nixpkgs/nixos/modules/security/hidepid.xml

24 lines
1.1 KiB
XML
Raw Normal View History

<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-hidepid">
2018-09-30 01:51:11 +01:00
<title>Hiding process information</title>
<para>
Setting
2018-04-05 09:43:56 +01:00
<programlisting>
<xref linkend="opt-security.hideProcessInformation"/> = true;
</programlisting>
2019-09-18 21:13:35 +01:00
ensures that access to process information is restricted to the owning user. This implies, among other things, that command-line arguments remain private. Unless your deployment relies on unprivileged users being able to inspect the process information of other users, this option should be safe to enable.
2018-09-30 01:51:11 +01:00
</para>
<para>
2019-09-18 21:13:35 +01:00
Members of the <literal>proc</literal> group are exempt from process information hiding.
2018-09-30 01:51:11 +01:00
</para>
<para>
2019-09-18 21:13:35 +01:00
To allow a service <replaceable>foo</replaceable> to run without process information hiding, set
2018-04-05 09:43:56 +01:00
<programlisting>
<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.<replaceable>foo</replaceable>.serviceConfig</link>.SupplementaryGroups = [ "proc" ];
</programlisting>
2018-09-30 01:51:11 +01:00
</para>
</chapter>