On Fri, May 04, 2018 at 18:02:09 +0200, Michael Biebl wrote:
> I guess you have two options here:
> Either drop gid=4 from your mount flags or you add
> SupplementaryGroups=adm to systemd-logind.service

I haven't figured out how to override that .service file locally yet, but I'm trying to add SupplementaryGroups=adm. If I just drop 'gid=4' I won't be able to use "pidin aux" myself.

> Why adm is a suitable group for that purpose is not clear to me, but
> that's besides the point.
> https://wiki.archlinux.org/index.php/Security#hidepid suggests to use a
> dedicated group like proc which makes more sense to me.

Kind of, but that's not a standard Debian group. adm is, and does make sense based on the documentation (also note that johnw independently had the same idea):

https://wiki.debian.org/SystemGroups

"adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, …

staff: Allows users to add local modifications … Compare with group 'adm', which is more related to monitoring/security."

> Anyway, this really seems to simply be a local (mis)configuration issue.

You're right it's a local problem--though not a reasonably foreseeable, noticeable, or easily debuggable consequence of 'hidepid'. If you were willing to add "SupplementaryGroups=adm" to the shipped file, that would be helpful and I think reasonable based on the stated purpose of 'adm'. I'm having trouble thinking of a "proper" way for systemd to handle it while Debian ships with hidepid disabled.

-- 
Michael
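The configuration the thread is arguing about, as an added example that is not part of the original messages or of Debian's systemd packaging: the /proc mount line with hidepid=2 and gid=4, the local drop-in that adds SupplementaryGroups=adm to systemd-logind.service (the drop-in mechanism the reply above says it had not worked out yet), and a small parser that reads a /proc mount's option string and decides whether a unit with a given set of group IDs will still see every process. Assumptions: gid 4 is 'adm' as on stock Debian (verify against /etc/group), the drop-in file name hidepid.conf is our own choice (any *.conf in that directory works), and the sample option strings in the test are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the bug thread: apply the fix Michael Biebl suggests
# (hidepid=2 on /proc with gid=4, plus SupplementaryGroups=adm on logind).
# Assumptions: gid 4 is 'adm' as on stock Debian (check /etc/group), and the
# drop-in file name 'hidepid.conf' is our own choice.

# /etc/fstab entry: hide other users' /proc/<pid> from everyone except members
# of gid 4 (adm). hidepid=2 hides the directories themselves, not just their contents.
proc_fstab_line() {
    printf 'proc /proc proc defaults,hidepid=2,gid=4 0 0\n'
}

# Drop-in for /etc/systemd/system/systemd-logind.service.d/hidepid.conf.
# SupplementaryGroups= in a drop-in is additive to the shipped unit, so this
# does not clobber anything Debian's unit already sets.
logind_dropin() {
    printf '[Service]\nSupplementaryGroups=adm\n'
}

# Install the drop-in and restart logind. Needs root. 'systemctl edit
# systemd-logind.service' creates the same directory interactively.
install_logind_dropin() {
    dir=/etc/systemd/system/systemd-logind.service.d
    mkdir -p "$dir"
    logind_dropin > "$dir/hidepid.conf"
    systemctl daemon-reload
    systemctl restart systemd-logind.service
}

# Parse the option string of a /proc mount (as printed by
# 'findmnt -no OPTIONS /proc') and report the effective hidepid and gid.
# Output: "hidepid=<n> gid=<g>", with '-' where an option is absent.
hidepid_status() {
    hp=-
    g=-
    for o in $(printf '%s' "$1" | tr ',' ' '); do
        case $o in
            hidepid=*) hp=${o#hidepid=} ;;
            gid=*)     g=${o#gid=} ;;
        esac
    done
    printf 'hidepid=%s gid=%s\n' "$hp" "$g"
}

# Decide whether a unit will still see every process under the given /proc
# options: either hidepid is off, or the unit's groups include the exempt gid.
# $1 = mount options, $2 = the unit's group IDs, space-separated.
# Exit status 0 = sees everything, 1 = other users' processes are hidden.
unit_sees_all_pids() {
    status=$(hidepid_status "$1")
    hp=${status#hidepid=}; hp=${hp%% *}
    g=${status##*gid=}
    case $hp in
        -|0) return 0 ;;
    esac
    for ug in $2; do
        [ "$ug" = "$g" ] && return 0
    done
    return 1
}

# Usage: ./hidepid.sh install   (as root)   or   ./hidepid.sh status
case "${1:-}" in
    install) install_logind_dropin ;;
    status)  hidepid_status "$(findmnt -no OPTIONS /proc)" ;;
    *) ;;
esac
```

After `install`, `systemctl show -p SupplementaryGroups systemd-logind.service` should print `SupplementaryGroups=adm`. Two caveats a practitioner should weigh: the same gid= exemption that lets logind enumerate processes also applies to every other service you add to adm, and on Debian membership in adm additionally grants read access to much of /var/log, so this is a wider grant than a dedicated group (the Arch wiki's suggestion) would be. The script is plain POSIX sh and runs under dash.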