From ab32c8181dd8579a65a5967f56929ad078cff4f9 Mon Sep 17 00:00:00 2001 From: Wolfgang Müller Date: Wed, 27 Oct 2021 12:46:43 +0200 Subject: content: Add new post: "proc(5) hidepid=2 and systemd" --- content/12/index.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 content/12/index.md diff --git a/content/12/index.md b/content/12/index.md new file mode 100644 index 0000000..d9bb3a2 --- /dev/null +++ b/content/12/index.md @@ -0,0 +1,35 @@ ++++ +date = 2021-10-27T12:46:24+02:00 +title = "proc(5) hidepid=2 and systemd" + +[taxonomies] +tags = ["TIL", "systemd"] ++++ + +A couple of days ago I turned on +[`hidepid=2`](https://manpages.debian.org/bullseye/manpages/proc.5.en.html#hidepid) +for the `/proc` mount on my desktop PC. Today I saw the `systemd-userdbd` +service failing on bootup, and realized that it had been failing to start for a +few days. Aside from the fact that there really should be a well-supported and +easy way to notify administrators of failing units, this obviously needed some +investigation. + +`systemctl status systemd-userdbd.service` wasn't very helpful, but `journalctl` +had the specific error: +``` +[..] spawning /lib/systemd/systemd-userdbd: Read-only file system +``` + +I didn't immediately jump to the conclusion that this had to do with enabling +`hidepid=2`. After all, why would that result in a read-only file system? +Investigating a failure very early on in boot is a pain, so instead of wasting +my time on that I took to GitHub issues. + +As it turns out, `hidepid=` is just +[not supported](https://github.com/systemd/systemd/issues/12955#issuecomment-508490893) +[at all](https://github.com/systemd/systemd/issues/20848#issuecomment-930185888) +in systemd. This doesn't seem to be pointed out anywhere, and I certainly was +not aware of it before. Services can set +[`ProtectProc=`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectProc=), +but there doesn't seem to be a clean way of restricting /proc for unprivileged +users like a global `hidepid=2` did. I've removed the option for now. -- cgit v1.2.3-2-gb3c3