Bug#897654: libpam-systemd: "Failed to create session: No such process"

Michael Biebl biebl at debian.org
Fri May 4 17:28:36 BST 2018


On 04.05.2018 at 18:24, Michael Gold wrote:
> On Fri, May 04, 2018 at 18:02:09 +0200, Michael Biebl wrote:
>> I guess you have two options here:
>> Either drop gid=4 from your mount flags or you add
>> SupplementaryGroups=adm to systemd-logind.service
> 
> I haven't figured out how to override that .service file locally yet,
> but I'm trying to add SupplementaryGroups=adm.

Use a drop-in config as described in the Arch wiki:

For user sessions to work correctly, an exception needs to be added for
systemd-logind:

/etc/systemd/system/systemd-logind.service.d/hidepid.conf containing

[Service]
SupplementaryGroups=proc

> If I just drop 'gid=4' I won't be able to use "pidin aux" myself.
> 
>> Why adm is a suitable group for that purpose is not clear to me, but
>> that's beside the point.
>> https://wiki.archlinux.org/index.php/Security#hidepid suggests to use a
>> dedicated group like proc which makes more sense to me.
> 
> Kind of, but that's not a standard Debian group.  adm is, and does make
> sense based on the documentation (also note that johnw independently had
> the same idea):
> 	https://wiki.debian.org/SystemGroups
> 	"adm: Group adm is used for system monitoring tasks. Members of this
> 	 group can read many log files in /var/log, …
> 	 staff: Allows users to add local modifications … Compare with group
> 	 'adm', which is more related to monitoring/security."
> 

Well, I think granting read access to the syslog files (and the journal
fwiw) as a side effect of granting read access to /proc makes group adm
a poor choice. Those should be treated separately.

A dedicated "proc" group, as the Arch wiki suggests, makes much more
sense to me.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



More information about the Pkg-systemd-maintainers mailing list