Virtualized /proc filesystem


You can prevent users from seeing other users' processes (for example in the output of ps or top), as well as the special files in the /proc file system, by setting the fs.proc_can_see_other_uid sysctl.

To do that, edit /etc/sysctl.conf and add:

 

fs.proc_can_see_other_uid=0
fs.proc_super_gid=600

Then apply the settings:

# sysctl -p

fs.proc_can_see_other_uid=0

If fs.proc_can_see_other_uid is set to 0, users will not be able to see the special files. If it is set to 1, users will see the process IDs of other users' processes in the /proc file system.

fs.proc_super_gid=XX

fs.proc_super_gid sets the group ID whose members can see the system files in /proc. Add any users to that group and they will see all files in /proc. This is usually needed for monitoring users such as nagios or zabbix.

The virtualized /proc file system displays only the following files (as well as the PID directories of the user's own processes) to unprivileged users:

/proc/cpuinfo
/proc/version
/proc/stat
/proc/uptime
/proc/loadavg
/proc/filesystems
/proc/cmdline
/proc/meminfo
/proc/mounts
/proc/tcp
/proc/tcp6
/proc/udp
/proc/udp6
/proc/assocs
/proc/raw
/proc/raw6
/proc/unix
/proc/dev
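The helpers below are an added example, not part of the CloudLinux documentation: one checks a sysctl.conf file for the two settings described above, the other compares an unprivileged user's ls /proc listing against the allow-list given on this page. The function names and the sample inputs in the comments are my own.

```shell
# Added example, not from the CloudLinux documentation: audit helpers for the
# virtualized /proc settings described on this page. Function names are my own.

# Entries the page lists as visible to unprivileged users (PID dirs handled separately).
ALLOWED_PROC="cpuinfo version stat uptime loadavg filesystems cmdline meminfo mounts tcp tcp6 udp udp6 assocs raw raw6 unix dev"

# proc_hardening_ok FILE
# Returns 0 when FILE (a sysctl.conf) sets fs.proc_can_see_other_uid=0 and a
# numeric fs.proc_super_gid; as with sysctl, the last occurrence of a key wins.
proc_hardening_ok() {
    see_other=$(sed -n 's/^[[:space:]]*fs\.proc_can_see_other_uid[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    super_gid=$(sed -n 's/^[[:space:]]*fs\.proc_super_gid[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    [ "$see_other" = "0" ] || return 1
    case "$super_gid" in
        ''|*[!0-9]*) return 1 ;;   # missing or not a plain numeric GID
    esac
    return 0
}

# unexpected_proc_entries
# Reads an `ls -1 /proc` listing (taken as an unprivileged user) on stdin and
# prints every entry that is neither a PID directory nor on the allow-list.
# Returns 0 if the view matches the documentation, 1 if anything extra shows up.
unexpected_proc_entries() {
    extra=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case "$entry" in
            *[!0-9]*) ;;        # not purely numeric: check the allow-list below
            *) continue ;;      # purely numeric: a PID directory, expected
        esac
        case " $ALLOWED_PROC " in
            *" $entry "*) ;;    # documented entry
            *) printf '%s\n' "$entry"; extra=1 ;;
        esac
    done
    return $extra
}
```

Run the second helper as an ordinary user after applying the settings (ls -1 /proc | unexpected_proc_entries); any printed entry is something the virtualized view exposes beyond the documented list and worth investigating.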