By default, proc is mounted in a way that lets any account on the system inspect every other user's processes. This is a security risk: if an attacker gets hold of any account on the machine, they can freely list and inspect other users' processes (command lines, status information and other details exposed under /proc/<pid>) and gather information they should not have.
To restrict access, add the hidepid mount option to the proc entry in /etc/fstab:
proc /proc proc defaults,hidepid=2 0 0
hidepid=1 keeps other users' /proc/<pid> directories visible in listings but denies access to their contents; hidepid=2 additionally hides those directories entirely, so tools such as ps and top only show the caller's own processes. Kernels from 5.8 onward also accept the spelled-out values hidepid=noaccess and hidepid=invisible for 1 and 2.
To apply the option to the currently mounted /proc without rebooting, remount it:
mount -o remount,rw,hidepid=2 /proc
Verify the result with findmnt /proc (the OPTIONS column should now contain hidepid) and, from an unprivileged account, confirm that ps aux lists only that user's own processes.
But what if some users need to see all PIDs on the system, for example a monitoring account? There is also the gid mount option: members of the given group are exempt from hidepid and can access every /proc/<pid>. It takes a numeric group ID or a group name (the kernel itself only understands the numeric ID; mount(8) resolves a name to it before mounting). For example:
gid=sudo
Be deliberate about which group you pick, since every member gets full visibility. System services that legitimately need to inspect other users' processes, such as monitoring agents, must be members of that group or they will stop working once hidepid is active.
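As an added example (not from the original post), the following script checks how /proc is actually mounted and what the current user can see. It assumes a Linux host with GNU stat(1) and awk(1); the mountinfo lines it parses as samples are constructed. It goes beyond the post in that it reads the effective settings back from /proc/self/mountinfo rather than from /etc/fstab, which is what you want to check after a remount.

```shell
#!/bin/sh
# Added example (not from the original post): inspect how /proc is mounted and
# measure what the current user can actually see. Assumes Linux with a procfs
# at /proc, GNU stat(1) and awk(1); the sample mountinfo lines below are
# constructed for illustration.

# proc_mount_opts LINE
# Parses one /proc/self/mountinfo line. The fields after the " - " separator
# are: fstype, source, super-block options. Prints "hidepid=<v> gid=<g>" for a
# procfs line ("off" / "0" when unset), or "not-proc" otherwise. On kernels
# >= 5.8 the value may read "invisible"/"noaccess" instead of 2/1.
proc_mount_opts() {
    printf '%s\n' "$1" | awk '{
        fstype = ""; opts = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-") { fstype = $(i + 1); opts = $(i + 3); break }
        }
        if (fstype != "proc") { print "not-proc"; exit }
        hp = "off"; g = "0"
        n = split(opts, a, ",")
        for (j = 1; j <= n; j++) {
            if (a[j] ~ /^hidepid=/) hp = substr(a[j], 9)
            else if (a[j] ~ /^gid=/) g = substr(a[j], 5)
        }
        print "hidepid=" hp " gid=" g
    }'
}

# current_proc_opts: run proc_mount_opts on the live /proc mount (field 5 of
# mountinfo is the mount point).
current_proc_opts() {
    line=$(awk '$5 == "/proc"' /proc/self/mountinfo 2>/dev/null | head -n 1)
    proc_mount_opts "$line"
}

# foreign_pids_visible: count /proc/<pid> directories owned by a uid other
# than the caller's. With hidepid=2 and the caller outside the exempt group
# this is 0; with hidepid=1 the directories still show up here even though
# their contents are denied.
foreign_pids_visible() {
    me=$(id -u)
    count=0
    for d in /proc/[0-9]*; do
        owner=$(stat -c %u "$d" 2>/dev/null) || continue
        if [ "$owner" != "$me" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Constructed sample lines in /proc/self/mountinfo format (layout:
# id parent maj:min root mountpoint mntopts [optional...] - fstype source superopts).
# The hardened line is what "defaults,hidepid=2,gid=sudo" in fstab shows up as
# when the sudo group has GID 27: mount(8) has already resolved the name.
SAMPLE_DEFAULT='22 27 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw'
SAMPLE_HARDENED='22 27 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw,gid=27,hidepid=2'
SAMPLE_OTHER='25 27 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw'

main() {
    echo "sample default : $(proc_mount_opts "$SAMPLE_DEFAULT")"
    echo "sample hardened: $(proc_mount_opts "$SAMPLE_HARDENED")"
    echo "this system    : $(current_proc_opts)"
    echo "other users' PIDs visible to uid $(id -u): $(foreign_pids_visible)"
}

main "$@"
```

Run it as root and as a regular user before and after the remount. A non-zero count for an unprivileged user while the live line reports hidepid=2 means either that user is in the exempt gid group or the remount did not take effect. Note that the gid is always reported numerically, even when /etc/fstab says gid=sudo, because the name is resolved by mount(8) before the kernel ever sees it.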