Re: Security by hiding processes

From: ellipse
Date: 07/23/02

Date: Tue, 23 Jul 2002 12:22:06 +0000 (GMT)
From: ellipse <>
To: "Remco B. Brink" <>

> during a lively discussion in some Norwegian newsgroups the issue was
> raised of increasing security on a Linux server by not allowing users
> to view process listings.
> Suggestions like restricting access to /proc were named, but there
> were few suggestions on how to properly implement this.

It's my conviction that an application that requires the /proc file system
is, by default, broken. There have been problems with the /proc file
system implementations of various Unix operating systems, and I suspect
there will be in the future.

A multi-user system should not, in my opinion, have a /proc filesystem at

> Personally, I'm a bit sceptical towards this kind of security through
> obscurity, but I am hoping some of the readers of this list might have
> some input on this.
> Does hiding processes give a false sense of security? Is it worth the
> effort? What problems can one run into by, for example, restricting
> access to /proc? Are there better ways to hide process information
> from users?

This is not obscurity. Information leakage is a valid vulnerability.
Anything that by default gives sensitive information to users that
probably shouldn't have it is, by default, broken. This is why we often
change the banners, and edit source to eliminate the overly nosey. By
limiting the amount of information untrusted users can gather, we limit
the vectors of entry for an attack.