Bug #16074

Re-enable hidepid

Added by intrigeri 10 months ago. Updated 8 months ago.

Status: Confirmed
Priority: Low
Assignee: -
Category: -
Target version: -
Start date: 10/25/2018
Due date: -
% Done: 0%
Feature Branch: -
Type of work: Test
Blueprint: -
Starter: -
Affected tool: -
Description

When porting to Jessie we tried to enable the hidepid=2 hardening feature but we reverted it as it broke stuff (e.g. #8256). It seems one can make hidepid=2 work:

  • pass gid=<gid> mount option for /proc
  • give systemd-logind.service the SupplementaryGroups=<gid> option
  • possibly some more services need to have SupplementaryGroups=<gid>, e.g. polkitd; testing will tell
  • add the polkitd user to the <gid> group

See https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid for details and possibly more up-to-date info.
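As an added, concrete version of the four steps above (example code, not Tails' or Debian's own), the script below renders the fstab entry, the systemd drop-ins, and two checks you can run before and after a reboot. It assumes a group named proc has been created beforehand (groupadd proc), that the drop-in file name hidepid.conf is ours to choose, and that the polkitd unit is polkit.service as shipped by Debian. The kernel parses gid= on a proc mount as a number, so the fstab line takes the numeric gid. Note that before Linux 5.8 the hidepid/gid options were shared by every procfs mount on the system, so setting them on the host also applied inside containers.

```shell
#!/bin/sh
# Added example (not Tails' or Debian's own code): pieces needed to run
# /proc with hidepid=2 while letting systemd-logind and polkit keep
# seeing every user's processes.  Assumed: group "proc" already exists.
PROC_GROUP=proc

# fstab entry: hidepid=2 hides other users' /proc/<pid> directories
# entirely; gid=<numeric gid> exempts members of that group.
fstab_line() {
    printf 'proc\t/proc\tproc\tdefaults,hidepid=2,gid=%s\t0\t0\n' "$1"
}

# systemd drop-in body: run the service with the exempt group as a
# supplementary group so it can still enumerate all processes.
dropin_content() {
    printf '[Service]\nSupplementaryGroups=%s\n' "$1"
}

# Write the drop-in for one unit under $root (default: the real system)
# and print the path written.  Pass a scratch directory to dry-run.
write_dropin() {
    unit=$1; group=$2; root=${3:-}
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    dropin_content "$group" > "$dir/hidepid.conf"
    printf '%s\n' "$dir/hidepid.conf"
}

# Does the given mounts table (default: the live one) show /proc mounted
# with hidepid=2?  Kernels >= 5.8 may report the value as "invisible".
hidepid_active() {
    awk '$2 == "/proc" && $4 ~ /hidepid=(2|invisible)/ { found = 1 }
         END { exit !found }' "${1:-/proc/self/mounts}"
}

# Count numeric (PID) entries in a proc directory.  Run as an unprivileged
# user outside the exempt group, this equals the number of that user's
# own processes once hidepid=2 is active, instead of every PID on the box.
visible_pids() {
    ls "${1:-/proc}" | grep -c '^[0-9][0-9]*$' || true
}

# Apply everything for real (needs root).  Kept in a function so sourcing
# this file for the checks above has no side effects.
apply_hidepid() {
    gid=$(getent group "$PROC_GROUP" | cut -d: -f3)
    [ -n "$gid" ] || { echo "group $PROC_GROUP missing" >&2; return 1; }
    fstab_line "$gid" >> /etc/fstab
    # polkit.service is the Debian unit name for polkitd; the ticket also
    # suggests putting the polkitd user itself in the group.
    for unit in systemd-logind.service polkit.service; do
        write_dropin "$unit" "$PROC_GROUP"
    done
    adduser polkitd "$PROC_GROUP"
    systemctl daemon-reload
    mount -o remount,hidepid=2,gid="$gid" /proc
    echo "reboot (or restart the units) for SupplementaryGroups= to apply"
}
```

After applying, `hidepid_active` should succeed and `visible_pids` run as a normal user should drop to that user's own process count; if a desktop component such as polkit then fails to see sessions, that is the service which also needs the SupplementaryGroups= drop-in, which is exactly the "testing will tell" part of the ticket.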

History

#1 Updated by intrigeri 10 months ago

  • Type of work changed from Code to Test

I'll try that on my own system and if it's good enough there, chances are that it'll work for Tails too :)

#2 Updated by intrigeri 8 months ago

  • Description updated (diff)
