All modern multi-tasking operating systems, including Linux, run a series of processes for each of the tasks being executed. A notepad application is a process, a terminal window is a process, the SSH server is a process, each SSH connection is a process and so on. Linux schedules the various system resources (CPU time, memory, I/O) so that each process get an opportunity to run.
To see the list of the processes currently running, you can use the ps command. Try this in a terminal:
ps aux
The aux parameters tell ps to list all the system processes with extra information about who owns each process and what calling parameters were used.
As you can see, the list shows processes owned by different users including “pi” (the default Raspbian user on a Raspberry Pi), “root” and “www-data”. Here is a slightly modified screenshot which shows the processes along with fuller details about the commands and their parameters.
If you look down the list, you will see the command nano MYBANKACCOUNTNUMBER.TXT, which is owned by the user “john.” Imagine if the file name were a little more revealing than this example: by default, the command line of every process is exposed to all users on the system and could be used for malicious purposes.
Since Linux kernel 3.2 there has been a way to stop users getting access to information about processes which they don’t own. The ps command gets its process information from the /proc filesystem (where “proc” is short for process). A mount option called “hidepid”, given when the /proc filesystem is mounted, hides processes and controls who has access to the information under /proc.
- hidepid=0 – The default behaviour: any user can read the files under /proc/PID/ for every process.
- hidepid=1 – Users may not access any /proc/PID/ sub-directory except their own, so files like cmdline, io, sched*, status and wchan are inaccessible to other users (the process IDs themselves are still listed).
- hidepid=2 – Everything from hidepid=1, plus all other users’ /proc/PID/ sub-directories are hidden entirely, so tools like ps do not list those processes at all.
The /proc filesystem can be remounted on the fly using the remount option of the mount command. To test hidepid, you can remount the /proc filesystem like this:
sudo mount -o remount,rw,hidepid=2 /proc
Now run the ps aux command again:
Now the output only shows processes that are owned by the user “pi”.
To make this change permanent, you need to edit your Pi’s “/etc/fstab” file. The “fstab” file controls which file systems are mounted, and with which options, at start up.
sudo nano /etc/fstab
And find the line which reads:
proc /proc proc defaults 0 0
And change it to:
proc /proc proc defaults,hidepid=2 0 0
Exit the editor using “Ctrl + X.” Now reboot your Raspberry Pi. When it reboots, check that the /proc filesystem has been mounted with the right options. First use grep to see the current options:
mount | grep hidepid
Now test the ps command, exactly as we have done above:
Notice that only the processes owned by “pi” are visible, but unlike before, when we remounted the /proc file system by hand, this is now the permanent setting. However, one word of warning: even when hidepid is used, “root” can still see all the processes and their calling parameters.
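As an added example (not from the original article), here is a small shell script that does the “mount | grep hidepid” check above in script form: it parses /proc/mounts-style lines to report the hidepid level actually in effect, and it counts how many /proc/PID directories belonging to other users are visible to the caller, which is the quickest way to confirm the setting is doing what you expect. The function names are my own; the named values off/noaccess/invisible/ptraceable that kernels 5.8 and later accept are mapped to their numeric levels.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Report the hidepid level in effect for /proc and count how many other
# users' /proc/PID directories are visible to the current user.

# Read mount-table lines (the format of /proc/mounts) from stdin and print
# the hidepid level of the proc filesystem mounted at /proc. Prints 0 when
# the option is absent (the kernel default). Kernels 5.8+ also accept the
# names off/noaccess/invisible/ptraceable; these map to 0/1/2/4.
hidepid_level() {
    found=0; level=0
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "/proc" ] && [ "$fstype" = "proc" ] || continue
        found=1
        level=0            # a later mount line for /proc supersedes earlier ones
        old_ifs=$IFS
        IFS=','
        for opt in $opts; do   # the last hidepid= in the option list wins
            case "$opt" in
                hidepid=0|hidepid=off)        level=0 ;;
                hidepid=1|hidepid=noaccess)   level=1 ;;
                hidepid=2|hidepid=invisible)  level=2 ;;
                hidepid=4|hidepid=ptraceable) level=4 ;;
            esac
        done
        IFS=$old_ifs
    done
    [ "$found" -eq 1 ] || { echo "no proc filesystem mounted at /proc" >&2; return 1; }
    echo "$level"
}

# Count /proc/PID directories owned by a user other than the caller.
# With hidepid=2 a non-root user should get 0; with hidepid=0 every other
# user's processes are counted. Root sees everything regardless of hidepid.
foreign_pid_dirs() {
    me=$(id -u); n=0
    for d in /proc/[0-9]*; do
        owner=$(stat -c %u "$d" 2>/dev/null) || continue
        [ "$owner" = "$me" ] || n=$((n + 1))
    done
    echo "$n"
}

# Live report for this machine (same information as "mount | grep hidepid").
if [ -r /proc/mounts ]; then
    echo "hidepid level in effect: $(hidepid_level < /proc/mounts 2>/dev/null || echo unknown)"
    echo "other users' /proc/PID directories visible to uid $(id -u): $(foreign_pid_dirs)"
fi
```

Run it once as “pi” and once via sudo to see the difference the warning above describes: root still sees every process.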
The technique used above will work on other Linux machines and distributions, not just the Raspberry Pi with Raspbian. If you have questions about using the “hidepid” option on the /proc file system, please feel free to use the comments section below, and we will see if we can help.