fix(hermes-agent): restrict /proc access in systemd services

Hermes strips sensitive env vars from tool subprocesses, but child
processes can recover them by reading /proc/<parent_pid>/environ. Add
ProtectProc=invisible and ProcSubset=pid to both systemd services to
hide other processes' /proc entries and limit /proc to the service's
own PID namespace.

Ref: https://github.com/NousResearch/hermes-agent/issues/4427
Stephen Chin
2026-05-02 08:09:00 -07:00
parent 16e774083f
commit e0aaacdb96


@@ -76,6 +76,8 @@ Environment="HERMES_HOME=/home/hermes/.hermes"
Environment="HOME=/home/hermes" Environment="HOME=/home/hermes"
Restart=on-failure Restart=on-failure
RestartSec=5 RestartSec=5
ProtectProc=invisible
ProcSubset=pid
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
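Review bot: ProtectProc=invisible (procfs hidepid) hides the /proc/<pid>/ entries of processes owned by *other* users, so a tool subprocess that runs under the same hermes account as the service can still open /proc/<service_pid>/environ, which is exactly the case the commit message describes; the two new lines after RestartSec=5 harden the unit against other accounts on the host, not against its own children. To close the gap described in the message, the secrets should not sit in the service's environment at all (for example load them through systemd's LoadCredential= and read them from $CREDENTIALS_DIRECTORY), or the tool subprocesses should run under a different uid or in their own PID namespace. Note also that ProcSubset=pid removes everything in /proc that is not a process directory (/proc/sys, /proc/cpuinfo, /proc/meminfo, ...), so the service needs a start-and-run test with the new unit, and after deploying, `systemctl show -p ProtectProc,ProcSubset <unit>` confirms the settings were actually applied (both require a systemd and kernel that support these procfs mount options; on older hosts they are not enforced).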
@@ -103,6 +105,8 @@ Environment="PATH=/home/hermes/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sb
Environment="NODE_OPTIONS=--max-old-space-size=3072" Environment="NODE_OPTIONS=--max-old-space-size=3072"
Restart=on-failure Restart=on-failure
RestartSec=5 RestartSec=5
ProtectProc=invisible
ProcSubset=pid
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
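Review bot: the same caveat applies here: a child process started by this Node service under the same uid still sees the parent's /proc entry, so ProtectProc=invisible does not by itself stop the environ read the commit message targets. For this unit specifically, ProcSubset=pid is the riskier line: Node's libuv implements os.cpus() by reading /proc/stat and /proc/cpuinfo, which this setting hides, so anything in the service that queries CPU count or load should be exercised before this ships. A quick `systemd-analyze security <unit>` before and after the change shows whether the two directives are recognised on the target host and what exposure score they change.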