux debian process
asked May 3 '16 at 17:28
GAD3RGAD3R
25.6k1750107
The command hidepid is used to prevent users from seeing all processes that do not belong to them, but it doesn't offer the possibility of selecting a specific process. Is it possible to hide only one process on a Linux machine?
linux debian process
linux debian process
asked May 3 '16 at 17:28
GAD3RGAD3R
25.6k1750107
asked May 3 '16 at 17:28
GAD3RGAD3R
25.6k1750107
edited May 3 '16 at 17:40
GAD3R
asked May 3 '16 at 17:28
GAD3RGAD3R
25.6k1750107
asked May 3 '16 at 17:28
GAD3RGAD3R
25.6k1750107
asked May 3 '16 at 17:28
GAD3RGAD3R
25.6k1750107
25.6k1750107
Which version of Linux are you using? Or do you need one that works on multiple distros?
– Peter David Carter
May 3 '16 at 17:39
@PeterDavidCarter Debian jessie.
– GAD3R
May 3 '16 at 17:40
add a comment |
Which version of Linux are you using? Or do you need one that works on multiple distros?
– Peter David Carter
May 3 '16 at 17:39
@PeterDavidCarter Debian jessie.
– GAD3R
May 3 '16 at 17:40
Which version of Linux are you using? Or do you need one that works on multiple distros?
– Peter David Carter
May 3 '16 at 17:39
Which version of Linux are you using? Or do you need one that works on multiple distros?
– Peter David Carter
May 3 '16 at 17:39
@PeterDavidCarter Debian jessie.
– GAD3R
May 3 '16 at 17:40
@PeterDavidCarter Debian jessie.
– GAD3R
May 3 '16 at 17:40
add a comment |
2 Answers
2
active
oldest
votes
A bit dirty, and there is probably a cleaner solution (maybe using SELinux or grsec), but you can hide a process by mounting an empty directory inside of /proc/<pid>.
For example, something like this:
mount -o bind /empty/dir /proc/42
will prevent regular users from seeing process 42.
They will, however, see that something is hidden as they will be able to see the mount point.
If you want to do this for a service you would have to do this every time it is started, using its init script or whatever.
If you want to hide the pid only from a specific user, you could play with namespaces (maybe using pam_namespace) to have the mount bind done only in the namespace of the target user.
edited 2 days ago
Jeff Schaller
39k1053125
answered May 3 '16 at 17:57
user60039user60039
49638
What's the command to reverse this?
– Avery235
Mar 10 '18 at 13:37
What are the ways for them to see the mount point?
– Avery235
Mar 31 '18 at 5:04
add a comment |
Since kernel 3.3 it has implemented something to make what you need.
According PROC(5):
hidepid=n (since Linux 3.3)
This option controls who can access the information in /proc/[pid] directories.
The argument, n, is one of the following values:
0 Everybody may access all /proc/[pid] directories. This is the traditional be‐
havior, and the default if this mount option is not specified.
1 Users may not access files and subdirectories inside any /proc/[pid] directo‐
ries but their own (the /proc/[pid] directories themselves remain visible).
Sensitive files such as /proc/[pid]/cmdline and /proc/[pid]/status are now
protected against other users. This makes it impossible to learn whether any
user is running a specific program (so long as the program doesn't otherwise
reveal itself by its behavior).
2 As for mode 1, but in addition the /proc/[pid] directories belonging to other
users become invisible. This means that /proc/[pid] entries can no longer be
used to discover the PIDs on the system. This doesn't hide the fact that a
process with a specific PID value exists (it can be learned by other means,
for example, by "kill -0 $PID"), but it hides a process's UID and GID, which
could otherwise be learned by employing stat(2) on a /proc/[pid] directory.
This greatly complicates an attacker's task of gathering information about
running processes (e.g., discovering whether some daemon is running with ele‐
vated privileges, whether another user is running some sensitive program,
whether other users are running any program at all, and so on).
gid=gid (since Linux 3.3)
Specifies the ID of a group whose members are authorized to learn process informa‐
tion otherwise prohibited by hidepid (i.e., users in this group behave as though
/proc was mounted with hidepid=0). This group should be used instead of ap‐
proaches such as putting nonroot users into the sudoers(5) file.
That's useful because you can choose who can read /proc/PID.
