Chapter 5. The proc File System
The Linux kernel has two primary functions: to control access to physical devices on the computer and to schedule when and how processes interact with these devices. The /proc/ directory — also called the proc file system — contains a hierarchy of special files which represent the current state of the kernel, allowing applications and users to peer into the kernel's view of the system.
Within the /proc/ directory, one can find a wealth of information detailing the system hardware and any processes currently running. In addition, some of the files within the /proc/ directory tree can be manipulated by users and applications to communicate configuration changes to the kernel.
5.1. A Virtual File System
Under Linux, all data are stored as files. Most users are familiar with the two primary types of files: text and binary. But the /proc/ directory contains another type of file called a virtual file. It is for this reason that /proc/ is often referred to as a virtual file system.
These virtual files have unique qualities. Most of them are listed as zero bytes in size and yet when one is viewed, it can contain a large amount of information. In addition, most of the time and date settings on virtual files reflect the current time and date, indicative of the fact they are constantly updated.
Virtual files such as /proc/interrupts, /proc/meminfo, /proc/mounts, and /proc/partitions provide an up-to-the-moment glimpse of the system's hardware. Others, like the /proc/filesystems file and the /proc/sys/ directory, provide system configuration information and interfaces.
For organizational purposes, files containing information on a similar topic are grouped into virtual directories and sub-directories. For instance, /proc/ide/ contains information for all physical IDE devices. Likewise, process directories contain information about each running process on the system.
5.1.1. Viewing Virtual Files
By using the cat, more, or less commands on files within the /proc/ directory, users can immediately access enormous amounts of information about the system. For example, to display the type of CPU a computer has, type cat /proc/cpuinfo to receive output similar to the following:
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 5
model           : 9
model name      : AMD-K6(tm) 3D+ Processor
stepping        : 1
cpu MHz         : 400.919
cache size      : 256 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 1
wp              : yes
flags           : fpu vme de pse tsc msr mce cx8 pge mmx syscall 3dnow k6_mtrr
bogomips        : 799.53
When viewing different virtual files in the /proc/ file system, some of the information is easily understandable while some is not human-readable. This is in part why utilities exist to pull data from virtual files and display it in a useful way. Examples of these utilities include lspci, apm, free, and top.
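Because the "key : value" layout of /proc/cpuinfo is stable, a few lines of awk are enough to pull out a single field or count processors without an external utility. The script below is an added example and is not part of the guide; the functions read cpuinfo-style text on standard input, so they work both on the live file (cpu_field "model name" < /proc/cpuinfo) and on the constructed sample embedded at the bottom, which keeps the script runnable where /proc is not available. The function names and the sample text are the author's own choices.

```shell
#!/bin/sh
# Added example, not from the RHEL guide. Reads /proc/cpuinfo-style
# text on stdin and extracts fields from the first processor entry.

# cpu_field FIELD : print the value of FIELD for the first processor
cpu_field() {
    awk -v key="$1" '{
        i = index($0, ":"); if (i == 0) next
        k = substr($0, 1, i - 1); sub(/[ \t]+$/, "", k)   # key, trailing blanks removed
        if (k == key) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v)  # value, leading blanks removed
            print v; exit                                  # first processor only
        }
    }'
}

# cpu_count : number of "processor" entries in the text on stdin
cpu_count() {
    awk '/^processor[ \t]*:/ { n++ } END { print n + 0 }'
}

# cpu_has_flag FLAG : exit 0 when FLAG is listed in the "flags" line
cpu_has_flag() {
    cpu_field flags | tr ' ' '\n' | grep -qx "$1"
}

# Constructed sample (two entries modelled on the output shown above)
SAMPLE_CPUINFO='processor       : 0
vendor_id       : AuthenticAMD
model name      : AMD-K6(tm) 3D+ Processor
cpu MHz         : 400.919
flags           : fpu vme de pse tsc msr mce cx8 pge mmx syscall 3dnow k6_mtrr
processor       : 1
vendor_id       : AuthenticAMD
model name      : AMD-K6(tm) 3D+ Processor
cpu MHz         : 400.919
flags           : fpu vme de pse tsc msr mce cx8 pge mmx syscall 3dnow k6_mtrr'

# Demonstration on the constructed sample; on a live system replace
# the printf with:  cpu_field "model name" < /proc/cpuinfo
printf '%s\n' "$SAMPLE_CPUINFO" | cpu_field "model name"
printf '%s\n' "$SAMPLE_CPUINFO" | cpu_count
```

The "exit" after the first match is what makes cpu_field return a single value on a multi-processor machine; drop it if you want one line per processor.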
Note
Some of the virtual files in the /proc/ directory are readable only by the root user.
5.1.2. Changing Virtual Files
As a general rule, most virtual files within the /proc/ directory are read-only. However, some can be used to adjust settings in the kernel. This is especially true for files in the /proc/sys/ subdirectory.
To change the value of a virtual file, use the echo command and a greater than symbol (>) to redirect the new value to the file. For example, to change the hostname on the fly, type:
echo www.example.com > /proc/sys/kernel/hostname
Other files act as binary or Boolean switches. Typing cat /proc/sys/net/ipv4/ip_forward returns either a 0 or a 1. A 0 indicates that the kernel is not forwarding network packets. Using the echo command to change the value of the ip_forward file to 1 immediately turns packet forwarding on.
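A write to a /proc/sys/ switch takes effect immediately but can also be silently refused (for example by an invalid value), so a script that toggles one should read the file back afterwards. The following is an added example, not code from the guide: switch_get and switch_set wrap the cat and echo steps above, accept only 0 or 1, and confirm the new value after writing. The PROC_ROOT variable, make_fake_proc helper and the scratch copy of ip_forward are assumptions introduced here so the script can be exercised without root and without changing the live kernel setting.

```shell
#!/bin/sh
# Added example, not from the RHEL guide. Reads and sets a 0/1 switch
# file under $PROC_ROOT/sys/, defaulting to the real /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# switch_get NAME : print the current value of sys/NAME (e.g. net/ipv4/ip_forward)
switch_get() {
    cat "$PROC_ROOT/sys/$1"
}

# switch_set NAME VALUE : write VALUE if it is 0 or 1 and differs from the
# current value, then re-read the file to confirm the kernel accepted it
switch_set() {
    name=$1 want=$2
    case $want in
        0|1) ;;
        *) echo "switch_set: value must be 0 or 1, got '$want'" >&2; return 2 ;;
    esac
    cur=$(switch_get "$name") || return 1
    if [ "$cur" = "$want" ]; then
        echo "$name already $want"
        return 0
    fi
    echo "$want" > "$PROC_ROOT/sys/$name" || return 1
    # Virtual files can reject a write without an error on the echo itself
    if [ "$(switch_get "$name")" != "$want" ]; then
        echo "switch_set: $name did not change" >&2
        return 1
    fi
    echo "$name changed $cur -> $want"
}

# make_fake_proc : constructed scratch tree holding a copy of ip_forward
# (assumption for a dry run; prints the directory it created)
make_fake_proc() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sys/net/ipv4"
    echo 0 > "$dir/sys/net/ipv4/ip_forward"
    echo "$dir"
}

# Dry run against the scratch copy. On a live system, as root:
#   switch_set net/ipv4/ip_forward 1
scratch=$(make_fake_proc)
( PROC_ROOT=$scratch; switch_set net/ipv4/ip_forward 1 )
rm -rf "$scratch"
```

The same pattern applies to any other single-value file in /proc/sys/; only the case statement that validates the value needs to change.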
Note
Another command used to alter settings in the /proc/sys/ subdirectory is /sbin/sysctl. For more information on this command, refer to Section 5.4, “Using the sysctl Command”.
For a listing of some of the kernel configuration files available in the /proc/sys/ subdirectory, refer to Section 5.3.9, “/proc/sys/”.
5.1.3. Restricting Access to Process Directories
On multi-user systems, it is often useful to secure the process directories stored in /proc/ so that they can be viewed only by the root user. You can restrict the access to these directories with the use of the hidepid option.
To change the file system parameters, you can use the mount command with the -o remount option. As root, type:
mount -o remount,hidepid=value /proc
Here, the value passed to hidepid is one of:
0 (default) — every user can read all world-readable files stored in a process directory.
1 — users can access only their own process directories. This protects the sensitive files like cmdline, sched, or status from access by non-root users. This setting does not affect the actual file permissions.
2 — process files are invisible to non-root users. The existence of a process can be learned by other means, but its effective UID and GID are hidden. Hiding these IDs complicates an intruder's task of gathering information about running processes.
Example 5.1. Restricting access to process directories
To make process files accessible only to the root user, type:
~]# mount -o remount,hidepid=1 /proc
With hidepid=1, a non-root user cannot access the contents of process directories. An attempt to do so fails with the following message:
~]$ ls /proc/1/
ls: /proc/1/: Operation not permitted
With hidepid=2 enabled, process directories are made invisible to non-root users:
~]$ ls /proc/1/
ls: /proc/1/: No such file or directory
Also, you can specify a user group that will have access to process files even when hidepid is set to 1 or 2. To do this, use the gid option. As root, type:
mount -o remount,hidepid=value,gid=gid /proc
Replace gid with the specific group id. For members of the selected group, the process files will act as if hidepid was set to 0. However, users who are not supposed to monitor the tasks in the whole system should not be added to the group. For more information on managing users and groups see Chapter 37, Users and Groups.