[systemd-devel] Mounting /proc with -o hidepid breaks sd-login
Marti Raudsepp
marti at juffo.org
Mon Oct 8 14:28:53 PDT 2012
Hi list,
Recently I upgraded to Gnome 3.6 on my Arch Linux desktop, but
gnome-session didn't work no matter what I tried. Ages of debugging
later, strace revealed this:
[pid 2063] open("/proc/1/cgroup", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[...]
[pid 2063] writev(2, [{"gnome-session[2063]: WARNING: Could not get session id for session. Check that logind is properly in"..., 150}], 1) = 150
Turns out it happens because I was mounting /proc with hidepid=2 on my
systems. It's a nice security feature introduced in Linux 3.3 which
hides all other users' processes from unprivileged users.
Jan Steffens pointed out that this open call actually comes from
systemd's sd-login. What's the reason why sd-login needs to poke
around in init's cgroups? It's being called by sd_pid_get_owner_uid
and sd_pid_get_session, but I'm not entirely clear what's happening in
that code.
AFAICT on regular systems, init's cgroup is always "/system", in which
case it gets ignored entirely by the code. Would it be safe to assume that
on failure to open? Are there any other ways to solve this?
I'm using the hidepid= option on all my systems and it has never
caused problems until now.
Regards,
Marti
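
A diagnostic for the failure described in this message, as an added example that is not part of the original post or of systemd: it reads the hidepid= option of the /proc mount and reports whether /proc/1/cgroup is visible to the calling user. The function names and the --check flag are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical.

# Print the hidepid= value of the proc filesystem mounted on /proc, or
# "unset" when the option is absent. $1 is a file in /proc/mounts format.
# Returns non-zero if no proc mount on /proc is listed.
proc_hidepid() {
    awk '$2 == "/proc" && $3 == "proc" {
             val = "unset"
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++)
                 if (opts[i] ~ /^hidepid=/) val = substr(opts[i], 9)
             found = val          # a later mount line overrides an earlier one
         }
         END { if (found == "") exit 1; print found }' "$1"
}

# Classify how /proc/<pid>/cgroup looks to the calling user.
# $1 = proc root (normally /proc), $2 = pid.
pid_cgroup_visible() {
    if [ -r "$1/$2/cgroup" ]; then
        echo visible
    elif [ -e "$1/$2" ]; then
        echo restricted           # directory exists, file not readable
    else
        echo hidden               # no such directory: open() fails with ENOENT
    fi
}

# Run against the live system only when asked: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    echo "hidepid on /proc: $(proc_hidepid /proc/mounts || echo 'no proc mount')"
    echo "PID 1 cgroup file: $(pid_cgroup_visible /proc 1)"
fi
```

Run it as the unprivileged user whose session fails; a result of "hidden" for PID 1 together with a hidepid value of 2 matches the strace output above.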