Roscoe Skeens - My Blog

Not all Features are Capabilities

Roscoe Skeens - My Blog — Sun, 01 Mar 2026 00:00:00 GMT

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://blog.rskeens.com/blog/not-all-features-are-capabilities/

Web hosting service providers list features but many are not their own solutions.

Web hosts capable of engineering their own platform gain control of their destiny but the level of technical expertise needed to develop such a platform is out of reach for most, which is off the shelf solutions such as cPanel are so common.

A provider's technical competence is a direct correlation to how much of their platform is their own. This extends further than developing an in house solution from scratch, it can even include the inability for basic research to understand and configure already existing open source solutions - many of which are better than commercial options.

Commercial platforms such as cPanel are increasingly expensive to licence. In addition there are secondary commercial solutions such as the LiteSpeed web server and JetBackup. These are foundational components to web servers yet they are outsourced when better open source solutions exist. Web hosts should be at a minimum be able to implement these features in house yet can't because they do not view themselves as tech companies.

It should be a strategic priority for web host providers to replace cPanel. Depending on the fleet size, the licence fees can certainly offset engineering salaries. Gain a "free" engineer along with a more modern and custom platform. It seems an impossible task for these providers because their talent pool is misaligned to that or similar objective.

cPanel is no longer a strong selling point and customers are now used to custom platforms. A more powerful custom platform with reward of no price increases should hopefully become more standard.

How much of your platform is outsourced? Web hosts should be more commonly viewed as tech companies because that is what they are.

SELinux Based Isolation

Roscoe Skeens - My Blog — Sun, 05 Oct 2025 00:00:00 GMT

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://blog.rskeens.com/blog/isolation-using-selinux/

SELinux (Security-Enhanced Linux) is one of the most powerful tools to manage user space access control, although it can be particularly complex to implement. A very steep learning curve causes it to be usually overlooked. The web hosting industry hardly ever uses SELinux, especially when products like cPanel requires it to be disabled.

Traditional access control in the simplest terms, that being users and groups can be referred to as "Discretionary Access Control" (DAC). In contrast, SELinux offers the ability to add a layer of "Mandatory Access Control" (MAC). Even if a process has relevant user and permissions, SELinux can still block unauthorised actions. As an added bonus, all blocked actions are logged. The added observability alone could be reason enough to build around it.

Shown is an example of php-fpm for two sites selinux.rskeens.com and private.rskeens.com. DAC based tightening with open_basedir is effective and almost every web host will leave it at that because it is simple and straight forward. Perhaps even housing each site in a container will be considered in an effort to achieve even stronger isolation.

Since we are using php-fpm, we need a new SELinux domain to initiate per pool, making systemd a great option. Otherwise if those processes were forked, then they would normally all inherit the same SELinux domain.

Once php-fpm is set up with the pool as its own service, we need two categories of config files:

Type Enforcement (.te) = define policy rules against labeled subjects / objects.
File Contexts (.fc) = map filesystem paths to labels.

Let us start with a very basic Type Enforcement file for selinux.rskeens.com:

policy_module(selinux_rskeens_com, 1.0)

require {
  class file { read getattr open map };
  class dir { read getattr search open };
  class sock_file { create write read append getattr unlink };
}

type selinux_rskeens_com_php_t;
type selinux_rskeens_com_php_exec_t;

type selinux_rskeens_com_docroot_t;
files_type(selinux_rskeens_com_docroot_t)

type selinux_rskeens_com_socket_t;
files_pid_file(selinux_rskeens_com_socket_t)

allow selinux_rskeens_com_php_t selinux_rskeens_com_docroot_t:dir { read getattr search open };
allow selinux_rskeens_com_php_t selinux_rskeens_com_docroot_t:file { read getattr open map };

manage_files_pattern(selinux_rskeens_com_php_t, selinux_rskeens_com_socket_t, selinux_rskeens_com_socket_t)
manage_sock_files_pattern(selinux_rskeens_com_php_t, selinux_rskeens_com_socket_t, selinux_rskeens_com_socket_t)
files_pid_filetrans(selinux_rskeens_com_php_t, selinux_rskeens_com_socket_t, { file sock_file })

init_daemon_domain(selinux_rskeens_com_php_t, selinux_rskeens_com_php_exec_t)

The syntax can be intimidating at first but we now have a quite beautiful layout for the service via init_daemon_domain comprising of php type selinux_rskeens_com_php_t with exec selinux_rskeens_com_php_exec_t plus document root selinux_rskeens_com_docroot_t and even socket file selinux_rskeens_com_socket_t. Real world setups would have more complex configurations to adjust mutability per path such as uploads, sessions and logs.

