proc - process information, system information, and sysctl
pseudo-filesystem
The proc filesystem is a pseudo-filesystem which provides
an interface to kernel data structures. It is commonly mounted at
/proc. Typically, it is mounted automatically by the system, but it
can also be mounted manually using a command such as:
mount -t proc proc /proc
Most of the files in the proc filesystem are read-only, but
some files are writable, allowing kernel variables to be changed.
The proc filesystem supports the following mount
options:
- hidepid=n
(since Linux 3.3)
- This option controls who can access the information in /proc/pid
directories. The argument, n, is one of the following values:
- 0
- Everybody may access all /proc/pid directories. This is the
traditional behavior, and the default if this mount option is not
specified.
- 1
- Users may not access files and subdirectories inside any /proc/pid
directories but their own (the /proc/pid directories themselves
remain visible). Sensitive files such as /proc/pid/cmdline
and /proc/pid/status are now protected against other users.
This makes it impossible to learn whether any user is running a specific
program (so long as the program doesn't otherwise reveal itself by its
behavior).
- 2
- As for mode 1, but in addition the /proc/pid directories belonging
to other users become invisible. This means that /proc/pid entries
can no longer be used to discover the PIDs on the system. This doesn't
hide the fact that a process with a specific PID value exists (it can be
learned by other means, for example, by "kill -0 $PID"), but it
hides a process's UID and GID, which could otherwise be learned by
employing stat(2) on a /proc/pid directory. This greatly
complicates an attacker's task of gathering information about running
processes (e.g., discovering whether some daemon is running with elevated
privileges, whether another user is running some sensitive program,
whether other users are running any program at all, and so on).
- gid=gid (since
Linux 3.3)
- Specifies the ID of a group whose members are authorized to learn process
information otherwise prohibited by hidepid (i.e., users in this
group behave as though /proc was mounted with hidepid=0).
This group should be used instead of approaches such as putting nonroot
users into the sudoers(5) file.
Underneath /proc, there are the following general groups of
files and subdirectories:
- /proc/pid subdirectories
- Each one of these subdirectories contains files and subdirectories
exposing information about the process with the corresponding process
ID.
- Underneath each of the /proc/pid directories, a task
subdirectory contains subdirectories of the form task/tid, which
contain corresponding information about each of the threads in the
process, where tid is the kernel thread ID of the thread.
- The /proc/pid subdirectories are visible when iterating through
/proc with getdents(2) (and thus are visible when one uses
ls(1) to view the contents of /proc).
- /proc/tid subdirectories
- Each one of these subdirectories contains files and subdirectories
exposing information about the thread with the corresponding thread ID.
The contents of these directories are the same as the corresponding
/proc/pid/task/tid directories.
- The /proc/tid subdirectories are not visible when iterating
through /proc with getdents(2) (and thus are not
visible when one uses ls(1) to view the contents of
/proc).
- /proc/self
- When a process accesses this magic symbolic link, it resolves to the
process's own /proc/pid directory.
- /proc/thread-self
- When a thread accesses this magic symbolic link, it resolves to the
process's own /proc/self/task/tid directory.
- /proc/[a-z]*
- Various other files and subdirectories under /proc expose
system-wide information.
All of the above are described in more detail below.
Many files contain strings (e.g., the environment and command
line) that are in the internal format, with subfields terminated by null
bytes ('\0'). When inspecting such files, you may find that the results are
more readable if you use a command of the following form to display
them:
$ cat file | tr '\000' '\n'
cat(1), dmesg(1), find(1), free(1),
htop(1), init(1), ps(1), pstree(1),
tr(1), uptime(1), chroot(2), mmap(2),
readlink(2), syslog(2), slabinfo(5), sysfs(5),
hier(7), namespaces(7), time(7), arp(8),
hdparm(8), ifconfig(8), lsmod(8), lspci(8),
mount(8), netstat(8), procinfo(8), route(8),
sysctl(8)
The Linux kernel source files:
Documentation/filesystems/proc.rst,
Documentation/admin-guide/sysctl/fs.rst,
Documentation/admin-guide/sysctl/kernel.rst,
Documentation/admin-guide/sysctl/net.rst, and
Documentation/admin-guide/sysctl/vm.rst.