So in case you want to try it remember to remount /proc according your needs:
--practical case:
: su -
Password:
root@foo:~# mount -o remount,hidepid=2 /proc
root@foo:~# exit
logout
:ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
tntx 709 0.0 0.1 33980 8012 tty2 S 18:12 0:00 irssi
tntx 746 0.0 0.0 8868 3880 tty1 S 18:13 0:00 -ksh93
So now I have no way to see other process than mine via PS(1) or lsof(8)
answered 2 days ago
tntxtntx
642
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f280860%2fhow-to-hide-a-specific-process%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
A bit dirty, and there is probably a cleaner solution (maybe using SELinux or grsec), but you can hide a process by mounting an empty directory inside of /proc/<pid>.
For example, something like this:
mount -o bind /empty/dir /proc/42
will prevent regular users from seeing process 42.
They will, however, see that something is hidden as they will be able to see the mount point.
If you want to do this for a service you would have to do this every time it is started, using its init script or whatever.
If you want to hide the pid only from a specific user, you could play with namespaces (maybe using pam_namespace) to have the mount bind done only in the namespace of the target user.
edited 2 days ago
Jeff Schaller
39k1053125
answered May 3 '16 at 17:57
user60039user60039
49638
What's the command to reverse this?
– Avery235
Mar 10 '18 at 13:37
What are the ways for them to see the mount point?
– Avery235
Mar 31 '18 at 5:04
add a comment |
A bit dirty, and there is probably a cleaner solution (maybe using SELinux or grsec), but you can hide a process by mounting an empty directory inside of /proc/<pid>.
For example, something like this:
mount -o bind /empty/dir /proc/42
will prevent regular users from seeing process 42.
They will, however, see that something is hidden as they will be able to see the mount point.
If you want to do this for a service you would have to do this every time it is started, using its init script or whatever.
If you want to hide the pid only from a specific user, you could play with namespaces (maybe using pam_namespace) to have the mount bind done only in the namespace of the target user.
edited 2 days ago
Jeff Schaller
39k1053125
answered May 3 '16 at 17:57
user60039user60039
49638
What's the command to reverse this?
– Avery235
Mar 10 '18 at 13:37
What are the ways for them to see the mount point?
– Avery235
Mar 31 '18 at 5:04
add a comment |
A bit dirty, and there is probably a cleaner solution (maybe using SELinux or grsec), but you can hide a process by mounting an empty directory inside of /proc/<pid>.
For example, something like this:
mount -o bind /empty/dir /proc/42
will prevent regular users from seeing process 42.
They will, however, see that something is hidden as they will be able to see the mount point.
If you want to do this for a service you would have to do this every time it is started, using its init script or whatever.
If you want to hide the pid only from a specific user, you could play with namespaces (maybe using pam_namespace) to have the mount bind done only in the namespace of the target user.
edited 2 days ago
Jeff Schaller
39k1053125
answered May 3 '16 at 17:57
user60039user60039
49638
A bit dirty, and there is probably a cleaner solution (maybe using SELinux or grsec), but you can hide a process by mounting an empty directory inside of /proc/<pid>.
For example, something like this:
mount -o bind /empty/dir /proc/42
will prevent regular users from seeing process 42.
They will, however, see that something is hidden as they will be able to see the mount point.
If you want to do this for a service you would have to do this every time it is started, using its init script or whatever.
If you want to hide the pid only from a specific user, you could play with namespaces (maybe using pam_namespace) to have the mount bind done only in the namespace of the target user.
edited 2 days ago
Jeff Schaller
39k1053125
answered May 3 '16 at 17:57
user60039user60039
49638
edited 2 days ago
Jeff Schaller
39k1053125
edited 2 days ago
Jeff Schaller
39k1053125
edited 2 days ago
Jeff Schaller
39k1053125
39k1053125
answered May 3 '16 at 17:57
user60039user60039
49638
answered May 3 '16 at 17:57
user60039user60039
49638
answered May 3 '16 at 17:57
user60039user60039
49638
49638
What's the command to reverse this?
– Avery235
Mar 10 '18 at 13:37
What are the ways for them to see the mount point?
– Avery235
Mar 31 '18 at 5:04
add a comment |
What's the command to reverse this?
– Avery235
Mar 10 '18 at 13:37
What are the ways for them to see the mount point?
– Avery235
Mar 31 '18 at 5:04
What's the command to reverse this?
– Avery235
Mar 10 '18 at 13:37
What's the command to reverse this?
– Avery235
Mar 10 '18 at 13:37
What are the ways for them to see the mount point?
– Avery235
Mar 31 '18 at 5:04
What are the ways for them to see the mount point?
– Avery235
Mar 31 '18 at 5:04
add a comment |
Since kernel 3.3 it has implemented something to make what you need.