Now that we have selinux_rskeens_com policy, we can move on to the File Contexts file:

/usr/sbin/php-fpm-selinux-rskeens-com -- gen_context(system_u:object_r:selinux_rskeens_com_php_exec_t,s0)
/srv/www/selinux.rskeens.com(/.*)?	     gen_context(system_u:object_r:selinux_rskeens_com_docroot_t,s0)
/run/php-selinux-rskeens-com\.sock       gen_context(system_u:object_r:selinux_rskeens_com_socket_t,s0)

Everything is now ready to compile a Policy Package (.pp) file:

make -f /usr/share/selinux/devel/Makefile selinux_rskeens_com.pp
Compiling targeted selinux_rskeens_com module
Creating targeted selinux_rskeens_com.pp policy package

Even if a Policy Package file successfully compiles, its usability is still not certain until semodule is used. This is admittedly frustrating and can make debugging difficult. Fortunately everything works well for us:

semodule -i selinux_rskeens_com.pp

A final implementation step requires contexts to be restored, this is done using restorecon:

restorecon -Rv /usr/sbin/php-fpm-selinux-rskeens-com \
/srv/www/selinux.rskeens.com

Relabeled /srv/www/selinux.rskeens.com from unconfined_u:object_r:httpd_sys_content_t:s0 to unconfined_u:object_r:selinux_rskeens_com_docroot_t:s0
Relabeled /srv/www/selinux.rskeens.com/index.html from unconfined_u:object_r:httpd_sys_content_t:s0 to unconfined_u:object_r:selinux_rskeens_com_docroot_t:s0
Relabeled /srv/www/selinux.rskeens.com/info.php from unconfined_u:object_r:httpd_sys_content_t:s0 to unconfined_u:object_r:selinux_rskeens_com_docroot_t:s0
Relabeled /srv/www/selinux.rskeens.com/test.php from unconfined_u:object_r:httpd_sys_content_t:s0 to unconfined_u:object_r:selinux_rskeens_com_docroot_t:s0

Service php-fpm-selinux-rskeens-com can then be restarted. Check the setup:

ps -eZ | grep php
system_u:system_r:selinux_rskeens_com_php_t:s0 40639 ? 00:00:00 php-fpm-selinux
system_u:system_r:selinux_rskeens_com_php_t:s0 40640 ? 00:00:00 php-fpm-selinux
system_u:system_r:selinux_rskeens_com_php_t:s0 40641 ? 00:00:00 php-fpm-selinux
system_u:system_r:selinux_rskeens_com_php_t:s0 40642 ? 00:00:00 php-fpm-selinux
system_u:system_r:selinux_rskeens_com_php_t:s0 40643 ? 00:00:00 php-fpm-selinux
system_u:system_r:selinux_rskeens_com_php_t:s0 40644 ? 00:00:00 php-fpm-selinux

Looks good. Now a test can be performed by attempting to read the contents of private file secret of document root private.rskeens.com from selinux.rskeens.com:

type=AVC msg=audit(1759666772.576:14792): avc:  denied  { open } for  pid=40846 comm="php-fpm-selinux" path="/srv/www/private.rskeens.com/secret" dev="sda1" ino=133665 scontext=system_u:system_r:selinux_rskeens_com_php_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1759666772.576:14792): avc:  denied  { read } for  pid=40846 comm="php-fpm-selinux" name="secret" dev="sda1" ino=133665 scontext=system_u:system_r:selinux_rskeens_com_php_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=

At this point extensive testing should first be done with permissive mode remaining active. There will be a lot of tweaks needed but eventually the setup will be working perfectly.

Once ready, switch to enforce mode by editing /etc/selinux/config to set SELINUX=enforcing. Reboot the system and use the command getenforce to be absolutely certain enforcement is live across system restarts.

