heftig/rtkit

Incompatible with proc hidepid=2?

Opened this issue · 10 comments

Hello.
I use /proc mounted with (among other options) hidepid=2,gid=133
In that group (named nohidepid) among others I have added the rtkit user.
It still doesn't work.
I tried

# cat /etc/systemd/system/rtkit-daemon.service.d/override.conf
[Service]
SupplementaryGroups=nohidepid

Doesn't work even after a reboot.
The privilege dropping seems to discard supplementary groups :-(
Thanks!

Yes. Not sure how easy this is to fix. You might need to make your nohidepid group rtkit's main group.

Yeah, of course, but still: that's a workaround, not a proper fix and behavior.
Thanks for your answer Jan!

This workaround doesn't actually work. Still Failed to look up client: No such file or directory.

@Maryse47 Are you sure? What did you try?

So, I think the problem is that as part of "dropping privileges" (which can be disabled with --no-drop-privileges), rtkit-daemon changes its user and group but disregards supplementary groups (which get cleared).

PTRACE capability overrides hidepid, but I think this would give the daemon too many privileges. I think it's a better option to make it actually apply the supplementary groups for the rtkit user.

Seems it needs quite a bit of code to do that, though. I would prefer to kill all the privilege dropping and resource limits code from rtkit and add equivalent directives to the systemd service unit. Arch Linux would be fine with this, but I don't know if all my other downstreams would appreciate it.

@heftig I changed rtkit's primary group to the one used by hidepid, confirmed that the daemon runs as user:rtkit group:<hidepid_group> and still it spams the journal with Failed to look up client: No such file or directory after the rtkit daemon starts. I tested it after a reboot.

Honestly, I wouldn't mind getting rid of rtkit altogether, so if it's possible to make it an optional dep for pulseaudio and pipewire and call it incompatible with the hidepid option, that would be an acceptable solution.

> Seems it needs quite a bit of code to do that, though. I would prefer to kill all the privilege dropping and resource limits code from rtkit and add equivalent directives to the systemd service unit. Arch Linux would be fine with this, but I don't know if all my other downstreams would appreciate it.

@heftig drop it or make it optional. This project is in maintenance mode already anyway, so we should prob simplify it so it is more maintainable.

exuvo commented

Is there no workaround for this other than disabling hidepid?

You can remove/disable rtkit if you don't need it.

exuvo commented

Unfortunately I do need it for pulseaudio and pulseeffects.

Looking at the code, can it not be resolved by just sending in the proc group in rtkit-daemon.c:1762 if (setgroups(0, NULL) < 0 || ? That call clears all the supplementary groups right now.

exuvo commented

I just recompiled with the following change and I can now use hidepid=2,gid=proc with rtkit working. Group proc has id 26 on my system.

At rtkit-daemon.c:1762

id_t groups[1] = { 26 };
if (setgroups(1, groups) < 0 ||
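
An added example, not rtkit's code and not posted by anyone in this thread: a privilege drop that applies the target user's own supplementary groups instead of clearing them with setgroups(0, NULL) or hard-coding a single gid. The function names `user_groups` and `drop_to_user` and the default user name `rtkit` are assumptions, and the process must start as root for the drop to succeed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* setgroups(), getgrouplist() */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: uid, primary gid and full group list of `user`.
 * Returns the number of gids in *out (caller frees), or -1 on failure. */
int user_groups(const char *user, uid_t *uid, gid_t *gid, gid_t **out)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    int n = 16;
    gid_t *g = malloc(n * sizeof *g);
    if (g && getgrouplist(user, *gid, g, &n) < 0) {
        /* Buffer too small: n now holds the required number of entries. */
        gid_t *bigger = realloc(g, n * sizeof *g);
        if (!bigger) { free(g); return -1; }
        g = bigger;
        if (getgrouplist(user, *gid, g, &n) < 0) { free(g); return -1; }
    }
    if (!g) return -1;
    *out = g;
    return n;
}

/* Hypothetical drop: groups and gid must change while still root, uid last.
 * Returns 0 on success, -1 on any failure. */
int drop_to_user(const char *user)
{
    uid_t uid; gid_t gid, *g;
    int n = user_groups(user, &uid, &gid, &g);
    if (n < 0) return -1;
    int rc = setgroups((size_t)n, g);    /* rather than setgroups(0, NULL) */
    free(g);
    if (rc < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;  /* root must be gone */
}

int main(int argc, char **argv)
{
    return drop_to_user(argc > 1 ? argv[1] : "rtkit") == 0 ? 0 : 1;
}
```

glibc's initgroups(3) does the group lookup and the setgroups call in one step; the explicit version is shown so the resulting group list is visible.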