From fee59977e0ead9f83f6634a6ec149e354d2c56c8 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Tue, 5 May 2015 15:49:53 +0200 Subject: [PATCH] proc.5: Document /proc mount options Document the 'hidepid' and 'gid' mount options that were added in Linux 3.3. See https://bugzilla.kernel.org/show_bug.cgi?id=90641 Based on text by Vasiliy Kulikov in Documentation/filesystems/proc.txt. Reported-by: Cameron Norman Cowritten-by: Vasiliy Kulikov Signed-off-by: Michael Kerrisk --- man5/proc.5 | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 78 insertions(+), 1 deletion(-) diff --git a/man5/proc.5 b/man5/proc.5 index 5d3dfb4e0..868ea12fe 100644 --- a/man5/proc.5 +++ b/man5/proc.5 
@@ -64,7 +64,84 @@ It is commonly mounted at .IR /proc . Most of it is read-only, but some files allow kernel variables to be changed. -.LP +.SS Mount options +The +.I proc +filesystem supports the following mount options: +.TP +.BR hidepid "=\fIn\fP (since Linux 3.3)" +.\" commit 0499680a42141d86417a8fbaa8c8db806bea1201 +This option controls who can access the information in +.IR /proc/[pid] +directories. +The argument, +.IR n , +is one of the following values: +.RS +.TP 4 +0 +Everybody may access all +.IR /proc/[pid] +directories. +This is the traditional behavior, +and the default if this mount option is not specified. +.TP +1 +Users may not access files and subdirectories inside any +.IR /proc/[pid] +directories but their own (the +.IR /proc/[pid] +directories themselves remain visible). +Sensitive files such as +.IR /proc/[pid]cmdline +and +.IR /proc/[pid]status +are now protected against other users. +This makes it impossible to learn whether any user is running a +specific program +(so long as the program doesn't otherwise reveal itself by its behavior). +.\" As an additional bonus, since +.\" .IR /proc/[pid]cmdline +.\" is unaccessible for other users, +.\" poorly written programs passing sensitive information via +.\" program arguments are now protected against local eavesdroppers. +.TP +2 +As for mode 1, but in addition the +.IR /proc/[pid] +directories belonging to other users become invisible. +This means that +.IR /proc/[pid] +entries can no longer be used to discover the PIDs on the system. +This doesn't hide the fact that a process with a specific PID value exists +(it can be learned by other means, for example, by "kill -0 $PID"), +but it hides a process's UID and GID, +which could otherwise be learned by employing +.BR stat (2) +on a +.IR /proc/[pid] +directory. 
+This greatly complicates an attacker's task of gathering +information about running processes (e.g., discovering whether +some daemon is running with elevated privileges, +whether another user is running some sensitive program, +whether other users are running any program at all, and so on). +.RE +.TP +.BR gid "=\fIgid\fP (since Linux 3.3)" +.\" commit 0499680a42141d86417a8fbaa8c8db806bea1201 +Specifies the ID of a group whose members are authorized to +learn process information otherwise prohibited by +.BR hidepid +(ie/e/, users in this group behave as though +.I /proc +was mounted with +.IR hidepid=0 . +This group should be used instead of approaches such as putting +nonroot users into the +.BR sudoers (5) +file. +.SS Files and directories The following list describes many of the files and directories under the .I /proc hierarchy.
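Review bot: the file names in the mode 1 description are missing the slash after the PID component: `.IR /proc/[pid]cmdline` and `.IR /proc/[pid]status` should read `.IR /proc/[pid]/cmdline` and `.IR /proc/[pid]/status` (the commented-out `.\"` block below them repeats the same `/proc/[pid]cmdline`, and its "unaccessible" would be "inaccessible" if it is ever uncommented). In the `gid` paragraph, `(ie/e/, users in this group` is a typo for `(i.e., users in this group`, and the parenthesis opened there is never closed; the simplest fix is to end the sentence with `.IR hidepid=0 ).` so the `.IR` alternation renders the closing parenthesis and period in roman. Otherwise the wording matches the visible kernel documentation text the commit message credits.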