author | Graham Christensen <graham@grahamc.com> | 2018-09-29 20:51:11 -0400 |
---|---|---|
committer | Graham Christensen <graham@grahamc.com> | 2018-09-29 20:51:11 -0400 |
commit | 8413f22bb39bd1c8adcf2ca9e6fcd4c59ddb3549 (patch) | |
tree | 2fd2a5d5e07bc85ea97ae3c0cb13eb563860ad66 /nixos/modules/security/hidepid.xml | |
parent | 9622cd3b38ddbc7faa4cac2a48dbd70bd99570d0 (diff) | |
docs: format
Diffstat (limited to 'nixos/modules/security/hidepid.xml')
-rw-r--r-- | nixos/modules/security/hidepid.xml | 37 |
1 files changed, 16 insertions, 21 deletions
diff --git a/nixos/modules/security/hidepid.xml b/nixos/modules/security/hidepid.xml index d69341eb3cde..5a17cb1da412 100644 --- a/nixos/modules/security/hidepid.xml +++ b/nixos/modules/security/hidepid.xml @@ -3,31 +3,26 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-hidepid"> - - <title>Hiding process information</title> - - <para> - Setting + <title>Hiding process information</title> + <para> + Setting <programlisting> <xref linkend="opt-security.hideProcessInformation"/> = true; </programlisting> - ensures that access to process information is restricted to the - owning user. This implies, among other things, that command-line - arguments remain private. Unless your deployment relies on unprivileged - users being able to inspect the process information of other users, this - option should be safe to enable. - </para> - - <para> - Members of the <literal>proc</literal> group are exempt from process - information hiding. - </para> - - <para> - To allow a service <replaceable>foo</replaceable> to run without process information hiding, set + ensures that access to process information is restricted to the owning user. + This implies, among other things, that command-line arguments remain private. + Unless your deployment relies on unprivileged users being able to inspect the + process information of other users, this option should be safe to enable. + </para> + <para> + Members of the <literal>proc</literal> group are exempt from process + information hiding. + </para> + <para> + To allow a service <replaceable>foo</replaceable> to run without process + information hiding, set <programlisting> <link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.<replaceable>foo</replaceable>.serviceConfig</link>.SupplementaryGroups = [ "proc" ]; </programlisting> - </para> - + </para> </chapter> |
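Review bot: In the final <para>, the SupplementaryGroups = [ "proc" ] example is carried over without stating what the exemption grants. By the paragraph just above it, members of the proc group are exempt from hiding, so service foo regains access to other users' process information, command-line arguments included. Since these lines are being rewrapped anyway, consider adding a sentence that says so and advises setting it only for services that need that visibility. The rest of the hunk reads as whitespace-only (reindent and rewrap), and leaving the <programlisting> bodies at column 0 is correct because their whitespace is rendered verbatim.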