Work Culture Predicts Innovation

Roscoe Skeens - My Blog — Thu, 24 Jul 2025 00:00:00 GMT

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://blog.rskeens.com/blog/work-culture-predicts-innovation/

It could be thought that the availability of talent proportionately determines the level of innovation accomplished at a workplace but that are other influential modifiers. The most common which comes to mind is office politics but there is an even greater cultural effect.

The simplest categories can be either "Just Culture" or "Blame Culture". Let's briefly describe each:

Just culture is a concept related to systems thinking which emphasizes that mistakes are generally a product of faulty organizational cultures, rather than solely brought about by the person or persons directly involved. In a just culture, after an incident, the question asked is, "what went wrong?" rather than "who caused the problem?".

In a blame culture, problem-solving is replaced by blame avoidance. Blame generates "fear, errors, accidents and passive-aggression" with those feeling powerless and lacking emotional safety. Organisational chaos, such as confused roles and responsibilities, is strongly associated with blame culture.

A seasoned engineering team exhibits open discussion about new developments and areas to leverage them. Any failure, even if significant does not stir panic. A controlled communication with elements of maturity founded from experience forms with focus entirely on the problem.

The individuals with the rarest and most sought after tech talent enjoy systems thinking. Something which should not have happened did and the follow up investigation is enjoyable because it builds a hypothesis which tests their knowledge. Any individual responsible is completely irrelevant because the situation presents an opportunity to add any missing guard rails and generally improve the product.

The most valuable concepts such as experimentation and providing opinions shift from discovery to instead bearing risk.

Businesses which benefit greatly from innovation and technological advancement, especially when developed in house are set up to fail with a blame culture.

Malware Pattern Matching

Roscoe Skeens - My Blog — Wed, 23 Jul 2025 00:00:00 GMT

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://blog.rskeens.com/blog/malware-pattern-matching/

Obfuscated malware code can be challenging to detect, let alone read. The era of generative language models empowers malware authors to increase the level of obfuscation with ease. When confronted with a newly discovered sample, it is the security researcher's responsibility to create a suitable signature so to improve the rate of detection.

Currently the most popular method of PHP malware obfuscation is use of randomly generated comments. A preview of just how aggressive this technique can be shown below:

<?php /*d&m-(H@AnJ#(F5+*/parse_str#U=~LxnADRDY!:3Y@f!`m!"aGcz
(/*A4y4,bzBv}f0.-TKoj(WG}WEr*///|lvjIKl_qyh=l|*/Dib22$rt>"M3BHpZFKo($p
'0'//RV (H# r=I}sR6#?xGf{pI3},8"*,C:V`dV&+k n<T.V
.//hOPD5,EEl>D8pRU22gRx1HC`^Sb.|UWW
'=' #;&AGT9I>6}P.vxwE\?O #
.#R'eaw99\=~&[g[VeJ~iV,K+5!oX<nN^rh8:SUNxGI!W&*2c
'%'/*4Bd2WS$xZfdxSlci''MUIF}t@,cp!)[#/]2R*/./*y;C_B2e!DL%t(=18(JJXL*crn~*/'6' 	//cr+@9aoHZ;3}ow%|R9grk
.#QTOgvGg0Jt4Cw1e>x"]NW
'1'/*Rp\PbMfd\2pV1|Tia;zU )\\Krb5vWf$abp>^1[h*/.  #&8&#8aJ?,"FVa6QN9jt;
'%'/*::x%_|c.9=8O%r:GOf iUR.td*/.#@yd(?allny0mL.xA*<^*'pK>5iwbuS,Lx+bA`
'7'/*gl/vx=)Gnl*'SP*/./*+:6=sY0$NE-}0N*b^5S</KFCDQ0 U9nmG"lr.^*/'2'/*N1\`D "E_$#s29;o=.pOp^>X.7l='vt*/. #ElB3\^V*@sWB/ms%<<HkN`a^
'%'// e] ,zLTRhk7%-4k#SoH=y6p6m
.//;Jv?ZUoG*Ajop"Y
'7'//'}Hc@&'1niOuNbE2lz wf+"Gj;`Rr%bYOP<M
. //Op^xtDgO3#9~k;:ZO*D*_za_-jj"7(gFq
'2'#=M4UG E;TqouT#++h}@0"a*h
.  /*Ni#q~:,%H%mg~z*/'%'//=ATw{[?49C}Q%T+U`\nT}Xa4=tmi
./*utbvA".J3C6f;wSP{~&wbtyo7HHlD>s<5j+<ATQ8qov/?@[*/'6'#0Q,(Iy^%ze}CW5W,S9JwS4!p
;/*i0nDEG4u}$+*/@/*88I>p:f^Ynsgfeo1~A&&VQS~3Xf$(F[m{;^G"*/eval	/*>z-NHKm9.09~byL9k)s/]OM:}Nfd"uZ&N*/(#UWtZC$]1"'36{Fv9:7Z5V=]Xxoq?z

