nixos/modules/security/hidepid.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

<chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-hidepid">

  <title>Hiding process information</title>

  <para>
    Setting
    <programlisting>
      security.hideProcessInformation = true;
    </programlisting>
    ensures that access to process information is restricted to the
    owning user.  This implies, among other things, that command-line
    arguments remain private.  Unless your deployment relies on unprivileged
    users being able to inspect the process information of other users, this
    option should be safe to enable.
  </para>

  <para>
    Members of the <literal>proc</literal> group are exempt from process
    information hiding.
  </para>

  <para>
    To allow a service <replaceable>foo</replaceable> to run without process information hiding, set
    <programlisting>
      systemd.services.<replaceable>foo</replaceable>.serviceConfig.SupplementaryGroups = [ "proc" ];
    </programlisting>
  </para>

</chapter>