On 04.05.2018 at 18:24, Michael Gold wrote:
> On Fri, May 04, 2018 at 18:02:09 +0200, Michael Biebl wrote:
>> I guess you have two options here:
>> Either drop gid=4 from your mount flags or you add
>> SupplementaryGroups=adm to systemd-logind.service
> 
> I haven't figured out how to override that .service file locally yet,
> but I'm trying to add SupplementaryGroups=adm.

Use a drop-in config as described in the Arch wiki:

For user sessions to work correctly, an exception needs to be added for
systemd-logind:

/etc/systemd/system/systemd-logind.service.d/hidepid.conf containing

[Service]
SupplementaryGroups=proc

> If I just drop 'gid=4' I won't be able to use "pidin aux" myself.
> 
>> Why adm is a suitable group for that purpose is not clear to me, but
>> that's besides the point.
>> https://wiki.archlinux.org/index.php/Security#hidepid suggests to use a
>> dedicated group like proc which makes more sense to me.
> 
> Kind of, but that's not a standard Debian group.  adm is, and does make
> sense based on the documentation (also note that johnw independently had
> the same idea):
>       https://wiki.debian.org/SystemGroups
>       "adm: Group adm is used for system monitoring tasks. Members of this
>        group can read many log files in /var/log, …
>        staff: Allows users to add local modifications … Compare with group
>        'adm', which is more related to monitoring/security."
> 

Well, I think granting read access to the syslog files (and the journal
fwiw) as a side effect of granting read access to /proc makes group adm
a poor choice. Those should be treated separately.

A dedicated "proc" group, as the Arch wiki suggests, makes much more
sense to me.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
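As an added example (not from this thread and not systemd's or Debian's own code): a small POSIX shell script that reads the hidepid/gid options of /proc, maps the gid to a group name, and writes the logind drop-in described above. The mount option string and the /etc/group content are constructed samples; the "proc" group with gid 985 is an assumption.

```shell
#!/bin/sh
# Added example: derive the logind drop-in from the hidepid gid on /proc.

# Print the value of mount option $1 from the comma-separated option string $2
# (e.g. "rw,nosuid,hidepid=2,gid=4"); prints nothing if the option is absent.
proc_opt() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1=//p"
}

# Resolve numeric gid $1 to a group name, reading /etc/group-style lines on stdin.
gid_to_group() {
    awk -F: -v gid="$1" '$3 == gid { print $1; exit }'
}

# Write /etc/systemd/system/systemd-logind.service.d/hidepid.conf below root
# directory $1, granting group $2 to logind; prints the path of the file.
write_logind_dropin() {
    dir="$1/etc/systemd/system/systemd-logind.service.d"
    mkdir -p "$dir"
    printf '[Service]\nSupplementaryGroups=%s\n' "$2" > "$dir/hidepid.conf"
    printf '%s\n' "$dir/hidepid.conf"
}

# Constructed sample input standing in for `findmnt -no OPTIONS /proc` and
# for /etc/group (gid 985 for "proc" is assumed); on a live system read the real ones.
SAMPLE_OPTS="rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=4"
SAMPLE_GROUP="root:x:0:
adm:x:4:
proc:x:985:"

# Check the sample mount, warn when the gid is the log-reading group adm
# (the point made in the thread), and write the drop-in below $1.
main() {
    hidepid=$(proc_opt hidepid "$SAMPLE_OPTS")
    gid=$(proc_opt gid "$SAMPLE_OPTS")
    [ -n "$hidepid" ] && [ -n "$gid" ] || { echo "no hidepid/gid on /proc" >&2; return 1; }
    group=$(printf '%s\n' "$SAMPLE_GROUP" | gid_to_group "$gid")
    echo "hidepid=$hidepid gid=$gid group=$group"
    [ "$group" = adm ] && echo "note: adm also grants /var/log access; a dedicated group is cleaner" >&2
    write_logind_dropin "${1:-/tmp/hidepid-demo}" "$group"
}
```

Run `main /some/staging/dir` to see the generated file; on a real host the root directory would be `/` and `systemctl daemon-reload` is still needed afterwards.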


_______________________________________________
Pkg-systemd-maintainers mailing list
Pkg-systemd-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