Imagine being a responder to a website which has been affected by this malware, especially if not from a security background. What would the search pattern be for a yara rule or even plain grep? A first take might assume the starting numbers such as '0', '1' or '7' which is a perfectly valid observation. Perhaps the exposed eval?

The true weakness is abundance of /* */ PHP comments. These comments are randomly generated and placed but this otherwise powerful strategy will be used against it.

First, we must ensure the regex is as simple and optimal as possible. In this case $re = /\/\*\S{5,25}\*\// is perfect. It is extraordinarily rare for legitimate PHP comments to not contain whitepaces defined in flowerpot styling, especially groups of them.

The next requirement is to ensure there are at least two such comments per line. This could be achieved using regex alone but that is not as resource efficient as using conditional yara logic operators. Here is the condition:

condition:
  #re > 1 and
  @re[2] - (@re[1] + !re[1]) <= 64

The number of comment occurrences must be at least two, which for this malware is certain. It then compares the distance between the detections with a 64 byte threshold to ensure close proximity. It doesn't guarantee to be on the same line but that is not a strict requirement.

A single clean and concise expression in combination with built in yara conditions results in a powerful rule which can not only detect this specific sample but varients of it with immense accuracy. No other aspects of the malware need consideration. It can even detect entirely entirely different malware as long as the same commonly used obfuscation technique is involved.

There is no need for overly complex rules when the power of yara is fully understood. It is not a regex only finite state machine.

Backup of Last Resort

Roscoe Skeens - My Blog — Wed, 16 Apr 2025 00:00:00 GMT

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://blog.rskeens.com/blog/backup-of-last-resort/

The web hosting industry is increasingly entering an truly unfortunate "profit center" trend. What was once universally standard features have become optional add - on services. Security and backups appear to be most commonly affected. Let's discuss backups.

There is a term used in finance called "lender of last resort" Wikipedia

In public finance, a lender of last resort (LOLR) is the institution in a financial system that acts as the provider of liquidity to a financial institution which finds itself unable to obtain sufficient liquidity in the interbank lending market when other facilities or such sources have been exhausted.

Service providers face worst case risks every day from security breaches to disasters involving natural and unnatural hazards. These risks can be trivialised for lack of comprehension because the specific event is not of great relevance. The outcome is always the same: complete loss of data.

Customers entrust providers to store their data and it should be expected that most will never download a backup. There is a common misconception that backups are entirely the responsibility of customers but this is not fair. An example to illustrate would involve customer data silently becoming corrupt. Assuming the customer was regularly storing their own backups, is it their fault when this leads to catastrophe?

At an absolute minimum, a backup implementation should involve regular restore points delivered offsite. The term "remote" is often used by providers but it does not have the same meaning. All offsite backups are remote but not all remote backups are offsite. Remote backups are typically housed in the same facility but on different hardware, whereas offsite backups are stored in different geography.

Backups of last resort can be held in long term cold storage. These backups are extremely low cost to maintain but especially expensive to retrieve, which is why they should only ever be used in complete worst case scenarios. Any business should be capable to afford this measure with example below there are 10 000 customer accounts of size 10GiB with AWS Glacier Deep Archive:

Total Storage: 91TiB
Archive Average Object Size: 10GiB (single file archives)
Request Count: 10 000

Total Monthly cost: $92.75

Peace of mind for 10 000 customers for approximately 1 cent per month. As shown, it is unbelievably cheap to have a backup of last resort even for established businesses. Try yourself using the AWS Cost Calculator The business also indirectly benefits with improved security compliance, a factor which is usually overlooked.

