Open thican opened 7 months ago
bluca
commented
6 months ago My objective is to set a working environment with "modern" privileges workflow while keeping the hidepid=2 feature of /proc to ensure privacy and security.
Setting hidepid globally is not a "modern privilege workflow", it's security theater that doesn't provide any real value, and will break a great deal of things. Just don't use it, and instead use service sandboxing.
thican
commented
6 months ago Thanks for your feedback.
While it might have no real security value, nothing else is broken for the 6-7 years I use it, both on server and on desktop environment, and its privacy feature is effective.
At least pkexec should not put any other process in suspended state (not 100% sure if it’s pkexec or the desktop environment’s policykit helper), which is the original point of this report.
Source report: https://bugs.gentoo.org/924621
I discovered using pkexec outside a terminal will freezes most (if not all) graphical processes, as shown by
htopwith the "T" state (which meanstraced or suspended (e.g by SIGTSTP)) when/procis mounted withhidepid=2orhidepid=1.It happened when I used OBS Studio to create a virtual webcam, which tries to load kernel module v4l2loopback through
pkexeccall.In normal context, with MATE desktop environment, a window will pop asking for root password.
However when hidepid is enable,
/usr/libexec/polkit-mate-authentication-agent-1will issue a warning when opening the session (stored in file~/.materc-errors), such as:(see GH-80 and GH-121)
I recently added the patch GH-423 on top of release 124, same issue.
To reproduce:
hidepid=2(or =1) option for /proc (mount -o remount,hidepid=2 /proc);pkexec modprobe v4l2loopback video_nr=10,11 card_label="Dummy video device","Second video device";To leave this broken state, I have to send the signal
SIGHUPon processxinit, which closes my whole session.My objective is to set a working environment with "modern" privileges workflow while keeping the
hidepid=2feature of /proc to ensure privacy and security.