Bug#897654: libpam-systemd: "Failed to create session: No such process"

Michael Gold mgold at qnx.com
Thu May 3 22:52:23 BST 2018


On Thu, May 03, 2018 at 23:25:05 +0200, Michael Biebl wrote:
> Well, logind is running as root, but the service file is locked down
> considerably:
> 
> CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL
> CAP_CHOWN CAP_KILL CAP_DAC_REA
> MemoryDenyWriteExecute=yes
> RestrictRealtime=yes
> RestrictNamespaces=yes
> RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module
> @obsolete @raw-io @reboot @swap
> SystemCallArchitectures=native
> LockPersonality=yes
> IPAddressDeny=any
> FileDescriptorStoreMax=512
> 
> You will probably have to tweak those settings yourself, if you want to
> continue to use hidepid

Looking at the Linux code, neither uid 0 nor gid 0 is actually special-cased [fs/proc/base.c]:
	static bool has_pid_permissions(struct pid_namespace *pid,
					 struct task_struct *task,
					 int hide_pid_min)
	{
		if (pid->hide_pid < hide_pid_min)
			return true;
		if (in_group_p(pid->pid_gid))
			return true;
		return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
	}

So I guess it's always just looked like root had special access (e.g.,
"ps aux" works fine as uid=gid=0 with no supplementary groups), based on
that ptrace permission which logind probably lacks.

I found the file you're quoting from in /lib/systemd/system/.  What's
the recommended way to do local changes?  Copy to /etc/systemd/system/
and edit?

This failure is really obscure.  Perhaps logind should try to open
/proc/1 when it hits this case, and log an explicit message about
hidepid if it gets ENOENT there.

-- Michael