This is it. It works. Yes, I have "hidepid=2" configured on the proc mount; with your addition everything works as expected. Thank you very much, Mantas.
On Sun, 4 Jun 2023 at 16:00, Mantas Mikulėnas <graw...@gmail.com> wrote:

> Assuming you already have "hidepid" configured for /proc, you'll still
> need to block access to the corresponding systemd D-Bus call:
>
> $ cat /etc/dbus-1/system.d/systemd-restrict.conf
>
> <?xml version="1.0"?>
> <busconfig>
>     <policy user="root">
>         <allow send_destination="org.freedesktop.systemd1"
>                send_interface="org.freedesktop.systemd1.Manager"
>                send_member="GetUnitProcesses"/>
>     </policy>
>
>     <policy group="proc">
>         <allow send_destination="org.freedesktop.systemd1"
>                send_interface="org.freedesktop.systemd1.Manager"
>                send_member="GetUnitProcesses"/>
>     </policy>
>
>     <policy context="default">
>         <deny send_destination="org.freedesktop.systemd1"
>               send_interface="org.freedesktop.systemd1.Manager"
>               send_member="GetUnitProcesses"/>
>     </policy>
> </busconfig>
>
>
> On Sun, Jun 4, 2023, 12:50 antisimus <antisi...@gmail.com> wrote:
>
>> Hello,
>>
>> Is there a way to hide process information (pids, command line) and
>> prevent one user accessing other users' process information?
>>
>> On a shared system this can be a potential security risk and I really do
>> not like the idea of users inspecting each other's running processes.
>> Here I have user *bob* accessing user *alice* process info, but the same
>> can be done even to inspect the *root* user's processes.
>>
>> systemd 247 (247.3-7+deb11u2)
>> Linux systemd-vps 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12)
>> x86_64 GNU/Linux
>>
>> bob@systemd-vps:~$ loginctl user-status alice
>> alice (1002)
>>    Since: Sun 2023-06-04 08:37:18 UTC; 2min 39s ago
>>    State: active
>> Sessions: *7
>>   Linger: no
>>     Unit: user-1002.slice
>>           ├─session-7.scope
>>           │ ├─1025 sshd: alice [priv]
>>           │ ├─1046 sshd: alice@pts/1
>>           │ ├─1047 -bash
>>           │ ├─1305 bash myapp.sh
>>           │ └─1306 sleep 5
>>           └─user@1002.service
>>             └─init.scope
>>               ├─1028 /lib/systemd/systemd --user
>>               └─1029 (sd-pam)
>>
>>
>>
>> bob@systemd-vps:~$ loginctl user-status root
>> root (0)
>>    Since: Sun 2023-06-04 09:43:03 UTC; 3min 45s ago
>>    State: active
>> Sessions: 5 *1
>>   Linger: no
>>     Unit: user-0.slice
>>           ├─session-1.scope
>>           │ ├─740 sshd: root@pts/0
>>           │ ├─765 -bash
>>           │ ├─769 su - bob
>>           │ ├─770 -bash
>>           │ ├─877 loginctl user-status root
>>           │ └─878 less
>>           ├─session-5.scope
>>           │ ├─820 sshd: root@pts/2
>>           │ ├─826 -bash
>>           │ └─872 sleep 100
>>           └─user@0.service
>>             └─init.scope
>>               ├─747 /lib/systemd/systemd --user
>>               └─748 (sd-pam)
>>
>>
>> Best regards,
>> Ante
>>
>
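
An added example, not part of the thread and not dbus-daemon's own code: a small Python evaluator that applies the policy file quoted above in the order dbus-daemon documents (default context, then group, then user, then mandatory) to show which callers can still reach GetUnitProcesses. The function name `verdict` and the sample callers are assumptions; at_console policies and wildcard matching are not modelled.

```python
import xml.etree.ElementTree as ET

# Policy file quoted in the thread, embedded so the example runs offline.
POLICY_XML = """<?xml version="1.0"?>
<busconfig>
  <policy user="root">
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager"
           send_member="GetUnitProcesses"/>
  </policy>
  <policy group="proc">
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager"
           send_member="GetUnitProcesses"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.freedesktop.systemd1"
          send_interface="org.freedesktop.systemd1.Manager"
          send_member="GetUnitProcesses"/>
  </policy>
</busconfig>"""

CALL = {  # the method call the policy targets
    "send_destination": "org.freedesktop.systemd1",
    "send_interface": "org.freedesktop.systemd1.Manager",
    "send_member": "GetUnitProcesses",
}

def verdict(xml_text, user, groups, call=CALL):
    """True = allowed, False = denied, None = no rule in this file matches."""
    policies = ET.fromstring(xml_text).findall("policy")
    # Order of application, regardless of order in the file; last match wins.
    stages = [
        lambda p: p.get("context") == "default",
        lambda p: p.get("group") in groups,
        lambda p: p.get("user") == user,
        lambda p: p.get("context") == "mandatory",
    ]
    result = None
    for stage in stages:
        for policy in filter(stage, policies):
            for rule in policy:
                matches = all(call.get(k) == v for k, v in rule.attrib.items())
                if rule.tag in ("allow", "deny") and matches:
                    result = rule.tag == "allow"
    return result

if __name__ == "__main__":  # constructed sample callers
    for user, groups in [("bob", {"bob"}), ("alice", {"alice", "proc"}), ("root", {"root"})]:
        print(user, verdict(POLICY_XML, user, groups))
```

A `None` result means this file leaves the call to whatever other policy files on the system bus decide.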