Bug#897654: libpam-systemd: "Failed to create session: No such process"

Michael Gold mgold at qnx.com
Fri May 4 18:26:20 BST 2018


On Fri, May 04, 2018 at 18:28:36 +0200, Michael Biebl wrote:
> Use a drop-in config as described in the Arch wiki:
> 
> For user sessions to work correctly, an exception needs to be added for
> systemd-logind:
> 
> /etc/systemd/system/systemd-logind.service.d/hidepid.conf containing
> 
> [Service]
> SupplementaryGroups=proc

Odd, I thought I had created exactly that file (but named override.conf
and with "adm") via "systemctl edit systemd-logind", and got this error:
  Service has more than one ExecStart= setting

But it's working fine now and I do get a session.

> Well, I think granting read access to the syslog files (and the journal
> fwiw) as a side effect of granting read access to /proc makes group adm
> a poor choice. Those should be treated separately.
> 
> A dedicated "proc" group, as the Arch wiki suggests, makes much more
> sense to me.

Access to /proc isn't really a side-effect if 'adm' is for "system
monitoring/security".  Though in practice it does just seem to be used
for log access.

I can't really ask you to add "SupplementaryGroups=proc" when the group
doesn't exist by default.  Of course, anyone enabling hidepid can do it
either way, once they figure out what's going on.  The systemd overrides
make it pretty convenient (e.g., I don't have to maintain an entire copy
of the service file with one extra line).

-- Michael
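
Added example, not part of the original message or of the Debian or systemd packaging: a shell check that a systemd-logind drop-in names the group exempted by the `gid=` option on a hidepid-mounted /proc. The function names, the temporary file paths and gid 26 for "proc" are assumptions constructed for illustration; on a real host the inputs would be /proc/mounts, the drop-in file and /etc/group.

```sh
# Print "<hidepid> <gid>" for the /proc mount; a missing option prints as "-".
proc_opts() {
    awk '$2 == "/proc" && $3 == "proc" {
        h = "-"; g = "-"
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^hidepid=/) h = substr(o[i], 9)
            if (o[i] ~ /^gid=/)     g = substr(o[i], 5)
        }
        print h, g; exit
    }' "$1"
}

# Print every SupplementaryGroups= entry in the [Service] section, one per line.
dropin_groups() {
    awk '/^\[/ { in_svc = ($0 == "[Service]"); next }
         in_svc && /^SupplementaryGroups=/ {
             sub(/^SupplementaryGroups=/, "")
             n = split($0, g, " ")
             for (i = 1; i <= n; i++) print g[i]
         }' "$1"
}

# Resolve a group name (or numeric gid) to a gid using an /etc/group-format file.
to_gid() {
    awk -F: -v g="$1" '$1 == g || $3 == g { print $3; exit }' "$2"
}

# Args: mounts-file dropin-file group-file. Returns 1 when hidepid hides /proc from logind.
check_logind_hidepid() {
    opts=$(proc_opts "$1")
    hidepid=${opts%% *}; gid=${opts##* }
    case "$hidepid" in ""|-|0|off) echo "hidepid not active"; return 0 ;; esac
    if [ "$gid" = "-" ]; then echo "hidepid=$hidepid set without gid="; return 1; fi
    for name in $(dropin_groups "$2"); do
        if [ "$(to_gid "$name" "$3")" = "$gid" ]; then
            echo "logind exempt via $name"; return 0
        fi
    done
    echo "logind lacks a group with gid $gid"; return 1
}

# Constructed sample inputs (not taken from the bug report).
tmp=$(mktemp -d)
printf 'proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=26,hidepid=2 0 0\n' > "$tmp/mounts"
printf '[Service]\nSupplementaryGroups=proc\n' > "$tmp/hidepid.conf"
printf 'adm:x:4:\nproc:x:26:\n' > "$tmp/group"
check_logind_hidepid "$tmp/mounts" "$tmp/hidepid.conf" "$tmp/group"
```

The check compares numeric gids because /proc/mounts reports `gid=` as a number while the drop-in usually names the group.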