Five years ago I wrote about kernel-based process hiding in Linux (see the articles Simple process hiding kernel patch, Process hiding Kernel patch for 2.6.24.x, RSBAC – Kernel based process hiding). It is time to continue the story and finally present a real solution, without the hassle of a self-compiled kernel.
How can I prevent users from seeing processes that do not belong to them?
In January 2012, Vasiliy Kulikov came up with a kernel patch that solved the problem nicely by adding a hidepid mount option for procfs. The patch landed in Linux kernel 3.3.
In the meantime, this patch luckily also landed in the 3.2 kernel of Debian Wheezy (see the backport request in Debian bug report #669028). The feature has also been backported into the kernel of Red Hat Enterprise Linux 6.3 (see the RHEL 6.3 Release Notes), and from there to CentOS 6.3 and Scientific Linux 6.3. Recently, it was even backported to the 2.6.18 kernel in RHEL 5.9.
As Proxmox VE currently runs on a RHEL-based 2.6.32 kernel, it is also supported in my favorite OpenVZ/KVM virtualization platform. Great!
hidepid=0 (default) means the current behaviour: anybody may read all world-readable /proc/PID/* files.

hidepid=1 means users may not access any /proc/PID/ directories but their own. Sensitive files like cmdline, io, sched*, status, wchan are now protected against other users. As the permission checking is done in proc_pid_permission() and the files' permissions are left untouched, programs expecting specific files' permissions are not confused.

hidepid=2 means hidepid=1 plus all /proc/PID/ directories will be invisible to other users. It does not mean that it hides the fact that a process exists (it can be learned by other means, e.g. by sending signals), but it hides the process' euid and egid. It greatly complicates an intruder's task of gathering info about running processes: whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, etc.
On a shared server I strongly recommend enabling the hidepid=2 procfs mount option. This can be done at runtime by remounting procfs (as root):

```
$ mount | grep ^proc
proc on /proc type proc (rw,relatime)
$ mount -o remount,hidepid=2 /proc
$ mount | grep ^proc
proc on /proc type proc (rw,relatime,hidepid=2)
```
You may also add this mount option directly to /etc/fstab in order to make it persistent:

```
# <file system> <mount point> <type> <options>          <dump> <pass>
proc            /proc         proc   defaults,hidepid=2 0      0
```
A regular system user will then only see their own processes, e.g.:

```
testuser@web:~$ ps
  PID TTY          TIME CMD
17486 pts/0    00:00:00 bash
24806 pts/0    00:00:00 ps
```
This also works for other commands such as pstree, top, htop, etc.
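As an added example (my own code, not part of the original post or of the kernel patch), here is a small POSIX shell audit that answers the question "is /proc actually mounted with hidepid=2 on this box?" in a form that can be dropped into a hardening check or a cron job. It reads text in /proc/mounts format (six whitespace-separated fields per line, which differs from the `mount` output quoted above), picks the /proc entry and extracts the hidepid value; without arguments it runs over constructed sample lines embedded in the script, with `--live` it reads the real /proc/mounts. The names SAMPLE_HARDENED, SAMPLE_DEFAULT, SAMPLE_WEAK, hidepid_of and check_hidepid are mine. It goes slightly beyond the post in that it also accepts the option names off/noaccess/invisible that kernels from 5.8 on allow as aliases for 0/1/2, so the check does not report a false FAIL on a modern kernel.

```shell
#!/bin/sh
# Added example, not code from the original post: audit whether procfs is
# mounted with hidepid=2. Input is text in /proc/mounts format
# ("<src> <mountpoint> <fstype> <options> <dump> <pass>" per line).

# Constructed sample lines (not captured from a real system):
SAMPLE_HARDENED='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'
SAMPLE_DEFAULT='proc /proc proc rw,relatime 0 0'
SAMPLE_WEAK='proc /proc proc rw,relatime,hidepid=1 0 0'

# hidepid_of MOUNTS_TEXT
#   Print the hidepid value of the /proc entry. Prints 0 when the option is
#   absent (the kernel default). Returns 1 when there is no /proc entry at all.
hidepid_of() {
    # The mount options are the 4th whitespace-separated field of the /proc line.
    opts=$(printf '%s\n' "$1" | awk '$2 == "/proc" && $3 == "proc" { print $4; exit }')
    [ -n "$opts" ] || return 1
    # Split the comma-separated options; if hidepid= is repeated, the last one wins,
    # which matches how the kernel treats repeated mount options.
    val=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^hidepid=//p' | tail -n 1)
    printf '%s\n' "${val:-0}"
}

# check_hidepid MOUNTS_TEXT
#   Return 0 if /proc is mounted with hidepid=2 (or its 5.8+ alias "invisible"),
#   1 otherwise, printing a one-line verdict in either case.
check_hidepid() {
    hp=$(hidepid_of "$1") || { echo "FAIL: no /proc entry found"; return 1; }
    case "$hp" in
        2|invisible)
            echo "OK: /proc mounted with hidepid=$hp"; return 0 ;;
        1|noaccess)
            echo "FAIL: hidepid=$hp protects /proc/PID contents but /proc/PID directories stay listable"; return 1 ;;
        0|off)
            echo "FAIL: hidepid=$hp, every user can read the world-readable /proc/PID files"; return 1 ;;
        *)
            echo "FAIL: hidepid=$hp is not the recommended hidepid=2"; return 1 ;;
    esac
}

# Demo: --live checks the running system (exit status is the verdict),
# otherwise the constructed samples are checked one after the other.
if [ "${1:-}" = "--live" ]; then
    check_hidepid "$(cat /proc/mounts)"
else
    for s in "$SAMPLE_HARDENED" "$SAMPLE_DEFAULT" "$SAMPLE_WEAK"; do
        check_hidepid "$s" || :    # FAIL verdicts are expected for the two weak samples
    done
fi
```

Run `sh audit-hidepid.sh --live` after the remount or after a reboot with the fstab entry in place; a non-zero exit status means the option is missing. If a monitoring or backup account on the same host still needs to see all processes, the same kernel patch added a `gid=` procfs mount option naming a group that is exempt from hidepid; put that account into the group rather than relaxing hidepid for everyone.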
To get process hiding working inside a Proxmox VE container, simply remount procfs inside the VE, e.g. with the following init script, /etc/init.d/system-hardening:

```
#!/bin/bash
### BEGIN INIT INFO
# Provides:          system-hardening
# Required-Start:    $all
# Required-Stop:     $local_fs $remote_fs $syslog $named $network
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Run system-hardening startup actions
# Description:       Run system-hardening startup actions
### END INIT INFO

. /lib/lsb/init-functions

# Remount procfs with hidepid=2 so users only see their own processes.
log_daemon_msg "Added proc mount option (hidepid=2)"
mount -o remount,hidepid=2 /proc
log_end_msg $?
```
Install the init script:

```
$ insserv system-hardening
```
Mar 01, 2015 - 04:02 PM
What is the purpose of this?
If someone has root access, they can remount /proc with hidepid=0 at any time.
Mar 06, 2015 - 08:47 AM
You’re a funny guy. What exactly is the purpose of you handing out root access to the whole world?