| field | value | date |
|---|---|---|
| author | Luca Boccassi <bluca@debian.org> | 2021-03-14 12:36:15 +0000 |
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-03-23 01:32:14 +0100 |
| commit | dc7d655abc1e3feab17ad74b51421e2f6ac8aee8 (patch) | |
| tree | e4e5505c531c40a5d7b7da76de001c33554eb6e2 | |
| parent | 438777cc00ccf2c05f8a05fa02907aa7be547719 (diff) | |
| download | systemd-dc7d655abc1e3feab17ad74b51421e2f6ac8aee8.tar.gz | |
man: specify that ProtectProc= does not work with root/cap_sys_ptrace
When using hidepid=invisible on procfs, the kernel will check if the
gid of the process trying to access /proc is the same as the gid of
the process that mounted the /proc instance, or if it has the ptrace
capability:
https://github.com/torvalds/linux/blob/v5.10/fs/proc/base.c#L723
https://github.com/torvalds/linux/blob/v5.10/fs/proc/root.c#L155
Given we set up the /proc instance as root for system services,
the same restriction applies to CAP_SYS_PTRACE: if a process runs with
it then hidepid=invisible has no effect.
ProtectProc effectively can only be used with User= or DynamicUser=yes,
without CAP_SYS_PTRACE.
Update the documentation to explicitly state these limitations.
Fixes #18997
(cherry picked from commit 301e7cd047c8d07715d5dc37f713e8aa031581b4)
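The commit message above describes three ways a service sidesteps hidepid=: running as root, sharing the gid of the process that mounted /proc (gid 0 for system services), and holding CAP_SYS_PTRACE. The following is an added example, not code from the systemd project: a small lint that replays a unit's [Service] settings and reports when ProtectProc= is requested but one of those bypasses applies. It assumes a single unit file with no drop-ins or specifiers, models only the one capability it cares about, cannot see file capabilities on the binary, and treats Group=root as a gid-0 match per the commit message; the two sample units are constructed for the example.

```python
"""Lint systemd unit text for ProtectProc= settings the kernel will not enforce.

Added example, not systemd code. It encodes the limitation described in the
commit message: hidepid= is bypassed by a process running as root, by one
whose gid matches the /proc mounter (gid 0 for system services), and by one
holding CAP_SYS_PTRACE. Parsing is deliberately minimal: a single unit file,
no drop-ins, no specifiers, and no knowledge of file capabilities on the binary.
"""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
TRUTHY = {"yes", "true", "on", "1"}

# Constructed sample units. The first relies on ProtectProc= while still
# running as root; the second fixes that with User= and drops CAP_SYS_PTRACE.
WEAK_UNIT = """\
[Unit]
Description=example daemon (ProtectProc= silently ineffective)

[Service]
ExecStart=/usr/bin/example
ProtectProc=invisible
"""

HARDENED_UNIT = """\
[Unit]
Description=example daemon (ProtectProc= effective)

[Service]
ExecStart=/usr/bin/example
ProtectProc=invisible
User=example
CapabilityBoundingSet=~CAP_SYS_PTRACE
"""


def parse_unit(text):
    """Return {section: {key: [values in file order]}}; repeated keys accumulate."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return sections


def capability_kept(assignments, cap, initial_full):
    """Replay CapabilityBoundingSet=/AmbientCapabilities= lines; report whether CAP survives.

    Follows the merge rules in systemd.exec(5): the first assignment replaces the
    initial set (everything for the bounding set, nothing for ambient), later
    plain lists are OR-merged, ~-prefixed lists subtract their entries, and an
    empty value resets to the empty set. Only one capability's membership is tracked.
    """
    kept = None  # None: still the initial set
    for value in assignments:
        invert = value.startswith("~")
        caps = {c.upper() for c in value.lstrip("~").split()}
        if kept is None or not caps:
            kept = (cap not in caps) if invert else (cap in caps)
        elif invert:
            kept = kept and cap not in caps
        else:
            kept = kept or cap in caps
    return initial_full if kept is None else kept


def protect_proc_findings(unit_text):
    """List the reasons, if any, why ProtectProc= in this unit will not be enforced."""
    svc = parse_unit(unit_text).get("Service", {})
    if (svc.get("ProtectProc") or ["default"])[-1] in ("", "default"):
        return []  # hidepid= is not requested at all
    findings = []
    user = (svc.get("User") or ["root"])[-1] or "root"  # an empty User= resets to root
    dynamic = (svc.get("DynamicUser") or ["no"])[-1].lower() in TRUTHY
    if not dynamic and user in ("root", "0"):
        findings.append("runs as root, which hidepid= does not restrict")
    if (svc.get("Group") or [""])[-1] in ("root", "0"):
        findings.append("Group=root matches the gid of the /proc mounter, which hidepid= exempts")
    if capability_kept(svc.get("AmbientCapabilities", []), "CAP_SYS_PTRACE", False):
        findings.append("AmbientCapabilities= grants CAP_SYS_PTRACE, which bypasses hidepid=")
    elif capability_kept(svc.get("CapabilityBoundingSet", []), "CAP_SYS_PTRACE", True):
        findings.append("CAP_SYS_PTRACE is still in the bounding set; add "
                        "CapabilityBoundingSet=~CAP_SYS_PTRACE so the service cannot hold it")
    return findings


if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, protect_proc_findings(unit) or ["ok"])
```

The bounding-set finding is advisory for a non-root service (it only holds the capability if AmbientCapabilities= or file capabilities grant it), but dropping CAP_SYS_PTRACE from the bounding set is the cheap way to make the ProtectProc= guarantee hold regardless of what the binary carries.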
-rw-r--r-- | man/systemd.exec.xml | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index c6e2ce9b00..f0e6222562 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -305,8 +305,11 @@ Filesystem</ulink>. It is generally recommended to run most system services with this option set to <literal>invisible</literal>. This option is implemented via file system namespacing, and thus cannot be used with services that shall be able to install mount points in the host file system - hierarchy. It also cannot be used for services that need to access metainformation about other users' - processes. This option implies <varname>MountAPIVFS=</varname>.</para> + hierarchy. Note that the root user is unaffected by this option, so to be effective it has to be used + together with <varname>User=</varname> or <varname>DynamicUser=yes</varname>, and also without the + <literal>CAP_SYS_PTRACE</literal> capability, which also allows a process to bypass this feature. It + cannot be used for services that need to access metainformation about other users' processes. This + option implies <varname>MountAPIVFS=</varname>.</para> <para>If the kernel doesn't support per-mount point <option>hidepid=</option> mount options this setting remains without effect, and the unit's processes will be able to access and see other process |
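Review bot: the added sentence states that "the root user is unaffected by this option", but the commit message describes the kernel check as a gid comparison with the process that mounted /proc plus CAP_SYS_PTRACE, so a unit with User= set to an unprivileged account but Group=root still runs with gid 0 and passes that check; consider wording it as "processes running as root or with the root group" so User=/DynamicUser= are not presented as sufficient on their own. Since the same sentence tells readers to run "without the CAP_SYS_PTRACE capability", it would help to name how to do that in a unit (CapabilityBoundingSet=, and not granting it via AmbientCapabilities=), the way the surrounding paragraph already names MountAPIVFS=. Minor: "and also without the CAP_SYS_PTRACE capability, which also allows a process to bypass this feature" repeats "also"; drop one.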