Bug#897654: libpam-systemd: "Failed to create session: No such process"

Michael Gold mgold at qnx.com
Fri May 4 17:24:22 BST 2018


On Fri, May 04, 2018 at 18:02:09 +0200, Michael Biebl wrote:
> I guess you have two options here:
> Either drop gid=4 from your mount flags or you add
> SupplementaryGroups=adm to systemd-logind.service

I haven't figured out how to override that .service file locally yet,
but I'm trying to add SupplementaryGroups=adm.

If I just drop 'gid=4' I won't be able to use "pidin aux" myself.

> Why adm is a suitable group for that purpose is not clear to me, but
> that's beside the point.
> https://wiki.archlinux.org/index.php/Security#hidepid suggests using a
> dedicated group like proc which makes more sense to me.

Kind of, but that's not a standard Debian group.  adm is, and does make
sense based on the documentation (also note that johnw independently had
the same idea):
	https://wiki.debian.org/SystemGroups
	"adm: Group adm is used for system monitoring tasks. Members of this
	 group can read many log files in /var/log, …
	 staff: Allows users to add local modifications … Compare with group
	 'adm', which is more related to monitoring/security."

> Anyway, this really seems to simply be a local (mis)configuration issue.

You're right it's a local problem--though not a reasonably foreseeable,
noticeable, or easily debuggable consequence of 'hidepid'.  If you were
willing to add "SupplementaryGroups=adm" to the shipped file, that would
be helpful and I think reasonable based on the stated purpose of 'adm'.
I'm having trouble thinking of a "proper" way for systemd to handle it
while Debian ships with hidepid disabled.

-- Michael