
When /proc is mounted with hidepid=2, it doesn't work #161

Closed
hakavlad opened this issue Feb 27, 2020 · 13 comments

Comments

@hakavlad
Contributor

earlyoom.service: drop root privileges
Run as a random unprivileged user instead of as root,
but add the capabilities CAP_KILL CAP_IPC_LOCK.
f2b45e6

When /proc is mounted with hidepid=2, it doesn't work. The Earlyoom service can only see its own pid.

@rfjakob
Owner

rfjakob commented Feb 27, 2020

Hi, what is hidepid?

@hakavlad
Contributor Author

hakavlad commented Feb 27, 2020

proc /proc proc defaults,hidepid=2,gid=admin 0 0

Add this in /etc/fstab, and processes will only be able to see the proc directories of the same user.

See https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/

https://www.linux-dev.org/2012/09/hide-process-information-for-other-users/

@hakavlad
Contributor Author

How to test:

# mount -o remount,hidepid=2 /proc

@rfjakob
Owner

rfjakob commented Feb 28, 2020

I think this is a similar situation as "/proc is not mounted". We can't do anything about it.

@grapeli

grapeli commented Feb 28, 2020

No, it's not the same situation.
The solution is really simple.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/proc.txt#n2045

gid= defines a group authorized to learn processes information otherwise prohibited by hidepid=.

[Service]
SupplementaryGroups=proc

@rfjakob
Owner

rfjakob commented Feb 28, 2020

Is there a distribution that uses hidepid ?

@grapeli

grapeli commented Feb 28, 2020

https://wiki.archlinux.org/index.php/Security#hidepid
Default? I do not know. I use it under Archlinux. In the olden days I used 2.6 with grsecurity.

@hakavlad
Contributor Author

hakavlad commented Feb 29, 2020

SupplementaryGroups= does not work with dynamic groups systemd/systemd#8219. So, this may not work.

@hakavlad
Contributor Author

I set SupplementaryGroups=proc and got the output in the journal (with systemd 232 on Debian 9):

фев 29 11:47:52 PC systemd[1]: Started Early OOM Daemon.
фев 29 11:47:52 PC systemd[843]: earlyoom.service: Failed at step GROUP spawning /usr/local/bin/earlyoom: No such process
фев 29 11:47:53 PC systemd[1]: earlyoom.service: Main process exited, code=exited, status=216/GROUP
фев 29 11:47:53 PC systemd[1]: earlyoom.service: Unit entered failed state.
фев 29 11:47:53 PC systemd[1]: earlyoom.service: Failed with result 'exit-code'.

@hakavlad
Contributor Author

фев 29 11:47:52 PC systemd[843]: earlyoom.service: Failed at step GROUP spawning /usr/local/bin/earlyoom: No such process

-- this happens when supplementary group does not exist.

@hakavlad
Contributor Author

Mount proc with hidepid=2,gid=adm and set SupplementaryGroups=adm in the unit, and it works well with systemd 232.

@grapeli

grapeli commented Feb 29, 2020

It also works for me (SupplementaryGroups)

This is a distribution level solution. Just mention it explicitly in README.
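The thread above establishes three distinct outcomes for an unprivileged earlyoom unit: /proc mounted with hidepid but no matching group (the daemon sees only itself), SupplementaryGroups= naming a group that does not exist (systemd fails at step GROUP, status 216/GROUP), and hidepid=2,gid=<group> paired with SupplementaryGroups=<same group> (works). The script below is an added example, not earlyoom's code or anything from this thread: it reads the /proc mount options, /etc/group and a unit file as text and reports which of those states a deployment is in, so the mismatch can be caught before the service is started. The sample mount, group and unit contents are constructed; the symbolic hidepid names (off, noaccess, invisible, ptraceable) accepted by newer kernels are handled alongside the numeric values shown in this thread. The check assumes the service runs as an unprivileged user without CAP_SYS_PTRACE, as in the commit referenced at the top of the issue.

```python
"""Check that a systemd unit's SupplementaryGroups= matches the gid= that
authorizes /proc access under hidepid=.  Added example for this issue; not
earlyoom's own code.  All inputs are parsed from text so it runs offline."""
import re
from typing import Dict, List, Optional

# Newer kernels print/accept these names; older ones use the numbers 0/1/2.
HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}

# Constructed sample of /proc/mounts (not captured from a real host).
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=4 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""

# Constructed /etc/group excerpt; note there is no "proc" group here.
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog
nogroup:x:65534:
"""

# Constructed unit fragment in the shape suggested in this thread.
SAMPLE_UNIT = """\
[Service]
User=nobody
SupplementaryGroups=adm
"""


def parse_proc_mount(mounts_text: str) -> Optional[Dict[str, Optional[int]]]:
    """Return {'hidepid': level, 'gid': authorized gid or None} for the
    /proc mount, or None if procfs is not mounted at /proc at all."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "/proc" or fields[2] != "proc":
            continue
        opts = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            opts[key] = value
        raw = opts.get("hidepid", "0")
        hidepid = HIDEPID_NAMES[raw] if raw in HIDEPID_NAMES else int(raw)
        gid = int(opts["gid"]) if "gid" in opts else None
        return {"hidepid": hidepid, "gid": gid}
    return None


def parse_groups(group_text: str) -> Dict[str, int]:
    """Map group name -> numeric gid from /etc/group style lines."""
    groups: Dict[str, int] = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, _members = line.split(":", 3)
        groups[name] = int(gid)
    return groups


def unit_supplementary_groups(unit_text: str) -> List[str]:
    """Collect group names from SupplementaryGroups= lines.  systemd treats
    the value as space-separated and an empty assignment as a reset."""
    names: List[str] = []
    for line in unit_text.splitlines():
        m = re.match(r"\s*SupplementaryGroups=(.*)$", line)
        if m:
            value = m.group(1).strip()
            names = names + value.split() if value else []
    return names


def check_unit(mounts_text: str, group_text: str, unit_text: str) -> str:
    """Classify the deployment into one of the states seen in this thread."""
    mnt = parse_proc_mount(mounts_text)
    if mnt is None:
        return "proc-not-mounted"           # nothing to see, regardless of groups
    if mnt["hidepid"] == 0:
        return "hidepid-off"                # unprivileged daemon already sees all pids
    groups = parse_groups(group_text)
    names = unit_supplementary_groups(unit_text)
    missing = [n for n in names if n not in groups]
    if missing:
        # systemd would fail at step GROUP (status 216/GROUP) for this unit.
        return "missing-group:" + ",".join(missing)
    if mnt["gid"] is None or mnt["gid"] not in {groups[n] for n in names}:
        return "not-authorized"             # daemon will only see its own pid
    return "ok"


if __name__ == "__main__":
    print(parse_proc_mount(SAMPLE_MOUNTS))
    print(check_unit(SAMPLE_MOUNTS, SAMPLE_GROUP, SAMPLE_UNIT))
```

On a live host the three inputs would come from /proc/mounts, /etc/group and the unit's drop-in, and a "not-authorized" or "missing-group" result is the thing to fix in the unit before the daemon is enabled. Being a member of the gid= group is only one way past hidepid; a unit that keeps root or CAP_SYS_PTRACE is not restricted, which is why the check is scoped to the unprivileged setup described in this issue.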

@rfjakob
Owner

rfjakob commented Feb 29, 2020

Added to the wiki as https://github.com/rfjakob/earlyoom/wiki/proc-hidepid , thanks

@rfjakob rfjakob closed this as completed Feb 29, 2020