Of course a last resort restore requires that transferred to standard s3 and retrieval will cost thousands of Dollars. Is that not worth it to avoid so many people losing a part of themselves? Even if the business will cease to exist, those affected still deserve their data.

If you are an engineer reading this and presenting similar solutions, do keep in mind that data might not be regarded sacred by others. I have personally seen discussions with outlined example worst case scenarios immediately dismissed because they seemed an impossibility without understanding the cause is irrelevant but the outcome as always the same. Read the room and accept knowing the suggestion was not wasted because it exposes future expectations. As an engineer, my sympathy is with you.

Consider this a reminder to safely store a backup because your provider might not regard it of importance.

Does cat see all?

Roscoe Skeens - My Blog — Mon, 07 Apr 2025 00:00:00 GMT

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://blog.rskeens.com/blog/does-cat-see-all/

Suspicious files must be examined to determine their content but can cat be entirely trusted? An example of how output can be overwritten by manipulating cursor position using escape codes:

echo -e '#!/bin/sh\necho "malware"\nexit\n\033[A\033[Aecho "nothing to see here"' > script.sh

Without reading further, what output is expected for cat script.sh? Let's check:

cat script.sh 
#!/bin/sh
echo "nothing to see here"

How about more or less? Would those display the entire content?

more script.sh
#!/bin/sh
echo "nothing to see here"

less script.sh
#!/bin/sh
echo "malware"
exit
ESC[AESC[Aecho "nothing to see here"
script.sh (END)"

Trust your intuition regarding suspicious files until proven otherwise, don't only rely on one tool.

The One of a Kind Engineer

Roscoe Skeens - My Blog — Fri, 21 Mar 2025 00:00:00 GMT

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://blog.rskeens.com/blog/the-one-of-a-kind-engineer/

As long as there is no shortage of budget, there is no shortage of incredibly skilled engineers with each offering their own invaluable domain experience. When tasked to build or review a codebase, their results get delivered at a velocity the company has never seen before. For small companies, even faster than their own department.

How do these engineers fare when not delegated tasks? To me, agency and persona are the primary differentiators between an incredible engineer and a one of a kind engineer

The one of a kind engineer is capable of identifying gaps in tech that the business was not even aware of, exclusive of things done wrong. They have the agency to formulate a solution without supervision. Their persona has sufficient confidence to deliver, even if the challenge is formidable. Effort is made to empart knowledge because to them, the subject matter is an enjoyable discussion.

There are often articles written about how "10x" developers don't exist, describing how none have been encountered in their professional career even at prominent tech companies. One reason is because this calibre of engineer does not thrive within common company structures. Company politics and meeting burnout are devastating, compounded by failed comprehension of their ideas and philosophy effectively are to answer for these article conclusions.

The incredible engineer who has both agency and suitable persona is truly immeasurable.

What Makes a Good Project

Roscoe Skeens - My Blog — Thu, 20 Mar 2025 00:00:00 GMT

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://blog.rskeens.com/blog/what-decides-a-project/

Coming from a background mainly involving information technology, there is a regular requirement to choose which solutions to use. This applies for both closed and open source options. Poorly selecting a project to include as part of a tech stack can be disastrous for the long term, regardless if it is initially superior on a technical level.

Usually there are many possible choices with a few that stand out performance and feature wise. Those which are orders of magnitude better both in terms of documentation as well as technical quality can then be shortlisted. The most challenging part is then deciding amongst those which have been shortlisted. There can only be one and the stakes are sky high.

My advice to anyone in this situation is to step back and observe the personalities behind the projects. This is far easier when open source projects are involved:

Determine the tone from main contributors to their community of users. Are they respectful?
Does the main contributor seem excited and overall enthusiastic?
Is the overall community approachable?
Most importantly, what is the perceived level of passion?

A stellar example of this could be the open source web server caddy. Matt Holt as main contributor is clearly passionate about the project but also the users. He can often be found helping tests pass and patiently answering questions no matter the skill level.

