conflict between polkit (kde-authentication-agent-1) and /proc fs "hidepid=2" option: regression, or new req't?

Jan Rybar jrybar at redhat.com
Wed Nov 6 16:32:59 UTC 2019


Hello,

basically, polkit uses the process's PID, EUID and start_time to track
whether the process is authorized by the agent during the whole lifetime
of a cookie.
This implicitly raises the question of whether hiding PIDs from it is a good idea.

TBH, when I tried to reproduce the situation, I was not even able to
boot with hidepid=2 in /proc mount options, for NetworkManager and
other services refused to start.

I didn't see the hidepid option activated by default in the distributions
I know/use. If you tweak your fstab on your own, you can prevent this
negative situation by creating a special group, adding the user polkit
to it and then activating the "gid=<group>" mount option to tell the kernel
the exceptions from hidepid.

If hidepid is a new trend among distributions and is becoming the default,
please correct me if I'm wrong and I should incorporate this into the
installation scripts. Also, a link to a source would help me a lot.

Thank you!
Jan Rybar

On Wed, Oct 16, 2019 at 9:07 PM PGNet Dev <pgnet.dev at gmail.com> wrote:
>
> I run linux KDE + Plasma5.
>
> After recent kernel upgrades from 5.3.5x -> 5.3.6x (currently, 5.3.6-25.gd6c109d), I was no longer able to
>
>  -- mount removable devices
>  -- build/install kernel mods for VirtualBox
>  -- etc
>
> 'polkit-kde-authentication-agent-1' was no longer exec'ing -- either on boot, or manually.
>
> it appears that /proc entry in fstab
>
>         /etc/fstab
>                 ...
>                 proc     /proc    proc    rw,nosuid,nodev,noexec,relatime,hidepid=2    0 0
>                                                                           ^^^^^^^^^
>                 ...
>
> now has a problem with "hidepid=2"
>
> changing
>
> -               proc     /proc    proc    rw,nosuid,nodev,noexec,relatime,hidepid=2    0 0
> +               proc     /proc    proc    rw,nosuid,nodev,noexec,relatime              0 0
>
> fixes the problem, so that the agent execs correctly.
>
> it appears there's a (new?) conflict between hidepid and polkit.
>
> QUESTION:
>
>         is this intended/expected, and un-hardening the system by removing hidepid is now required?
>
> or, is this a regression? and, if so, in what -- polkit?
>
>
> details of findings so far, here:
>
>         https://bugzilla.opensuse.org/show_bug.cgi?id=1154139
> _______________________________________________
> polkit-devel mailing list
> polkit-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/polkit-devel
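
Added example, not part of the original thread and not polkit's own code: a shell check for the workaround described in the reply, which keeps hidepid and exempts a group through the gid= mount option. It reads a proc mount line (fstab or /proc/mounts layout) and a list of numeric GIDs for the service account; gid 23, gid 999 and the account name polkitd are constructed assumptions.

```shell
#!/bin/sh
# Audit a proc mount line: is hidepid active, and is the service
# account covered by the gid= exemption?

# Print the value of option $2 from the comma-separated list $1
# (prints nothing if the option is absent).
mount_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_proc_exemption <mount-line> <space-separated numeric GIDs>
# Prints one of: open | exempt | blocked. Returns 1 only for "blocked".
check_proc_exemption() {
    # Field 3 is the fs type, field 4 the option list (fstab and /proc/mounts agree).
    opts=$(printf '%s\n' "$1" | awk '$3 == "proc" { print $4 }')
    hide=$(mount_opt "$opts" hidepid)
    case "$hide" in
        ''|0|off) echo open; return 0 ;;   # no restriction on /proc/<pid>
    esac
    gid=$(mount_opt "$opts" gid)           # compared as a numeric GID
    for g in $2; do
        if [ -n "$gid" ] && [ "$g" = "$gid" ]; then
            echo exempt; return 0          # account is in the exempted group
        fi
    done
    echo blocked; return 1                 # hidepid set, no matching gid=
}

# Constructed samples: the fstab line from the report, and the same line
# with a gid= exemption added (23 is a made-up GID).
for line in \
    'proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0' \
    'proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=23 0 0'
do
    printf '%s -> %s\n' "$line" "$(check_proc_exemption "$line" '999 23')"
done

# On a live system (polkitd is an assumed account name):
#   check_proc_exemption "$(grep ' /proc proc ' /proc/mounts)" "$(id -G polkitd)"
```
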


