Hiding process information
Setting
= true;
ensures that access to process information is restricted to the owning user.
This implies, among other things, that command-line arguments remain private.
Unless your deployment relies on unprivileged users being able to inspect the
process information of other users, this option should be safe to enable.
Members of the proc group are exempt from process
information hiding.
To allow a service foo to run without process
information hiding, set
systemd.services.foo.serviceConfig.SupplementaryGroups = [ "proc" ];