-
-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[241] "No such process" when starting user instance with hidepid=2 and cgroupv2 #12955
Comments
Sorry, but hidepid= is simply not supported on systemd instances. we require the ability to identify remote processes and most of our services run at minimal privileges, and this means this cannot work. Sorry. There has been work on making hidepid= a true mount option (i.e. an option of the mount itself instead of the pidns), but it stalled. If we ever get that we could have a per-service hidepid= which would make things a lot more useful. But anyway, sorry. hidepid= the way it is is not compatible with systemd, and that's not going to change. |
The patch set I was talking of is this: https://lwn.net/Articles/738597/ If you are interested in this, please work with the kernel folks, resurrect the patch set, and try to make it work. |
Thanks for your quick reply ! I understand Systemd requires to see all PIDs on the system and it's fine. Maybe there could be a way to start the systemd user instance with CAP_SET_GID and instruct it to drop the additional group (4 in my case) either when it no longer needs it (if this time exists), either before exec-ing a non-systemd binary. Would it make sense ? |
It's not just systemd, it's a lot of other stuff we require. Polkit/dbus for example and so on... I think the clean fix would be to fix the kernel to make hidepid not a system-wide setting, see above. Instead of patching around in systemd, just fix this properly by patching around in the kernel. |
I was able to hack something which works in my use case with:
diff --git a/fs/proc/base.c b/fs/proc/base.c
index ae6d4aa65c8f..11163b7bbe4d 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -675,11 +675,14 @@ int proc_setattr(struct dentry *dentry, struct iattr *attr)
/*
* May current process learn task's sched/cmdline info (for hide_pid_min=1)
* or euid/egid (for hide_pid_min=2)?
+ * jean-tiare: Hack for systemd user instance: Always allow PID 1.
*/
static bool has_pid_permissions(struct pid_namespace *pid,
struct task_struct *task,
int hide_pid_min)
{
+ if (task->pid == 1)
+ return true;
if (pid->hide_pid < hide_pid_min)
return true;
if (in_group_p(pid->pid_gid))
# Grant full access to all PIDs to systemd-logind
[Service]
SupplementaryGroups=4 With both patches, the full test suite passes on my side. Systemd user instances are working fine and the started process have only access there own PIDs and PID 1. This may be missing a lot of (corner ?) cases but this suggests that 'hidepid' support in systemd is not very far and might not require a rework in /proc. Not sure if proposing a new mount flag like "showpid1" for procfs would be acceptable on the kernel side though. |
fix broken privoxy config fix gsimplecal locale install gantsign.keyboard from galaxy, remove submodule disable hidepid=2 as it breaks systemd user units systemd/systemd#12955 rename decent_keyring to remote_keyring remove empty logrotate role remove tempdirs after using update README
I fixed it on Linux 5.10 without patching the kernel, only by creating a special group
Then, to allow systemd-logind to access all processes, add a drop-in config for [Service]
SupplementaryGroups=proc After restarting the computer (or restarting systemd-logind), everything worked fine like before enabling |
@Zocker1999NET Thanks for that workaround, could you elaborate a bit on how you did the permissions for the
Cheers |
@4oo4 I just discovered that I also added the supplementary group to the To clarify what I did exactly: I only created the group itself, changed/added the proc mount line and added the supplement group to both services. I never touched a group/user called groupadd --system proc # --system primarily influences the range for choosing a GID, this might be however important, idk
echo "proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0" >> /etc/fstab # assuming proc mount line is missing from fstab
for d in /etc/systemd/system/{systemd-logind,user@}.service.d; do
mkdir -p "$d"
cat > "$d"/proc_hidepid_whitelist.conf <<EOF
[Service]
SupplementaryGroups=proc
EOF
done |
Note that recent kernels allow per-namespace hidepid, and we expose this through ProctectProc= and turned it on for all our long-running services. This is a much nicer solution since turning this on is opt-in per-service and making use of it can be done generically for all systems instead of just doing local hacks. And turning this on per-service won't negatively impact the rest of the system. |
@Zocker1999NET Even though we're using different desktop environments, that sounds extremely similar to my issue. I couldn't properly start a wayland desktop session because of issues with dbus and the Debian-gdm service not starting properly, so it would instead start a partially-working X11 session. @poettering Good to know, so that means that the patch set you were referring to finally got merged? Thanks |
Yes. |
This is not a complete solution. Users may run one-off commands that contain credentials in the command line or environment, which would be left unprotected. |
@poettering I'm unsure whether
|
@poettering How does having this as a service option help? To avoid users seeing each other's processes, I have to set The only real workaround I've found so far is disabling the unified cgroup hierarchy by setting the boot option
|
Actually, as far as I understand, credential exposure might happen under the hood in a normal desktop (no command-line) usage:
|
There is no real consensus or official solution as of yet on this issue ? Just asking as I just hit the issue recently |
@Zocker1999NET I believe I ran all your workaround steps and added my user to the proc group, but I haven't been able to solve the issue, I should perhaps give a try to |
Actually a reboot fixed it, it seems, but reloading systemd-logind and logging in back again, thanks for the workaround @Zocker1999NET and sorry for the ping. |
Sorry to wake up an old issue, but I'd like to provide new information. I encountered an issue where Wayland and GNOME Shell boot into a black screen when procfs is mounted with I ran Instead, I tried the following command:
After rebooting, Wayland and GNOME Shell successfully started. I'm not familiar with Please let me know if you have any concerns about using this method. |
systemd version the issue has been seen with
Used distribution
Expected behaviour you didn't see
Unexpected behaviour you saw
Steps to reproduce the problem
We are using the "unified" hierarchy, not sure whether it makes any difference
Workaround
This can be worked-around by adding
SupplementaryGroups=4
to(Original hint from https://github.com/pld-linux/systemd/blob/master/proc-hidepid.patch)
But, in this case, all user processes created by systemd user instance have the supplementary group 4, which reduces the usefulness of the 'hidepid=2' feature. It does not however affect sessions opened via SSH so that there is still some benefit :)
Is there any way to avoid propagating the supplementary group to the child processes or, is there a way to avoid needing the patch at least on the user@.service (which I believe, would 'fix' the 'leak') ? I'd naively imagine that the user instance could query the system instance for the info it needs :)
Thanks,
The text was updated successfully, but these errors were encountered: