Hide Your Processes From Other Users in Linux

All modern multi-tasking operating systems, including Linux, run a series of processes for each of the tasks being executed. A notepad application is a process, a terminal window is a process, the SSH server is a process, each SSH connection is a process and so on. Linux schedules the various system resources (CPU time, memory, I/O) so that each process gets an opportunity to run.

To see the list of currently running processes, you can use the ps command. Try this in a terminal:

ps aux

The aux parameters tell ps to list all the system processes with extra information about who owns the processes and what calling parameters were used.

As you can see, the list shows processes owned by different users including “pi” (the default Raspbian user on a Raspberry Pi), “root” and “www-data”. Here is a slightly modified screenshot which shows the processes along with fuller details about the commands and their parameters.

If you look down the list, you will see the command nano MYBANKACCOUNTNUMBER.TXT which is owned by the user “john.” Imagine if the file name was a little more revealing than the example; such data is exposed to all users on the system and could be used for malicious purposes.

Since Linux kernel 3.2 there is a way to stop users getting access to information about processes which they don’t own. The ps command gets the process information from the /proc filesystem (where “proc” is short for process). There is a new parameter called “hidepid” which is used when the /proc filesystem is mounted. It hides processes and controls who has access to the information under /proc.

  • hidepid=0 – The default behavior, where any user can read the files under /proc/PID/.
  • hidepid=1 – Users may not access any /proc/PID/ sub-directory except their own. Files like cmdline, io, sched*, status and wchan are also inaccessible to other users.
  • hidepid=2 – Everything from hidepid=1, plus all /proc/PID/ sub-directories are hidden from other users.

The /proc filesystem can be remounted on the fly using the remount option of the mount command. To test hidepid, you can remount the /proc filesystem like this:

sudo mount -o remount,rw,hidepid=2 /proc

Now you can try the ps command again:

ps aux

Now the output only shows processes that are owned by the user “pi”.

To make this change permanent, you need to edit your Pi’s “/etc/fstab” file. The “fstab” file controls which file systems are mounted at start up.

sudo nano /etc/fstab

And find the line which reads:

proc            /proc           proc    defaults          0       0

And change it to:

proc            /proc           proc    defaults,hidepid=2          0       0

Exit the editor using “Ctrl + X.” Now reboot your Raspberry Pi. When it reboots, check that the /proc filesystem has been mounted with the right options. First use mount and grep to see the current options:

mount | grep hidepid

Now test the ps command, exactly as we have done above:

ps aux

Notice that only the processes owned by “pi” are visible, but unlike before, when we remounted the /proc file system by hand, this is now the permanent setting. One word of warning, however: even when hidepid is used, “root” can still see all the processes and their calling parameters.
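
To check both the permanent setting and the live mount in one step, the script below reads the options of the /proc entry from /etc/fstab and /proc/mounts and reports the hidepid level of each. It is an added example, not part of the original article; the function names proc_hidepid and hidepid_ok and the sample fstab are constructed for illustration.

```sh
#!/bin/sh
# Added example. Prints the hidepid level (0, 1, 2 or 4) of the /proc
# mount found in an fstab- or /proc/mounts-format file.
proc_hidepid() {
    # Fields: device, mount point, fs type, options, dump, pass
    awk '
        /^[ \t]*#/ { next }                  # skip fstab comments
        $2 == "/proc" && $3 == "proc" {
            found = 1; level = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] !~ /^hidepid=/) continue
                v = substr(opt[i], 9)
                # Kernels 5.8+ list names in /proc/mounts, not numbers.
                if (v == "off") v = 0
                else if (v == "noaccess") v = 1
                else if (v == "invisible") v = 2
                else if (v == "ptraceable") v = 4
                level = v
            }
        }
        END { print (found ? level : 0) }
    ' "$1"
}

# Succeeds when other users' processes are hidden (level 2 or stricter).
hidepid_ok() {
    [ "$(proc_hidepid "$1")" -ge 2 ]
}

# Constructed sample: the fstab line from this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample fstab
proc            /proc           proc    defaults,hidepid=2          0       0
/dev/mmcblk0p2  /               ext4    defaults,noatime            0       1
EOF
echo "sample fstab: hidepid=$(proc_hidepid "$sample")"
rm -f "$sample"

# Compare the persistent setting with what is mounted right now.
for f in /etc/fstab /proc/mounts; do
    if [ -r "$f" ]; then
        if hidepid_ok "$f"; then s=OK; else s=WEAK; fi
        echo "$f: hidepid=$(proc_hidepid "$f") $s"
    fi
done
```

If /proc/mounts reports a lower level than /etc/fstab, the change has not been applied to the running system yet. On newer kernels, "mount | grep hidepid" shows hidepid=invisible rather than hidepid=2, so a check for the literal string "hidepid=2" would miss a correctly configured mount.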

The technique used above will work on other Linux machines and distributions, not just the Raspberry Pi with Raspbian.