<chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-hidepid">
 <title>Hiding process information</title>
 <para>
  Setting
<programlisting>
<xref linkend="opt-security.hideProcessInformation"/> = true;
</programlisting>
  ensures that access to process information is restricted to the owning user.
  This implies, among other things, that command-line arguments remain private.
  Unless your deployment relies on unprivileged users being able to inspect the
  process information of other users, this option should be safe to enable.
 </para>
 <para>
  Members of the <literal>proc</literal> group are exempt from process
  information hiding.
 </para>
 <para>
  To allow a service <replaceable>foo</replaceable> to run without process
  information hiding, set
<programlisting>
<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.<replaceable>foo</replaceable>.serviceConfig</link>.SupplementaryGroups = [ "proc" ];
</programlisting>
 </para>
</chapter>