[systemd-devel] Normal user can ask status of services
Demi Marie Obenour
demi at invisiblethingslab.com
Sun Aug 27 18:52:38 UTC 2023
On Sun, Aug 27, 2023 at 07:35:53PM +0200, Cecil Westerhof wrote:
> > On Sun 27 Aug 2023 at 18:30, Leon Fauster <leonfauster at googlemail.com> wrote:
> >
> > > On 26.08.23 at 18:41, Cecil Westerhof wrote:
> > > Replying on Google does not work as I am used to. It sends to the sender
> > > instead of the group. 😱
> > >
> > > On Sat 26 Aug 2023 at 18:36, Cecil Westerhof <cldwesterhof at gmail.com> wrote:
> > >
> > > On Sat 26 Aug 2023 at 14:46, Michael Biebl <mbiebl at gmail.com> wrote:
> > >
> > > On Sat 26 Aug 2023 at 09:44, Cecil Westerhof <cldwesterhof at gmail.com> wrote:
> > > >
> > > > I am at last implementing systemd timers. The service I created can have
> > > > its status queried by a normal user. I thought I must have made a mistake.
> > > > But when I do:
> > > > systemctl status cron
> > > >
> > > > I get:
> > > > ● cron.service - Regular background program processing daemon
> > > >      Loaded: loaded (/lib/systemd/system/cron.service; enabled; preset: enabled)
> > > >      Active: active (running) since Sat 2023-08-19 18:12:04 CEST; 6 days ago
> > > >        Docs: man:cron(8)
> > > >    Main PID: 790 (cron)
> > > >       Tasks: 1 (limit: 17837)
> > > >      Memory: 91.0M
> > > >         CPU: 14min 3.110s
> > > >      CGroup: /system.slice/cron.service
> > > >              └─790 /usr/sbin/cron -f
> > > >
> > > > Warning: some journal files were not opened due to insufficient permissions.
> > > >
> > > > Is this the expected behaviour?
> > > > If not: what could be wrong with my system?
> > > >
> > > > This is on Debian 11.
> > >
> > > Reading system logs is a privileged operation.
> > >
> > > You can grant this privilege to individual users by adding them to the
> > > systemd-journal (or adm) group.
> > >
> > > Adding users to the adm will grant them additional privileges,
> > > so be careful.
> > >
> > >
> > > The user is in the lpadmin group, but not in systemd-journal, or adm
> > > and still can ask the status.
> > > Another reply indicates that this is normal.
> > >
> >
> >
> > Well, you can look at the process list any time as a normal user. So, what
> > are you trying to accomplish? What's the goal? Hiding the process from
> > the users?
> >
>
> I was surprised that I could see it. And as I understand it, I am certainly
> not the only one. One reply on my question was even that it is a privileged
> operation and should not be possible without a group added to the user
> which was not added to the user.
> I agree that you can find out everything with ps, but that is a lot more
> work.
> I was just surprised that it was possible —and again I am far from the only
> one—, I just wanted to check it out and now I know it is expected behaviour.
> Better to ask a 'dumb' question than staying ignorant, I think.
Also access to other users' stuff in /proc can be disabled by a mount
option (hidepid=2).
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
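An added example, not code from this thread or from systemd: a small POSIX shell audit of the two controls the replies above mention for an unprivileged user, journal read access through the systemd-journal or adm group, and the hidepid mount option on /proc. The group names come from Michael's reply and the hidepid values from proc(5); the sample option strings, the function names and the `--live` flag are assumptions of the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from systemd.
# It audits the two controls discussed above for an unprivileged user:
#   1. journal read access, granted by membership in systemd-journal (owner of
#      /var/log/journal) or adm (Debian grants adm an ACL on it);
#   2. hidepid on /proc, which hides other users' /proc/PID entries.
# The pure functions take their input as arguments so they can be checked
# against constructed data; the live audit at the end runs only with --live.

# Print the hidepid value from a comma-separated /proc mount option string,
# or "0" when the option is absent (the kernel default: every user can read
# other users' /proc/PID directories). Kernels since 5.8 also accept the
# names "invisible" (same as 2) and "ptraceable" (same as 4); those are
# printed as written.
hidepid_level() {
    level=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^hidepid=//p' | tail -n 1)
    printf '%s\n' "${level:-0}"
}

# Return 0 when the space-separated group list in $1 (the format `id -nG`
# prints) contains a group with journal read access, 1 otherwise.
journal_group_member() {
    for g in $1; do
        case "$g" in
            systemd-journal|adm) return 0 ;;
        esac
    done
    return 1
}

# Summarise what a user with groups $1 sees on a system whose /proc is
# mounted with options $2, as "journal=yes|no other_users_procs=<level>".
visibility() {
    if journal_group_member "$1"; then logs=yes; else logs=no; fi
    case "$(hidepid_level "$2")" in
        0)           procs=all ;;        # ps shows everyone's command lines
        1)           procs=pids-only ;;  # /proc/PID listable, contents denied
        2|invisible) procs=hidden ;;     # other users' /proc/PID not visible at all
        *)           procs=other ;;      # e.g. ptraceable (hidepid=4)
    esac
    printf 'journal=%s other_users_procs=%s\n' "$logs" "$procs"
}

# Live check for the calling user: groups from id(1), /proc options from the
# kernel's own mount table. Nothing here needs root.
audit_live() {
    procopts=$(awk '$2 == "/proc" && $3 == "proc" { print $4; exit }' /proc/self/mounts)
    printf '%s: ' "$(id -un)"
    visibility "$(id -nG)" "$procopts"
}

# To turn hidepid on, remount /proc (see proc(5)); gid= names a numeric group
# ID whose members keep the full view, for monitoring daemons that need it:
#   mount -o remount,hidepid=2,gid=<exempt gid> /proc
# or persistently in /etc/fstab:
#   proc  /proc  proc  defaults,hidepid=2,gid=<exempt gid>  0  0

if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it as `sh audit.sh --live` to report on the calling user; the functions also accept recorded `id -nG` output and mount options from another host. Note that hidepid only narrows what ps and /proc reveal: the unit state that `systemctl status` prints comes from systemd over D-Bus, which is why the thread concludes that seeing it as a normal user is expected, while the journal lines stay gated by the group membership.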