Bug 1130796 - "hidepid" procfs option breaks mounting of thumbdrives
Summary: "hidepid" procfs option breaks mounting of thumbdrives
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-17 21:04 UTC by Tomasz Torcz
Modified: 2015-06-30 14:40 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-18 22:36:57 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1043134 None CLOSED Can't suspend when /proc is mounted with hidepid=2 2018-10-09 08:14:01 UTC

Description Tomasz Torcz 2014-08-17 21:04:41 UTC
Description of problem:
When /proc is mounted with non-zero "hidepid=" option, local user authorisation fails. It breaks, among other things, mounting of USB thumbdrives. Also broken: powering off from GUIs and initiating suspend as user (see #1043134).

By strace'ing polkitd, I found that the following syscall fails:

open("/proc/1/cgroup", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted)

In system logs:
gnome-session[2285]: Gjs-Message: JS LOG: Unable to mount volume USB DISK: Gio.IOErrorEnum: Not authorized to perform operation


Version-Release number of selected component (if applicable):
polkit-0.112-2.fc20.x86_64

How reproducible:
Always

Steps to Reproduce:
1. mount /proc -o remount,hidepid=1
2. stick USB thumbdrive in USB port


Actual results:
USB thumbdrive won't mount.

Expected results:
USB should mount

Comment 1 Miloslav Trmač 2014-08-18 14:23:20 UTC
Thanks for your report.

Well, yes; polkit needs to read the UID of other processes from /proc when given only the PID of a process as a subject, and polkit runs as a non-root process.  hidepid is explicitly designed to prevent polkit from getting the data, i.e. to break these parts of polkit.

Those parts of polkit are deprecated due to inherent raciness, so it _might_ be possible to run polkit with hidepid in some setups, but we are not breaking that ABI; hence, without more detailed analysis, it seems that hidepid is incompatible with general use of polkit.

The very first issue you are stumbling upon is not directly in polkit, though—it seems to be from systemd’s cg_pid_get_path() (via sd_pid_get_session()), so reassigning there.

Comment 2 Lennart Poettering 2014-08-18 22:36:57 UTC
Sorry, but we simply don't support hidepid= as it is implemented right now in the kernel. We need to be able to get meta data out of /proc for clients. journald needs that, polkit, does, our apis do that, there's probably a lot more.

hidepid= is a bit naive there.

I'd actually like to support it better, but if we do that I figure we need some kernel changes first. instead of being a kernel-wide setting it should be a per-mount point setting, so that we can turn it on for some services, and turn it off for others, simply by passing different settings to the procfs in their respective mount namespaces.

Anyway, the way it stands now, we cannot support this. Sorry.

Comment 3 dpecka 2015-06-27 13:52:42 UTC
(In reply to Lennart Poettering from comment #2)
> Sorry, but we simply don't support hidepid= as it is implemented right now
> in the kernel. We need to be able to get meta data out of /proc for clients.
> journald needs that, polkit, does, our apis do that, there's probably a lot
> more.
> 
> hidepid= is a bit naive there.
> 
> I'd actually like to support it better, but if we do that I figure we need
> some kernel changes first. instead of being a kernel-wide setting it should
> be a per-mount point setting, so that we can turn it on for some services,
> and turn it off for others, simply by passing different settings to the
> procfs in their respective mount namespaces.
> 
> Anyway, the way it stands now, we cannot support this. Sorry.

hello,

my big apologize, but did you lennart read the manual ? Read please /usr/src/linux/Documentation/filesystems/proc.txt ..

if you do hidepid=2,gid=10 (eg wheel in my case) it works perfectly like stated in manual and the members of specified group have full lookup rights for entire /proc like without hidepid=X ..

regards, d

groupadd -g 995 proc
useradd -g 995 -m -d /var/tmp/proclurker.home proclurker
mount -o remount,hidepid=2,gid=995 proc
su - proclurker
$ ps faux

Comment 4 Tomasz Torcz 2015-06-29 13:44:40 UTC
I've tested it for a few days with "hidepid=2,gid=457" (because % getent group polkitd
polkitd:x:457:
)

It seem to work. Thumdrives are mounted, and active session user is allowed to shutdown and suspend the macine.

Comment 5 dpecka 2015-06-29 14:14:57 UTC
Nice,

so actually it is only LP who thinks that it ain't possible ..

thanks Tomasz for your comment and approving my findings ..

regards, daniel

Comment 6 Michal Sekletar 2015-06-30 12:28:56 UTC
(In reply to dpecka from comment #3)

> if you do hidepid=2,gid=10 (eg wheel in my case) it works perfectly like
> stated in manual and the members of specified group have full lookup rights
> for entire /proc like without hidepid=X ..

So what, *single* group has "normal" view of /proc. This fact is completely orthogonal to what Lennart said. wheel group is not standard or anything, afaik, Debian derived distros doesn't provide it by default.

Comment 7 Tomasz Torcz 2015-06-30 13:45:01 UTC
My bugreport was about polkit auth failing with hidepid. gid= settings allows polkit to work, thus rendering this bugreport moot.
Lennart talked about wider problems: with journald and other APIs.
So while gid= fixes *this* particular issue, it does nothing to help general brokeness of hidepid.

Comment 8 dpecka 2015-06-30 13:59:07 UTC
I don't see anything I'd call `general brokeness of hidepid' ... it's absolutely legit to want it and if systemd can't cope with that (along with a gid= option) it's the fault of the systemd ...

And moreover, it's systemd what needs adjusting to deal with that when/if he can't do it, not kernel - completely and absolutely .. Ofc, you can create some matagroup (not only polkitd) and assign more system accounts to this group - that I believe should solve it ..

regards, daniel

Comment 9 Michal Sekletar 2015-06-30 14:40:28 UTC
(In reply to dpecka from comment #8)

> And moreover, it's systemd what needs adjusting to deal with that when/if he
> can't do it, not kernel - completely and absolutely 

Try to mount /proc twice in two different locations and change gid= option for one mount. It will also change it for the other mount point. I think this is "general brokenness". It is global, not per mount point.

> Ofc, you can create
> some matagroup (not only polkitd) and assign more system accounts to this
> group - that I believe should solve it ..

That is just an ugly hack!


Note You need to log in before you can comment on or make changes to this bug.