<chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-hidepid">

<title>Hiding process information</title>

<para>
Setting
<programlisting>
security.hideProcessInformation = true;
</programlisting>
ensures that access to process information is restricted to the
owning user. This implies, among other things, that command-line
arguments remain private. Unless your deployment relies on unprivileged
users being able to inspect the process information of other users, this
option should be safe to enable.
</para>

<para>
Members of the <literal>proc</literal> group are exempt from process
information hiding.
</para>

<para>
To allow a service <replaceable>foo</replaceable> to run without process information hiding, set
<programlisting>
systemd.services.<replaceable>foo</replaceable>.serviceConfig.SupplementaryGroups = [ "proc" ];
</programlisting>
</para>

</chapter>
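As an added check, not part of the NixOS manual or the NixOS module itself: a POSIX shell script that classifies the mount options of /proc to confirm whether process hiding is in effect and which group id is exempt from it. It assumes that enabling the option above mounts /proc with hidepid=2 and gid=<gid of the proc group>, that findmnt from util-linux is available for the live check, and that the sample option string (gid 26) is a constructed value.

```sh
#!/bin/sh
# Added example (not from the NixOS manual): verify process-information
# hiding by reading the mount options of /proc.
# Assumption: security.hideProcessInformation mounts /proc with
# hidepid=2 and gid=<gid of the proc group>.
#
# hidepid=1 / noaccess   : other users' /proc/<pid> dirs exist but are unreadable
# hidepid=2 / invisible  : other users' processes do not appear in /proc at all
# hidepid=4 / ptraceable : only processes the caller could ptrace are visible
# gid=<n>                : members of group <n> see everything (the "proc" group)

# Classify one comma-separated option string as reported by findmnt/mount.
# Prints "hidepid=<value>" plus " exempt-gid=<n>" when a gid= override is set.
hidepid_status() {
  opts=$1
  hidepid=0
  gid=""
  old_ifs=$IFS
  IFS=,
  for opt in $opts; do
    case $opt in
      hidepid=*) hidepid=${opt#hidepid=} ;;
      gid=*)     gid=${opt#gid=} ;;
    esac
  done
  IFS=$old_ifs
  case $hidepid in
    0|off)
      printf 'hidepid=0\n' ;;                  # hiding is NOT in effect
    1|noaccess|2|invisible|4|ptraceable)
      if [ -n "$gid" ]; then
        printf 'hidepid=%s exempt-gid=%s\n' "$hidepid" "$gid"
      else
        printf 'hidepid=%s\n' "$hidepid"       # hiding with no exempt group
      fi ;;
    *)
      printf 'hidepid=unknown(%s)\n' "$hidepid" ;;
  esac
}

# Live check: read the options of the current /proc mount (needs findmnt).
check_proc_mount() {
  hidepid_status "$(findmnt -no OPTIONS /proc)"
}

# Constructed sample of what a host with the option enabled might report
# (gid 26 is a made-up value standing in for the proc group's gid).
sample='rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=26'
hidepid_status "$sample"   # prints: hidepid=2 exempt-gid=26
```

Run check_proc_mount on the host to compare the live /proc options against the expected hidepid=2 plus a gid= entry; a result of hidepid=0 means the option is not actually in effect on the running system.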