[systemd-devel] Normal user can ask status of services

Demi Marie Obenour demi at invisiblethingslab.com
Sun Aug 27 18:52:38 UTC 2023


On Sun, Aug 27, 2023 at 07:35:53PM +0200, Cecil Westerhof wrote:
> Op zo 27 aug 2023 om 18:30 schreef Leon Fauster <leonfauster at googlemail.com
> >:
> 
> > Am 26.08.23 um 18:41 schrieb Cecil Westerhof:
> > > Replying on google does not work as I am used to. It sends to the sender
> > > instead of the group. 😱
> > >
> > > Op za 26 aug 2023 om 18:36 schreef Cecil Westerhof
> > > <cldwesterhof at gmail.com <mailto:cldwesterhof at gmail.com>>:
> > >
> > >     Op za 26 aug 2023 om 14:46 schreef Michael Biebl <mbiebl at gmail.com
> > >     <mailto:mbiebl at gmail.com>>:
> > >
> > >         Am Sa., 26. Aug. 2023 um 09:44 Uhr schrieb Cecil Westerhof
> > >         <cldwesterhof at gmail.com <mailto:cldwesterhof at gmail.com>>:
> > >          >
> > >          > I am at last implementing systemd timers. The service I
> > >         created can have its status queried by a normal user. I thought
> > >         I must have made a mistake. But when I do:
> > >          >     systemctl status cron
> > >          >
> > >          > I get:
> > >          >     ● cron.service - Regular background program processing
> > daemon
> > >          >          Loaded: loaded (/lib/systemd/system/cron.service;
> > >         enabled; preset: enabled)
> > >          >          Active: active (running) since Sat 2023-08-19
> > >         18:12:04 CEST; 6 days ago
> > >          >            Docs: man:cron(8)
> > >          >        Main PID: 790 (cron)
> > >          >           Tasks: 1 (limit: 17837)
> > >          >          Memory: 91.0M
> > >          >             CPU: 14min 3.110s
> > >          >          CGroup: /system.slice/cron.service
> > >          >                  └─790 /usr/sbin/cron -f
> > >          >
> > >          >     Warning: some journal files were not opened due to
> > >         insufficient permissions.
> > >          >
> > >          > Is this the expected behaviour?
> > >          > If not: what could be wrong with my system?
> > >          >
> > >          > This is on Debian 11.
> > >
> > >         Reading system logs is a privileged operation.
> > >
> > >         You can grant this privilege to individual users by adding them
> > >         to the
> > >         systemd-journal (or adm) group.
> > >
> > >         Adding users to the adm will grant them additional privileges,
> > >         so be careful.
> > >
> > >
> > >     The user is in the lpadmin group, but not in systemd-journal, or adm
> > >     and still can ask the status.
> > >     Another reply indicates that this is normal.
> > >
> >
> >
> > Well, you can look at the process list anytime as normal user. So, what
> > are you trying to accomplishing. Whats the goal? Hiding the process from
> > the users?
> >
> 
> I was surprised that I could see it. And as I understand it, I am certainly
> not the only one. One reply on my question was even that it is a privileged
> operation and should not be possible without a group added to the user
> which was not added to the user.
> I agree that you can find out everything with ps, but that is a lot more
> work.
> I was just surprised that it was possible —and again I am far from the only
> one—, I just wanted to check it out and now I know it is expected behaviour.
> Better to ask a 'dump' question than staying ignorant I think.

Also access to other users' stuff in /proc can be disabled by a mount
option (hidepid=2).
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20230827/324e1566/attachment-0001.sig>


More information about the systemd-devel mailing list