Re-enable hidepid
Originally created by @intrigeri on #16074 (Redmine)
When porting to Jessie we've tried to enable the `hidepid=2` hardening feature but we reverted it as it broke stuff (e.g. #8256 (closed)). It seems one can make `hidepid=2` work:

- pass the `gid=<gid>` mount option for `/proc`
- give `systemd-logind.service` the `SupplementaryGroups=<gid>` option; possibly some more services need to have `SupplementaryGroups=<gid>`, e.g. polkitd; testing will tell
- add the `polkitd` user to the `<gid>` group
See https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid for details and possibly more up-to-date info.
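The three pieces listed above, put together as an added example (this is not code from the Tails issue or the Debian wiki): a POSIX shell script that emits the `/etc/fstab` line, the systemd drop-in and the `usermod` command, and a check that parses a `/proc/self/mountinfo` line to confirm `hidepid=2` is actually in effect and which gid is exempted. The group name `proc-readers`, the gid `1000` and the two mountinfo lines are placeholders constructed for this example; newer kernels report `hidepid=2` as `hidepid=invisible`, so the check accepts both spellings.

```shell
#!/bin/sh
# Added example, not code from the Tails issue: generate the hidepid=2
# configuration pieces and verify the resulting /proc mount.
# Placeholders (assumptions for this example): group "proc-readers", gid 1000.

HIDEPID_GROUP=proc-readers   # assumed name of the group exempt from hidepid
HIDEPID_GID=1000             # assumed numeric gid of that group

# /etc/fstab line: mount /proc with hidepid=2, exempting members of the gid.
hidepid_fstab_line() {
    printf 'proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=%s 0 0\n' "$1"
}

# Drop-in for /etc/systemd/system/<unit>.d/hidepid.conf (e.g. for
# systemd-logind.service or polkit.service): gives the service the
# supplementary group so it can still see other users' /proc entries.
hidepid_dropin() {
    printf '[Service]\nSupplementaryGroups=%s\n' "$1"
}

# Command an admin runs (only printed here) to put a user such as polkitd
# into the exempt group.
hidepid_usermod_cmd() {
    printf 'usermod -a -G %s %s\n' "$1" "$2"
}

# Check one /proc/self/mountinfo line describing the /proc mount.
# Prints "hidden gid=<n>" when hidepid=2 (or its newer spelling
# "invisible") and a gid= exemption are active, "hidden nogid" when
# hidepid is set without a gid, and "visible" otherwise.
# The per-filesystem options are the last field after the " - " separator.
hidepid_status() {
    line=$1
    superopts=${line##* - }        # -> "proc proc rw,hidepid=2,gid=1000"
    superopts=${superopts##* }     # -> "rw,hidepid=2,gid=1000"
    hidden=0
    gid=
    old_ifs=$IFS
    IFS=,
    for opt in $superopts; do
        case $opt in
            hidepid=2|hidepid=invisible) hidden=1 ;;
            gid=*) gid=${opt#gid=} ;;
        esac
    done
    IFS=$old_ifs
    if [ "$hidden" = 1 ] && [ -n "$gid" ]; then
        echo "hidden gid=$gid"
    elif [ "$hidden" = 1 ]; then
        echo "hidden nogid"
    else
        echo "visible"
    fi
}

# Constructed sample mountinfo lines (not captured from a real system).
SAMPLE_HARDENED='21 1 0:19 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw,hidepid=2,gid=1000'
SAMPLE_DEFAULT='21 1 0:19 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw'

hidepid_fstab_line "$HIDEPID_GID"
hidepid_dropin "$HIDEPID_GROUP"
hidepid_usermod_cmd "$HIDEPID_GROUP" polkitd
hidepid_status "$SAMPLE_HARDENED"
hidepid_status "$SAMPLE_DEFAULT"
```

On a live system, feed `hidepid_status` the real line with `grep ' /proc ' /proc/self/mountinfo`, and remember that a service only benefits from the `gid=` exemption if the group shows up in its `Groups:` line in `/proc/<pid>/status`, which is what the `SupplementaryGroups=` drop-in and the `usermod` step are for.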
Feature Branch: bug/16074-re-enable-hidepid+force-all-tests
Related issues

- Blocked by #17265 (closed)
Edited by intrigeri