While caddy is already an excellent choice as a top performing web server, it reached its status because of Matt's lifelong passion having started it during his time as a student over a decade ago.

A good counter example to this might be WordPress. While Matt Mullenweg does not seem to contribute code, he essentially remains the voice of the project. As of at least last year, an increased public interest has occurred to discuss switching from WordPress to a differing framework. My own blog is no longer based on WordPress.

Choose good projects based on personality that are made with passion and an obvious love for people to simply use their work, even if they are not as cutting edge.

Distance Affects Throughput

Roscoe Skeens - My Blog — Sun, 30 Oct 2016 00:00:00 GMT

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://blog.rskeens.com/blog/distance-affects-throughput/

Offsite backups are important but Round Trip Time should be taken into careful consideration. TCP connections can be severely hampered under certain conditions from what is known as “Bandwidth - Delay Product” and Wikipedia has the following descriptive article:

In data communications, bandwidth-delay product refers to the product of a data link’s capacity (in bits per second) and its round-trip delay time (in seconds). The result, an amount of data measured in bits (or bytes), is equivalent > to the maximum amount of data on the network circuit at any given time, i.e., data that has been transmitted but not yet acknowledged.

To use an extreme example, a tiny 64kB TCP buffer size would constrain a 100MiB/s interface to 2.6MiB/s if there is a consistent 200ms latency whereas a 50ms latency would allow 10.5 MiB/s.

Fortunately modern systems are no longer defaulted with a small TCP buffer size but tweaks were required prior to kernel 2.6. The following system parameters can be explored:

proc.sys.net.core.wmem_max (Maximum send window size) proc.sys.net.core.rmem_max (Maximum receive window size) proc.sys.net.ipv4.tcp_wmem (Reserved memory for TCP send buffer) proc.sys.net.ipv4.tcp_rmem (Reserved memory for TCP receive buffer)

Always be overly cautious when increasing buffers on production servers because it can potentially cause instability. Improvements can be seen immediately for FTP / FTPS over long inflight time but there will still be circumstances where changes won’t seem to show any effect even with the best of configurations in place, such as when SO_SNDBUF and SO_RCVBUF are static for setsockopt().

Sender side autotuning has been present for quite some time but receiver limits are now usually included and this can be verified by reading net.ipv4.tcp_window_scaling and net.ipv4.tcp_moderate_rcvbuf:

sysctl net.ipv4.tcp_window_scaling net.ipv4.tcp_moderate_rcvbuf
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_moderate_rcvbuf = 1

Interestingly SSH2 multiplexes sessions over a TCP connection, which means patches to OpenSSH such as High Performance SSH/SCP are necessary to attain greater transfer rates for the likes of SCP.

Harden procfs using hidepid

Roscoe Skeens - My Blog — Thu, 02 Apr 2015 00:00:00 GMT

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: https://blog.rskeens.com/blog/harden-procfs/

The objective of hidepid is to ensure privacy concerning process information for standard users and its presence can prove beneficial for a multi tenant environment.

Wikipedia’s article related to procfs describes it as follows:

procfs (or the proc filesystem) is a special filesystem in Unix-like operating systems that presents information about processes and other system information in a hierarchical file-like structure, providing a more convenient and standardized method for dynamically accessing process data held in the kernel than traditional tracing methods or direct access to kernel memory.

Linux Kernel version 3.3 initially introduced the hidepid mount option for procfs quite some time ago but its usage isn’t always implemented. CentOS 6.3 and above have since offered full support for its usage. In the past the kernel source fs/proc/base.c needed to manually be patched with the line below to achieve the same capability:

inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;

The following options can be defined for hidepid:

hidepid=0: Disable hidepid. hidepid=1: Users other than root are only capable of realising information regarding their own processes but can still manually inspect /proc to gather references such as Process IDs. hidepid=2: The ideal setting which will ensure privacy of /proc amongst standard users.

One factor to keep in mind is hidepid will not protect actual processes which do exist – it serves to only make process information more private.

Aside from modifying the system’s fstab, hidepid can be activated by remounting /proc as follows:

mount -o remount,hidepid=2 /proc