
Merge pull request #1266 from Lupul/fix-2020-10-09

SecImprove: limit unpriv user to see only their own processes
Raphael Schneeberger 5 лет назад
Родитель
Сommit
d00ebc8830
3 измененных файлов с 17 добавлено и 1 удалено
  1. 4 0
      install/hst-install-debian.sh
  2. 5 0
      install/hst-install-ubuntu.sh
  3. 8 1
      install/upgrade/versions/1.3.0.sh

+ 4 - 0
install/hst-install-debian.sh

@@ -929,6 +929,10 @@ if [ ! "$release" -eq 10 ]; then
     chmod 755 /usr/bin/rssh
 fi
 
+# Restrict access to /proc fs
+# - Prevent unpriv users from seeing each other running processes
+mount -o remount,defaults,hidepid=2 /proc
+echo "@reboot root sleep 5 && mount -o remount,defaults,hidepid=2 /proc" > /etc/cron.d/hestia-proc
 
 #----------------------------------------------------------#
 #                     Configure Hestia                     #
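Review bot: The remount on line 27 is unchecked, and its persistence rests on a cron `@reboot` job with a fixed `sleep 5`, so every boot has a window where /proc is unrestricted and the setting is silently lost if cron is disabled or the remount fails; the same construct appears in install/hst-install-ubuntu.sh. Persisting the option where the mount itself is defined (an /etc/fstab entry such as `proc /proc proc defaults,hidepid=2 0 0`, or a systemd mount unit drop-in) applies it at mount time without the race. The comment on lines 25-26 should also say that hidepid=2 hides other users' processes from unprivileged service accounts too (monitoring agents, process checks run by the web server), and that proc's `gid=` mount option can exempt one group if such a tool needs visibility. At minimum the install should not proceed silently on failure: `mount -o remount,defaults,hidepid=2 /proc || echo "[ ! ] Unable to remount /proc with hidepid=2"`.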

+ 5 - 0
install/hst-install-ubuntu.sh

@@ -973,6 +973,11 @@ if [ ! -e "/sbin/iptables-restore" ]; then
     fi
 fi
 
+# Restrict access to /proc fs
+# - Prevent unpriv users from seeing each other running processes
+mount -o remount,defaults,hidepid=2 /proc
+echo "@reboot root sleep 5 && mount -o remount,defaults,hidepid=2 /proc" > /etc/cron.d/hestia-proc
+
 
 #----------------------------------------------------------#
 #                     Configure Hestia                     #

+ 8 - 1
install/upgrade/versions/1.3.0.sh

@@ -60,4 +60,11 @@ fi
  
 # Set var LOGIN_STYLE hestia.conf
  echo "[ * ] Set var LOGIN_STYLE hestia.conf"
- $BIN/v-change-sys-config-value "LOGIN_STYLE" "default" 
+ $BIN/v-change-sys-config-value "LOGIN_STYLE" "default"
+
+# Restrict access to /proc fs
+if [ ! -e "/etc/cron.d/hestia-proc" ]; then
+    echo "[ * ] Restrict access to /proc fs"
+    echo "@reboot root sleep 5 && mount -o remount,defaults,hidepid=2 /proc" > /etc/cron.d/hestia-proc
+    mount -o remount,defaults,hidepid=2 /proc
+fi
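Review bot: The guard on line 60 keys on the cron file's existence, and the file is written on line 62 before the remount on line 63 runs, so a failed remount leaves /proc unrestricted while every later upgrade run skips the block as already done. Remounting first and only recording the cron job when it succeeds keeps the marker honest and surfaces the failure in the upgrade log. Checking the live mount options instead of the marker file would be more robust still, but the spelling of the option in /proc/mounts varies between kernel versions (numeric versus symbolic values), so I have not proposed a specific grep.
```shell
# Restrict access to /proc fs
if [ ! -e "/etc/cron.d/hestia-proc" ]; then
    echo "[ * ] Restrict access to /proc fs"
    if mount -o remount,defaults,hidepid=2 /proc; then
        echo "@reboot root sleep 5 && mount -o remount,defaults,hidepid=2 /proc" > /etc/cron.d/hestia-proc
    else
        echo "[ ! ] Unable to remount /proc with hidepid=2, leaving /proc unrestricted"
    fi
fi
```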