diff options
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/hidepid.nix | 24 | ||||
-rw-r--r-- | nixos/modules/security/hidepid.xml | 33 |
2 files changed, 45 insertions, 12 deletions
diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix index 8f2df380cfe86..ee351eb84473d 100644 --- a/nixos/modules/security/hidepid.nix +++ b/nixos/modules/security/hidepid.nix @@ -2,19 +2,19 @@ with lib; { - options = { - security.hideProcessInformation = mkEnableOption "" // { description = '' - Restrict access to process information to the owning user. Enabling - this option implies, among other things, that command-line arguments - remain private. This option is recommended for most systems, unless - there's a legitimate reason for allowing unprivileged users to inspect - the process information of other users. + meta = { + maintainers = [ maintainers.joachifm ]; + doc = ./hidepid.xml; + }; - Members of the group "proc" are exempt from process information hiding. - To allow a service to run without process information hiding, add "proc" - to its supplementary groups via - <option>systemd.services.<name?>.serviceConfig.SupplementaryGroups</option>. - ''; }; + options = { + security.hideProcessInformation = mkOption { + type = types.bool; + default = false; + description = '' + Restrict process information to the owning user. + ''; + }; }; config = mkIf config.security.hideProcessInformation { diff --git a/nixos/modules/security/hidepid.xml b/nixos/modules/security/hidepid.xml new file mode 100644 index 0000000000000..5715ee7ac165b --- /dev/null +++ b/nixos/modules/security/hidepid.xml @@ -0,0 +1,33 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-hidepid"> + + <title>Hiding process information</title> + + <para> + Setting + <programlisting> + security.hideProcessInformation = true; + </programlisting> + ensures that access to process information is restricted to the + owning user. This implies, among other things, that command-line + arguments remain private. Unless your deployment relies on unprivileged + users being able to inspect the process information of other users, this + option should be safe to enable. + </para> + + <para> + Members of the <literal>proc</literal> group are exempt from process + information hiding. + </para> + + <para> + To allow a service <replaceable>foo</replaceable> to run without process information hiding, set + <programlisting> + systemd.services.<replaceable>foo</replaceable>.serviceConfig.SupplementaryGroups = [ "proc" ]; + </programlisting> + </para> + +</chapter> |