According PROC(5):
hidepid=n (since Linux 3.3)
This option controls who can access the information in /proc/[pid] directories.
The argument, n, is one of the following values:
0 Everybody may access all /proc/[pid] directories. This is the traditional be‐
havior, and the default if this mount option is not specified.
1 Users may not access files and subdirectories inside any /proc/[pid] directo‐
ries but their own (the /proc/[pid] directories themselves remain visible).
Sensitive files such as /proc/[pid]/cmdline and /proc/[pid]/status are now
protected against other users. This makes it impossible to learn whether any
user is running a specific program (so long as the program doesn't otherwise
reveal itself by its behavior).
2 As for mode 1, but in addition the /proc/[pid] directories belonging to other
users become invisible. This means that /proc/[pid] entries can no longer be
used to discover the PIDs on the system. This doesn't hide the fact that a
process with a specific PID value exists (it can be learned by other means,
for example, by "kill -0 $PID"), but it hides a process's UID and GID, which
could otherwise be learned by employing stat(2) on a /proc/[pid] directory.
This greatly complicates an attacker's task of gathering information about
running processes (e.g., discovering whether some daemon is running with ele‐
vated privileges, whether another user is running some sensitive program,
whether other users are running any program at all, and so on).
gid=gid (since Linux 3.3)
Specifies the ID of a group whose members are authorized to learn process informa‐
tion otherwise prohibited by hidepid (i.e., users in this group behave as though
/proc was mounted with hidepid=0). This group should be used instead of ap‐
proaches such as putting nonroot users into the sudoers(5) file.
That's useful because you can choose who can read /proc/PID.
So in case you want to try it remember to remount /proc according your needs:
--practical case:
: su -
Password:
root@foo:~# mount -o remount,hidepid=2 /proc
root@foo:~# exit
logout
:ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
tntx 709 0.0 0.1 33980 8012 tty2 S 18:12 0:00 irssi
tntx 746 0.0 0.0 8868 3880 tty1 S 18:13 0:00 -ksh93
So now I have no way to see other process than mine via PS(1) or lsof(8)
answered 2 days ago
tntxtntx
642
add a comment |
Since kernel 3.3 it has implemented something to make what you need.
According PROC(5):
hidepid=n (since Linux 3.3)
This option controls who can access the information in /proc/[pid] directories.
The argument, n, is one of the following values:
0 Everybody may access all /proc/[pid] directories. This is the traditional be‐
havior, and the default if this mount option is not specified.
1 Users may not access files and subdirectories inside any /proc/[pid] directo‐
ries but their own (the /proc/[pid] directories themselves remain visible).
Sensitive files such as /proc/[pid]/cmdline and /proc/[pid]/status are now
protected against other users. This makes it impossible to learn whether any
user is running a specific program (so long as the program doesn't otherwise
reveal itself by its behavior).
2 As for mode 1, but in addition the /proc/[pid] directories belonging to other
users become invisible. This means that /proc/[pid] entries can no longer be
used to discover the PIDs on the system. This doesn't hide the fact that a
process with a specific PID value exists (it can be learned by other means,
for example, by "kill -0 $PID"), but it hides a process's UID and GID, which
could otherwise be learned by employing stat(2) on a /proc/[pid] directory.
This greatly complicates an attacker's task of gathering information about
running processes (e.g., discovering whether some daemon is running with ele‐
vated privileges, whether another user is running some sensitive program,
whether other users are running any program at all, and so on).
gid=gid (since Linux 3.3)
Specifies the ID of a group whose members are authorized to learn process informa‐
tion otherwise prohibited by hidepid (i.e., users in this group behave as though
/proc was mounted with hidepid=0). This group should be used instead of ap‐
proaches such as putting nonroot users into the sudoers(5) file.
That's useful because you can choose who can read /proc/PID.
So in case you want to try it remember to remount /proc according your needs:
--practical case:
: su -
Password:
root@foo:~# mount -o remount,hidepid=2 /proc
root@foo:~# exit
logout
:ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
tntx 709 0.0 0.1 33980 8012 tty2 S 18:12 0:00 irssi
tntx 746 0.0 0.0 8868 3880 tty1 S 18:13 0:00 -ksh93
So now I have no way to see other process than mine via PS(1) or lsof(8)
answered 2 days ago
tntxtntx
642
add a comment |
Since kernel 3.3 it has implemented something to make what you need.
According PROC(5):
hidepid=n (since Linux 3.3)
This option controls who can access the information in /proc/[pid] directories.
