hidepid - hide PIDs owned by other users

hidepid is a security feature.

Settings at time of writing:

  • hidepid=0
  • hidepid=1
  • hidepid=2
  • hidepid=3 - doesn’t seem to exist
  • hidepid=4

But there are many issues with it:

Was discussed and attempted in the past:

But never had its own forum thread.

The main issue I remember we had was that pkexec isn’t compatible with hidepid, which broke multiple applications.

pkexec however seems to be the only framework that supports showing a graphical password prompt to escalate parts of a GUI application with administrative (“root”) rights under native Wayland.

Running GUI applications as root, commands such as (lx)sudo gui-application is no longer possible under wayland. (If that works, that is only Xwayland, not native wayland and to be avoided.)

hidepid=2,gid=polkitd unfortunately insufficient.

Quote https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040

Confirmed, giving access to /proc to polkitd user (running polkitd) is not enough, the authentication agent seems to requires that as well (and granting my user access to /proc denies the interest of hidepid).

Hm, I guess this means you’d have to add your user to that group as well (or rather any user who wants to use polkit). Which sort of defeats the purpose of hidepid=2 to some extent.