Is it possible to 'hide' a process from the listing of `ps` or `top` on Linux
Solution 1
Well, you have a couple of options here. Taking the easy way out would be to swap the ps and top programs out with modified versions that hide what it is you want to hide.
The alternative would be to run your code embedded in an existing process, or write a wrapper-script around your code with an innocuous name.
In some versions of `ps`, you can modify it by changing argv[], but not sure if that works for top, and not sure if it works in Linux (it's mainly a BSD convention).
It all depends on exactly what you are looking to achieve by doing this.
Solution 2
According to kernel patch http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201, you can use the hidepid option for the proc filesystem:
hidepid=0 (default) means the old behavior - anybody may read all world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/PID/ directories, but their own. Sensitive files like cmdline, sched*, status are now protected against other users. As permission checking done in proc_pid_permission() and files' permissions are left untouched, programs expecting specific files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other users. It doesn't mean that it hides whether a process exists (it can be learned by other means, e.g. by kill -0 $PID), but it hides process' euid and egid. It complicates intruder's task of gathering info about running processes, whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info (as in hidepid=0 mode). This group should be used instead of putting nonroot user in sudoers file or something. However, untrusted users (like daemons, etc.) which are not supposed to monitor the tasks in the whole system should not be added to the group.
You are not able to control visibility at the process level; however, you can ensure that your users can see their own processes only.
If you have a kernel version greater than 3.3, you can try the following command:
`mount /proc -o remount,hidepid=2`
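To check which mode a host is actually running in, the following added example (not part of the original answer) reads a mounts table and reports the `hidepid` level and exempt `gid` for `/proc`. The function name `proc_hidepid` and the sample table are constructed for illustration; newer kernels report the level by name (for example `invisible` instead of `2`), which the script maps back to the numbers used above.

```shell
#!/bin/sh
# Added example, not part of the original answer.

# proc_hidepid [MOUNTS_FILE]: print "hidepid=<level> gid=<gid|none>" for /proc.
# MOUNTS_FILE uses the /proc/mounts format and defaults to /proc/mounts.
proc_hidepid() {
    mounts_file=${1:-/proc/mounts}
    opts=
    # Fields: device, mount point, fs type, options, dump, pass.
    while read -r _dev mnt fstype mopts _rest; do
        if [ "$mnt" = /proc ] && [ "$fstype" = proc ]; then opts=$mopts; fi
    done < "$mounts_file"
    level=0     # option absent: the default, hidepid=0
    gid=none    # no exempt group configured
    old_ifs=$IFS; IFS=,
    for opt in $opts; do
        case $opt in
            hidepid=*) level=${opt#hidepid=} ;;
            gid=*)     gid=${opt#gid=} ;;
        esac
    done
    IFS=$old_ifs
    # Newer kernels report the level by name; map the three levels described
    # above back to numbers. Other values pass through unchanged.
    case $level in
        off)        level=0 ;;
        noaccess)   level=1 ;;
        invisible)  level=2 ;;
    esac
    echo "hidepid=$level gid=$gid"
}

# Constructed sample table standing in for /proc/mounts.
sample=$(mktemp)
printf '%s\n' \
    'sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0' \
    'proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=27,hidepid=invisible 0 0' \
    > "$sample"
proc_hidepid "$sample"    # prints: hidepid=2 gid=27
rm -f "$sample"
```

Called without an argument, `proc_hidepid` reads the live `/proc/mounts`.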
Solution 3
The option described in this link worked for me. In that link, the author is hiding a process called `evil_script.py`.
I'm pasting the content here just in case the link goes down:
- First, create a file named processhider.c with the content found in this link: processhider.c
- Compile the code with:
  `gcc -Wall -fPIC -shared -o libprocesshider.so processhider.c -ldl`
- Move the library with:
  `sudo mv libprocesshider.so /usr/local/lib/`
- Tell the dynamic linker to use it:
  `echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload`
That is it. If you now run `ps faux` you won't see any process called `evil_script.py`.
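From the defender's side, the change described above leaves two traces: an entry in `/etc/ld.so.preload`, and PIDs that resolve under `/proc` but are missing from the `ps` listing. The following check is an added example, not code from the original answer or the linked project; it assumes the library filters only the directory listing of `/proc`, and the function names and the demo tree are constructed.

```shell
#!/bin/sh
# Added example (defensive check), not code from the answer or the linked project.

# preload_entries [FILE]: print active (non-comment) lines of ld.so.preload.
# The file is absent on most systems, so any entry deserves review.
preload_entries() {
    f=${1:-/etc/ld.so.preload}
    if [ -r "$f" ]; then
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true
    fi
}

# hidden_pids LISTED_FILE [PROC_ROOT] [MAX_PID]
# LISTED_FILE holds one PID per line, e.g. from: ps -e -o pid= > listed
# Prints PIDs that resolve under PROC_ROOT but are absent from the listing.
hidden_pids() {
    listed=$1; root=${2:-/proc}; max=${3:-}
    if [ -z "$max" ]; then max=$(cat "$root/sys/kernel/pid_max"); fi
    pid=1
    while [ "$pid" -le "$max" ]; do
        # Direct path lookup, no directory read: assumed not to be filtered
        # by a library that only hides entries from the /proc listing.
        if [ -r "$root/$pid/status" ]; then
            # /proc/<tid> resolves for threads too; keep thread-group leaders.
            tgid=$(sed -n 's/^Tgid:[[:space:]]*//p' "$root/$pid/status" 2>/dev/null)
            if [ "$tgid" = "$pid" ] && ! grep -qx "[[:space:]]*$pid" "$listed"; then
                echo "$pid"   # re-check: may be a process started after the listing
            fi
        fi
        pid=$((pid + 1))
    done
}

# Constructed demo tree: 1 and 42 are processes, 43 is a thread of 42.
demo=$(mktemp -d)
for p in 1 42 43; do mkdir "$demo/$p"; done
printf 'Tgid:\t1\n'  > "$demo/1/status"
printf 'Tgid:\t42\n' > "$demo/42/status"
printf 'Tgid:\t42\n' > "$demo/43/status"
printf '    1\n' > "$demo/listed"       # constructed listing that shows only PID 1
hidden_pids "$demo/listed" "$demo" 50  # prints 42
rm -rf "$demo"
```

On a live host, run as root `ps -e -o pid= > listed` followed by `hidden_pids listed`; a full scan up to `pid_max` in plain shell takes a while.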
David Yates
Updated on September 17, 2022
Comments
-
David Yates almost 2 years
First, I presume that if this is possible it would need to be done as root (or as a user who shares root's UID of 0).
How can a process be launched so that it does not show up in a `ps aux` or `ps ef` or `top` listing if the command is run by non-root? Is this even possible?
The distributions I typically run are RHEL/CentOS and Ubuntu - so if there is a distro-specific answer, that's ok, too.
-
Admin over 13 years
warren: Ever find a solution to this?
-
Admin over 13 years
@Chris - nope... @fianchetto's answer seems to be the only route, and that's a lot more work than I'm comfortable undertaking :-|
-
Admin over 13 years
I am going to undertake this project and will report back with anything I determine.
-
David Yates over 13 years
my goal here is for processes spawned by root to not be visible to all users (perhaps security-related daemons or similar)
-
Brōtsyorfuzthrāx over 8 years
@flanchetto So, are you saying if I have a program that is already running and it later runs a command-line command with a password in it in the same process that the password will be securely given? e.g. run `python myScript.py` and all the `subprocess.Popen` commands (which may or may not contain passwords) are not shown, as long as it's the same process?
-
Brōtsyorfuzthrāx over 8 years
Can you limit the `hidepid=2` thing so it only affects specific users (or so it whitelists certain users)?
-
Brōtsyorfuzthrāx over 8 years
Anyway, that doesn't work (I just tried it and saw the password). So, I'm assuming you mean something else. Feel free to clarify. :)
-
lepe almost 8 years
Works great! My problem was that I'm connecting to a server using a cron script and any user was able to see the credentials using "htop" (for example). Setting to "hidepid=2" users can not see processes launched by other users which is what I was looking for. Why is it not set by default?
-
David Yates over 7 years
That only hides something in my view
-
Florian Wendelborn over 7 years
@lepe probably for legacy reasons. Would break this and that and therefore can't (yet) be used everywhere.
-
phil294 about 7 years
OP asked for the pid to be invisible overall, not just to other users ...?
-
Avery235 over 6 years
Is there a way to hide processes created by certain users only? e.g. `root`?