Description of problem: When /proc is mounted with non-zero "hidepid=" option, local user authorisation fails. It breaks, among other things, mounting of USB thumbdrives. Also broken: powering off from GUIs and initiating suspend as user (see #1043134). By strace'ing polkitd, I found that the following syscall fails: open("/proc/1/cgroup", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted) In system logs: gnome-session[2285]: Gjs-Message: JS LOG: Unable to mount volume USB DISK: Gio.IOErrorEnum: Not authorized to perform operation Version-Release number of selected component (if applicable): polkit-0.112-2.fc20.x86_64 How reproducible: Always Steps to Reproduce: 1. mount /proc -o remount,hidepid=1 2. stick USB thumbdrive in USB port Actual results: USB thumbdrive won't mount. Expected results: USB should mount
Thanks for your report. Well, yes; polkit needs to read the UID of other processes from /proc when given only the PID of a process as a subject, and polkit runs as a non-root process. hidepid is explicitly designed to prevent polkit from getting the data, i.e. to break these parts of polkit. Those parts of polkit are deprecated due to inherent raciness, so it _might_ be possible to run polkit with hidepid in some setups, but we are not breaking that ABI; hence, without more detailed analysis, it seems that hidepid is incompatible with general use of polkit. The very first issue you are stumbling upon is not directly in polkit, though—it seems to be from systemd’s cg_pid_get_path() (via sd_pid_get_session()), so reassigning there.
Sorry, but we simply don't support hidepid= as it is implemented right now in the kernel. We need to be able to get meta data out of /proc for clients. journald needs that, polkit, does, our apis do that, there's probably a lot more. hidepid= is a bit naive there. I'd actually like to support it better, but if we do that I figure we need some kernel changes first. instead of being a kernel-wide setting it should be a per-mount point setting, so that we can turn it on for some services, and turn it off for others, simply by passing different settings to the procfs in their respective mount namespaces. Anyway, the way it stands now, we cannot support this. Sorry.
(In reply to Lennart Poettering from comment #2) > Sorry, but we simply don't support hidepid= as it is implemented right now > in the kernel. We need to be able to get meta data out of /proc for clients. > journald needs that, polkit, does, our apis do that, there's probably a lot > more. > > hidepid= is a bit naive there. > > I'd actually like to support it better, but if we do that I figure we need > some kernel changes first. instead of being a kernel-wide setting it should > be a per-mount point setting, so that we can turn it on for some services, > and turn it off for others, simply by passing different settings to the > procfs in their respective mount namespaces. > > Anyway, the way it stands now, we cannot support this. Sorry. hello, my big apologize, but did you lennart read the manual ? Read please /usr/src/linux/Documentation/filesystems/proc.txt .. if you do hidepid=2,gid=10 (eg wheel in my case) it works perfectly like stated in manual and the members of specified group have full lookup rights for entire /proc like without hidepid=X .. regards, d groupadd -g 995 proc useradd -g 995 -m -d /var/tmp/proclurker.home proclurker mount -o remount,hidepid=2,gid=995 proc su - proclurker $ ps faux
I've tested it for a few days with "hidepid=2,gid=457" (because % getent group polkitd polkitd:x:457: ) It seem to work. Thumdrives are mounted, and active session user is allowed to shutdown and suspend the macine.
Nice, so actually it is only LP who thinks that it ain't possible .. thanks Tomasz for your comment and approving my findings .. regards, daniel
(In reply to dpecka from comment #3) > if you do hidepid=2,gid=10 (eg wheel in my case) it works perfectly like > stated in manual and the members of specified group have full lookup rights > for entire /proc like without hidepid=X .. So what, *single* group has "normal" view of /proc. This fact is completely orthogonal to what Lennart said. wheel group is not standard or anything, afaik, Debian derived distros doesn't provide it by default.
My bugreport was about polkit auth failing with hidepid. gid= settings allows polkit to work, thus rendering this bugreport moot. Lennart talked about wider problems: with journald and other APIs. So while gid= fixes *this* particular issue, it does nothing to help general brokeness of hidepid.
I don't see anything I'd call `general brokeness of hidepid' ... it's absolutely legit to want it and if systemd can't cope with that (along with a gid= option) it's the fault of the systemd ... And moreover, it's systemd what needs adjusting to deal with that when/if he can't do it, not kernel - completely and absolutely .. Ofc, you can create some matagroup (not only polkitd) and assign more system accounts to this group - that I believe should solve it .. regards, daniel
(In reply to dpecka from comment #8) > And moreover, it's systemd what needs adjusting to deal with that when/if he > can't do it, not kernel - completely and absolutely Try to mount /proc twice in two different locations and change gid= option for one mount. It will also change it for the other mount point. I think this is "general brokenness". It is global, not per mount point. > Ofc, you can create > some matagroup (not only polkitd) and assign more system accounts to this > group - that I believe should solve it .. That is just an ugly hack!