<div dir="ltr">This is it. It works.<br><br><div>Yes, I have "hidepid=2" configured proc mount, with your addition everything works as expected. <div>Thank you very much Mantas.<br></div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 4 Jun 2023 at 16:00, Mantas Mikulėnas <<a href="mailto:grawity@gmail.com">grawity@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Assuming you already have "hidepid" configured for /proc, you'll still need to block access to the corresponding systemd D-Bus call:<div dir="auto"><br></div><div dir="auto"><div dir="auto">$ cat /etc/dbus-1/system.d/systemd-restrict.conf</div><div dir="auto"><br></div><div dir="auto"><?xml version="1.0"?></div><div dir="auto"><busconfig></div><div dir="auto"> <policy user="root"></div><div dir="auto"> <allow send_destination="org.freedesktop.systemd1"</div><div dir="auto"> send_interface="org.freedesktop.systemd1.Manager"</div><div dir="auto"> send_member="GetUnitProcesses"/></div><div dir="auto"> </policy></div><div dir="auto"><br></div><div dir="auto"> <policy group="proc"></div><div dir="auto"> <allow send_destination="org.freedesktop.systemd1"</div><div dir="auto"> send_interface="org.freedesktop.systemd1.Manager"</div><div dir="auto"> send_member="GetUnitProcesses"/></div><div dir="auto"> </policy></div><div dir="auto"><br></div><div dir="auto"> <policy context="default"></div><div dir="auto"> <deny send_destination="org.freedesktop.systemd1"</div><div dir="auto"> send_interface="org.freedesktop.systemd1.Manager"</div><div dir="auto"> send_member="GetUnitProcesses"/></div><div dir="auto"> </policy></div><div dir="auto"></busconfig></div><div dir="auto"><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Jun 4, 2023, 12:50 antisimus <<a href="mailto:antisimus@gmail.com" target="_blank">antisimus@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>Is there a way to hide process information (pids, command line) and prevent one user accessing other user processes information. </div><div><br></div><div>On a shared system this can be a potential security risk and I really do not like idea users inspecting each other's running processes. </div><div>Here I have user <b>bob </b>accessing user <b>alice </b>process info but same can be done even to inspect <b>root </b>users processes <br></div><div><br></div><div><font face="monospace">systemd 247 (247.3-7+deb11u2)<br>Linux systemd-vps 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux</font><br></div><div><br></div><div><font face="monospace">bob@systemd-vps:~$ loginctl user-status alice<br>alice (1002)<br> Since: Sun 2023-06-04 08:37:18 UTC; 2min 39s ago<br> State: active<br> Sessions: *7<br> Linger: no<br> Unit: user-1002.slice<br> ├─session-7.scope<br> │ ├─1025 sshd: alice [priv]<br> │ ├─1046 sshd: alice@pts/1<br> │ ├─1047 -bash<br> │ ├─1305 bash myapp.sh<br> │ └─1306 sleep 5<br> └─user@1002.service<br> └─init.scope<br> ├─1028 /lib/systemd/systemd --user<br> └─1029 (sd-pam)<br></font></div><div><br></div><div><br></div><div><br></div><div><font face="monospace"> bob@systemd-vps:~$ loginctl user-status root</font></div><font face="monospace">root (0)<br> Since: Sun 2023-06-04 09:43:03 UTC; 3min 45s ago<br> State: active<br> Sessions: 5 *1<br> Linger: no<br> Unit: user-0.slice<br> ├─session-1.scope<br> │ ├─740 sshd: root@pts/0<br> │ ├─765 -bash<br> │ ├─769 su - bob<br> │ ├─770 -bash<br> │ ├─877 loginctl user-status root<br> │ └─878 less<br> ├─session-5.scope<br> │ ├─820 sshd: root@pts/2<br> │ ├─826 -bash<br> │ └─872 sleep 100<br> └─user@0.service<br> └─init.scope<br> ├─747 /lib/systemd/systemd --user<br> └─748 (sd-pam)</font><br><br><div><br></div><div>Best regards,</div><div>Ante</div></div>
</blockquote></div>
</blockquote></div>