Hello,

basically, polkit uses the process's PID, EUID and start_time to track whether the process is authorized by the agent during the whole lifetime of a cookie. This implicitly raises the question of whether hiding PIDs from it is a good idea.

TBH, when I tried to reproduce the situation, I was not even able to boot with hidepid=2 in the /proc mount options, for NetworkManager and other services refused to start. I didn't see the hidepid option activated by default in the distributions I know/use. If you tweak your fstab on your own, you can prevent this negative situation by creating a special group, adding user polkit into it and then activating the "gid=<group>" mount option to tell the kernel the exceptions from hidepid.

If hidepid is a new trend among distributions that is becoming the default, please correct me if I'm wrong and I should incorporate this into installation scripts. Also a link to a source would help me a lot.

Thank you!

Jan Rybar

On Wed, Oct 16, 2019 at 9:07 PM PGNet Dev <pgnet....@gmail.com> wrote:
>
> I run linux KDE + Plasma5.
>
> After recent kernel upgrades from 5.3.5x -> 5.3.6x (currently, 5.3.6-25.gd6c109d), I was no longer able to
>
> -- mount removable devices
> -- build/install kernel mods for VirtualBox
> -- etc
>
> 'polkit-kde-authentication-agent-1' was no longer exec'ing -- either on boot, or manually.
>
> it appears that the /proc entry in fstab
>
> /etc/fstab
> ...
> proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
>                                                 ^^^^^^^^^
> ...
>
> now has a problem with "hidepid=2"
>
> changing
>
> - proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
> + proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
>
> fixes the problem, so that the agent execs correctly.
>
> it appears there's a (new?) conflict between hidepid and polkit.
>
> QUESTION:
>
> is this intended/expected, and un-hardening the system by removing hidepid is now required?
>
> or, is this a regression? and, if so, in what -- polkit?
>
> details of findings so far, here:
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1154139
>
> _______________________________________________
> polkit-devel mailing list
> polkit-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/polkit-devel
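The group-based exception Jan describes above, as an added example that is not part of the thread: a POSIX shell script that creates a dedicated group, enrols the polkit daemon account in it, and keeps hidepid=2 while adding gid=<numeric gid> so that group alone can still see other users' /proc/<pid> entries. The group name `procview`, the account name `polkitd` (the thread only says "user polkit"), and the check via PID 1 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Keep hidepid=2 but exempt one group from it,
# so the polkit daemon can still read /proc/<pid> of the processes it authorizes.
# Assumptions: group "procview" and account "polkitd"; adjust to your distribution.
PROC_GROUP="${PROC_GROUP:-procview}"
POLKIT_USER="${POLKIT_USER:-polkitd}"

# Look up a group's numeric gid in /etc/group; prints nothing if it does not exist.
# The proc gid= option is numeric, so the name itself never goes into fstab.
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3 }' /etc/group
}

# The fstab line replacing the one from the report: hidepid=2 stays, gid=<n> is
# added. Members of that gid see every /proc/<pid>; everyone else only their own.
proc_fstab_line() {
    printf 'proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=%s 0 0\n' "$1"
}

# True when an options string still hides PIDs from ordinary users AND carries a
# numeric gid exception, i.e. the hardening was not simply dropped as in the report.
keeps_hardening() {
    case ",$1," in *,hidepid=2,*) ;; *) return 1 ;; esac
    case ",$1," in *,gid=[0-9]*,*) return 0 ;; *) return 1 ;; esac
}

# Privileged steps (root): create the group, enrol the polkit account, remount
# /proc with the exception, and print the line to persist in /etc/fstab.
apply_exception() {
    [ -n "$(group_gid "$PROC_GROUP")" ] || groupadd --system "$PROC_GROUP"
    usermod -a -G "$PROC_GROUP" "$POLKIT_USER"
    gid=$(group_gid "$PROC_GROUP")
    [ -n "$gid" ] || return 1
    mount -o "remount,hidepid=2,gid=$gid" /proc
    proc_fstab_line "$gid"
}

# Under hidepid=2 a non-member cannot even see /proc/1, so reading /proc/1/status
# as the polkit account proves the exception is in effect for that account.
verify_exception() {
    su -s /bin/sh "$POLKIT_USER" -c 'test -r /proc/1/status'
}

# Only touch the system when asked explicitly; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
    apply_exception && verify_exception && echo "polkit account can see /proc/1"
fi
```

Supplementary group membership only reaches processes started after usermod, so restart polkit (and any other daemon you add to the group, such as the NetworkManager case Jan hit at boot) before trusting the result.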