mirror of https://github.com/mkerrisk/man-pages
proc.5: Document /proc mount options
Document the 'hidepid' and 'gid' mount options that were added in Linux 3.3.
See https://bugzilla.kernel.org/show_bug.cgi?id=90641
Based on text by Vasiliy Kulikov in Documentation/filesystems/proc.txt.

Reported-by: Cameron Norman <camerontnorman@gmail.com>
Cowritten-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 3739cdd4f8
commit fee59977e0
Files changed: man5/proc.5 (79)
@ -64,7 +64,84 @@ It is commonly mounted at
.IR /proc .
Most of it is read-only, but some files allow kernel variables to be
changed.
.LP
.SS Mount options
The
.I proc
filesystem supports the following mount options:
.TP
.BR hidepid "=\fIn\fP (since Linux 3.3)"
.\" commit 0499680a42141d86417a8fbaa8c8db806bea1201
This option controls who can access the information in
.IR /proc/[pid]
directories.
The argument,
.IR n ,
is one of the following values:
.RS
.TP 4
0
Everybody may access all
.IR /proc/[pid]
directories.
This is the traditional behavior,
and the default if this mount option is not specified.
.TP
1
Users may not access files and subdirectories inside any
.IR /proc/[pid]
directories but their own (the
.IR /proc/[pid]
directories themselves remain visible).
Sensitive files such as
.IR /proc/[pid]cmdline
and
.IR /proc/[pid]status
are now protected against other users.
This makes it impossible to learn whether any user is running a
specific program
(so long as the program doesn't otherwise reveal itself by its behavior).
.\" As an additional bonus, since
.\" .IR /proc/[pid]cmdline
.\" is unaccessible for other users,
.\" poorly written programs passing sensitive information via
.\" program arguments are now protected against local eavesdroppers.
.TP
2
As for mode 1, but in addition the
.IR /proc/[pid]
directories belonging to other users become invisible.
This means that
.IR /proc/[pid]
entries can no longer be used to discover the PIDs on the system.
This doesn't hide the fact that a process with a specific PID value exists
(it can be learned by other means, for example, by "kill -0 $PID"),
but it hides a process's UID and GID,
which could otherwise be learned by employing
.BR stat (2)
on a
.IR /proc/[pid]
directory.
This greatly complicates an attacker's task of gathering
information about running processes (e.g., discovering whether
some daemon is running with elevated privileges,
whether another user is running some sensitive program,
whether other users are running any program at all, and so on).
.RE
.TP
.BR gid "=\fIgid\fP (since Linux 3.3)"
.\" commit 0499680a42141d86417a8fbaa8c8db806bea1201
Specifies the ID of a group whose members are authorized to
learn process information otherwise prohibited by
.BR hidepid
(ie/e/, users in this group behave as though
.I /proc
was mounted with
.IR hidepid=0 .
This group should be used instead of approaches such as putting
nonroot users into the
.BR sudoers (5)
file.
.SS Files and directories
The following list describes many of the files and directories under the
.I /proc
hierarchy.
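Review bot: the two paths named under hidepid=1, `.IR /proc/[pid]cmdline` and `.IR /proc/[pid]status`, are missing the slash before the filename and should read `.IR /proc/[pid]/cmdline` and `.IR /proc/[pid]/status` (the commented-out `.\" .IR /proc/[pid]cmdline` has the same slip); as written, the one sentence that tells readers which files the option protects names paths that do not exist. In the gid paragraph, `(ie/e/, users in this group behave as though` should be `(i.e., users in this group behave as though`, and the parenthesis opened there is never closed: `.IR hidepid=0 .` should become `.IR hidepid=0 ).` so the sentence reads "hidepid=0)." Minor troff style: `.BR hidepid` with a single argument is better written `.B hidepid`. Since the hidepid=2 text already concedes that a PID's existence remains discoverable via "kill -0 $PID", it would help readers to state plainly that the option limits what /proc reveals about other users' processes (cmdline, status, UID/GID via stat(2)) rather than isolating the processes themselves, and that only members of the group named by gid= are exempted.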