commit 527b3dc1df24ae6097fc5aa2fc6986a25799cecc

pyrox.dev / nixpkgs

lol

fork atom

hidepid module: detailed description to external doc

Joachim Fasting 9 years ago 527b3dc1 fa787da3

+45 -12

2 changed files

expand all

unified split

nixos

modules

security

hidepid.nix

hidepid.xml

+12 -12

nixos/modules/security/hidepid.nix

··· 2 with lib; 3 4 { 5 - options = { 6 - security.hideProcessInformation = mkEnableOption "" // { description = '' 7 - Restrict access to process information to the owning user. Enabling 8 - this option implies, among other things, that command-line arguments 9 - remain private. This option is recommended for most systems, unless 10 - there's a legitimate reason for allowing unprivileged users to inspect 11 - the process information of other users. 12 13 - Members of the group "proc" are exempt from process information hiding. 14 - To allow a service to run without process information hiding, add "proc" 15 - to its supplementary groups via 16 - <option>systemd.services.<name?>.serviceConfig.SupplementaryGroups</option>. 17 - ''; }; 18 }; 19 20 config = mkIf config.security.hideProcessInformation {

··· 2 with lib; 3 4 { 5 + meta = { 6 + maintainers = [ maintainers.joachifm ]; 7 + doc = ./hidepid.xml; 8 + }; 9 10 + options = { 11 + security.hideProcessInformation = mkOption { 12 + type = types.bool; 13 + default = false; 14 + description = '' 15 + Restrict process information to the owning user. 16 + ''; 17 + }; 18 }; 19 20 config = mkIf config.security.hideProcessInformation {

+33

nixos/modules/security/hidepid.xml

···

··· 1 + <chapter xmlns="http://docbook.org/ns/docbook" 2 + xmlns:xlink="http://www.w3.org/1999/xlink" 3 + xmlns:xi="http://www.w3.org/2001/XInclude" 4 + version="5.0" 5 + xml:id="sec-hidepid"> 6 + 7 + <title>Hiding process information</title> 8 + 9 + <para> 10 + Setting 11 + <programlisting> 12 + security.hideProcessInformation = true; 13 + </programlisting> 14 + ensures that access to process information is restricted to the 15 + owning user. This implies, among other things, that command-line 16 + arguments remain private. Unless your deployment relies on unprivileged 17 + users being able to inspect the process information of other users, this 18 + option should be safe to enable. 19 + </para> 20 + 21 + <para> 22 + Members of the <literal>proc</literal> group are exempt from process 23 + information hiding. 24 + </para> 25 + 26 + <para> 27 + To allow a service <replaceable>foo</replaceable> to run without process information hiding, set 28 + <programlisting> 29 + systemd.services.<replaceable>foo</replaceable>.serviceConfig.SupplementaryGroups = [ "proc" ]; 30 + </programlisting> 31 + </para> 32 + 33 + </chapter>