
I'd like to list running processes (like with ps or top), but there is no procfs mounted.

The procfs not being mounted is intentional, and is meant to prevent malicious users from accessing system information.

Is there a way I could still list running processes, or is that plain impossible?

I'm running Linux 3.16.

blue112

3 Answers

4

Not mounting procfs sounds like a mistake. It doesn't really improve security, and Linux is designed to have /proc mounted. In particular, as you've found, /proc is how you find information about processes (on Linux, ps is just a pretty-printer for information found under /proc).

If you have a good reason to prevent some applications from accessing /proc, run them in a container or a namespace. Do mount /proc at the root, and leave it out of the namespace.

2

ps gets all its information from the mounted procfs, so without procfs there is no source for that information. The only option I see is to mount proc for the ps/top call and then unmount it; that minimizes the risk.

chaos
  • Ok, so it's not possible using ps. But could I do it with a syscall, for instance? – blue112 Mar 25 '15 at 10:05
  • The system calls ps or top use are simple open and read syscalls against the /proc/PID/* files. So there are no other system calls you could use. – chaos Mar 25 '15 at 10:12
  • If the application is able to mount /proc then there's no security to gain by not leaving it mounted all the time. Not that leaving it mounted all the time is risky, but mounting it on demand adds additional complexity and provides zero benefit — and adding complexity is never good for security. @blue112 – Gilles 'SO- stop being evil' Mar 26 '15 at 00:09
2

The procfs not being mounted is intentional, and is meant to prevent malicious users from accessing system information.

Not having procfs mounted is not the only possible way to achieve that.

You can mount procfs with the hidepid=2 option so that unprivileged users see only their own processes, which hides a lot of information about the system. See proc(5) for details about this option.

To limit access to procfs further (as it contains information not only about processes but also files like cpuinfo, modules etc., and hidepid doesn't hide these parts), you can set a restricted mode on the mount point, like 0711 or even 0700. Given that the owner of /proc is root, only root would be allowed to access procfs in the latter case. This means that you can use ps, top, htop etc. and inspect /proc/mdstat, for example, but only when logged in as root; other users can't, and would get a "permission denied" error when trying to access /proc.

Also I don't recommend leaving your system without procfs at all, as a lot of programs rely on it being mounted (not only ps).
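The point made in the second answer (ps is nothing but a reader of /proc/PID/*) and the access modes described in the third (hidepid=2, a 0700 mount point, or no procfs at all) can be shown together with a small "ps" of our own. The following is an added example, not code from the question or any of the answers. It reads /proc/PID/status the way ps does, reports clearly when there is no procfs at the given root or the mount point is unreadable, and silently skips PIDs it is not allowed to read, which is what hidepid produces. The build_fake_proc helper writes a constructed stand-in procfs tree into a temporary directory so the example runs offline on any host; the PID numbers, names and UIDs in it are made up.

```python
"""Minimal ps over /proc/PID/status (added example, not from the original post)."""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

STATUS_FILE = "status"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    uid: int
    state: str
    comm: str


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:\\tvalue' lines of /proc/PID/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def list_processes(proc_root: str = "/proc") -> List[Proc]:
    """Enumerate the processes the caller is allowed to see under proc_root.

    No procfs at proc_root   -> FileNotFoundError: there is no other source.
    proc_root mounted 0700   -> PermissionError for non-root callers (propagated).
    hidepid=2                -> other users' PIDs are simply absent from the
                                directory listing, so only the caller's own appear.
    hidepid=1 / exited PID   -> the status file cannot be opened; skipped.
    """
    try:
        entries = os.listdir(proc_root)
    except FileNotFoundError:
        raise FileNotFoundError(f"{proc_root}: no procfs mounted here") from None
    procs: List[Proc] = []
    for name in entries:
        if not name.isdigit():  # cpuinfo, mdstat, modules, sys, ... are not PIDs
            continue
        path = os.path.join(proc_root, name, STATUS_FILE)
        try:
            with open(path, encoding="ascii", errors="replace") as f:
                st = parse_status(f.read())
        except (FileNotFoundError, PermissionError):
            continue
        procs.append(Proc(
            pid=int(name),
            ppid=int(st.get("PPid", "0")),
            uid=int(st.get("Uid", "0").split()[0]),  # real uid is first of four
            state=st.get("State", "?").split()[0],   # 'S (sleeping)' -> 'S'
            comm=st.get("Name", "?"),
        ))
    return sorted(procs, key=lambda p: p.pid)


def format_ps(procs: List[Proc]) -> str:
    """Pretty-print like `ps -eo pid,ppid,uid,stat,comm`."""
    lines = ["%7s %7s %5s %4s %s" % ("PID", "PPID", "UID", "STAT", "COMMAND")]
    lines += ["%7d %7d %5d %4s %s" % (p.pid, p.ppid, p.uid, p.state, p.comm)
              for p in procs]
    return "\n".join(lines)


def build_fake_proc(entries: Dict[int, Dict[str, str]], root: Optional[str] = None) -> str:
    """Constructed stand-in for a procfs tree (not a real /proc), so the
    example runs offline. Writes one status file per PID plus a non-PID
    entry (cpuinfo) and one PID directory without a status file, mimicking
    a process that exited between listdir and open."""
    root = root or tempfile.mkdtemp(prefix="fakeproc-")
    with open(os.path.join(root, "cpuinfo"), "w") as f:
        f.write("processor\t: 0\n")
    for pid, fields in entries.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, STATUS_FILE), "w") as f:
            f.write("".join(f"{k}:\t{v}\n" for k, v in fields.items()))
    os.makedirs(os.path.join(root, "999"), exist_ok=True)  # exited-process race
    return root


if __name__ == "__main__":
    import sys
    try:
        print(format_ps(list_processes(sys.argv[1] if len(sys.argv) > 1 else "/proc")))
    except (FileNotFoundError, PermissionError) as e:
        sys.exit(f"ps: {e}")
```

Run it without arguments on a normal Linux host and it lists what `ps -eo pid,ppid,uid,stat,comm` would; run it as an unprivileged user on a host with `hidepid=2` and only your own PIDs come back; point it at a directory with no procfs and it fails with "no procfs mounted here", which is the questioner's situation and has no workaround short of mounting proc.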