The argument, n, is one of the following values:
0 Everybody may access all /proc/[pid] directories. This is the traditional be‐
havior, and the default if this mount option is not specified.
1 Users may not access files and subdirectories inside any /proc/[pid] directo‐
ries but their own (the /proc/[pid] directories themselves remain visible).
Sensitive files such as /proc/[pid]/cmdline and /proc/[pid]/status are now
protected against other users. This makes it impossible to learn whether any
user is running a specific program (so long as the program doesn't otherwise
reveal itself by its behavior).
2 As for mode 1, but in addition the /proc/[pid] directories belonging to other
users become invisible. This means that /proc/[pid] entries can no longer be
used to discover the PIDs on the system. This doesn't hide the fact that a
process with a specific PID value exists (it can be learned by other means,
for example, by "kill -0 $PID"), but it hides a process's UID and GID, which
could otherwise be learned by employing stat(2) on a /proc/[pid] directory.
This greatly complicates an attacker's task of gathering information about
running processes (e.g., discovering whether some daemon is running with ele‐
vated privileges, whether another user is running some sensitive program,
whether other users are running any program at all, and so on).
gid=gid (since Linux 3.3)
Specifies the ID of a group whose members are authorized to learn process informa‐
tion otherwise prohibited by hidepid (i.e., users in this group behave as though
/proc was mounted with hidepid=0). This group should be used instead of ap‐
proaches such as putting nonroot users into the sudoers(5) file.
That's useful because you can choose who can read /proc/PID.
So in case you want to try it remember to remount /proc according your needs:
--practical case:
: su -
Password:
root@foo:~# mount -o remount,hidepid=2 /proc
root@foo:~# exit
logout
:ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
tntx 709 0.0 0.1 33980 8012 tty2 S 18:12 0:00 irssi
tntx 746 0.0 0.0 8868 3880 tty1 S 18:13 0:00 -ksh93
So now I have no way to see other process than mine via PS(1) or lsof(8)
answered 2 days ago
tntxtntx
642
Since kernel 3.3 it has implemented something to make what you need.
According PROC(5):
hidepid=n (since Linux 3.3)
This option controls who can access the information in /proc/[pid] directories.
The argument, n, is one of the following values:
0 Everybody may access all /proc/[pid] directories. This is the traditional be‐
havior, and the default if this mount option is not specified.
1 Users may not access files and subdirectories inside any /proc/[pid] directo‐
ries but their own (the /proc/[pid] directories themselves remain visible).
Sensitive files such as /proc/[pid]/cmdline and /proc/[pid]/status are now
protected against other users. This makes it impossible to learn whether any
user is running a specific program (so long as the program doesn't otherwise
reveal itself by its behavior).
2 As for mode 1, but in addition the /proc/[pid] directories belonging to other
users become invisible. This means that /proc/[pid] entries can no longer be
used to discover the PIDs on the system. This doesn't hide the fact that a
process with a specific PID value exists (it can be learned by other means,
for example, by "kill -0 $PID"), but it hides a process's UID and GID, which
could otherwise be learned by employing stat(2) on a /proc/[pid] directory.
This greatly complicates an attacker's task of gathering information about
running processes (e.g., discovering whether some daemon is running with ele‐
vated privileges, whether another user is running some sensitive program,
whether other users are running any program at all, and so on).
gid=gid (since Linux 3.3)
Specifies the ID of a group whose members are authorized to learn process informa‐
tion otherwise prohibited by hidepid (i.e., users in this group behave as though
/proc was mounted with hidepid=0). This group should be used instead of ap‐
proaches such as putting nonroot users into the sudoers(5) file.
That's useful because you can choose who can read /proc/PID.
So in case you want to try it remember to remount /proc according your needs:
--practical case:
: su -
Password:
root@foo:~# mount -o remount,hidepid=2 /proc
root@foo:~# exit
logout
:ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
tntx 709 0.0 0.1 33980 8012 tty2 S 18:12 0:00 irssi
tntx 746 0.0 0.0 8868 3880 tty1 S 18:13 0:00 -ksh93
So now I have no way to see other process than mine via PS(1) or lsof(8)
answered 2 days ago
tntxtntx
642
answered 2 days ago
tntxtntx
642
answered 2 days ago
tntxtntx
642
answered 2 days ago
tntxtntx
642
642
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f280860%2fhow-to-hide-a-specific-process%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Which version of Linux are you using? Or do you need one that works on multiple distros?
– Peter David Carter
May 3 '16 at 17:39
@PeterDavidCarter Debian jessie.
– GAD3R
May 3 '16 at 17:40