[systemd-devel] Mounting /proc with -o hidepid breaks sd-login

Marti Raudsepp marti at juffo.org
Mon Oct 8 14:28:53 PDT 2012

Hi list,

Recently I upgraded to Gnome 3.6 on my Arch Linux desktop, but
gnome-session didn't work no matter what I tried. Ages of debugging
later, strace revealed this:
[pid  2063] open("/proc/1/cgroup", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No
such file or directory)
[pid  2063] writev(2, [{"gnome-session[2063]: WARNING: Could not get
session id for session. Check that logind is properly in"..., 150}],
1) = 150

Turns out it happens because I was mounting /proc with hidepid=2 on my
systems. It's a nice security feature introduced in Linux 3.3 which
hides all other users' processes from unprivileged users.

Jan Steffens pointed out that this open call actually comes from
systemd's sd-login. What's the reason why sd-login needs to poke
around in init's cgroups? It's being called by sd_pid_get_owner_uid
and sd_pid_get_session, but I'm not entirely clear what's happening in
that code.

AFAICT on regular systems, init's cgroup is always "/system", in which
case it gets ignored entirely by the code. Would be safe assume that
on failure to open? Are there any other ways to solve this?

I'm using the hidepid= option on all my systems and it has never
caused problems until now.


More information about the systemd-devel mailing list