Re: [systemd-devel] Normal user can ask status of services

[Michael Biebl]

Am Sa., 26. Aug. 2023 um 15:25 Uhr schrieb Andrei Borzenkov
:
>
> On 26.08.2023 15:46, Michael Biebl wrote:
> >
> > Reading system logs is a privileged operation.
> >
>
> It is not about reading logs but about being able to "systemctl status
> some-system-unit"

I was referring to the part
"Warning: some journal files were not opened due to insufficient
permissions."
of the systemctl status output.

Re: [systemd-devel] Normal user can ask status of services

[Demi Marie Obenour]

On Sun, Aug 27, 2023 at 07:35:53PM +0200, Cecil Westerhof wrote:
> Op zo 27 aug 2023 om 18:30 schreef Leon Fauster  >:
> 
> > Am 26.08.23 um 18:41 schrieb Cecil Westerhof:
> > > Replying on google does not work as I am used to. It sends to the sender
> > > instead of the group. 
> > >
> > > Op za 26 aug 2023 om 18:36 schreef Cecil Westerhof
> > > mailto:cldwester...@gmail.com>>:
> > >
> > > Op za 26 aug 2023 om 14:46 schreef Michael Biebl  > > >:
> > >
> > > Am Sa., 26. Aug. 2023 um 09:44 Uhr schrieb Cecil Westerhof
> > > mailto:cldwester...@gmail.com>>:
> > >  >
> > >  > I am at last implementing systemd timers. The service I
> > > created can have its status queried by a normal user. I thought
> > > I must have made a mistake. But when I do:
> > >  > systemctl status cron
> > >  >
> > >  > I get:
> > >  > ● cron.service - Regular background program processing
> > daemon
> > >  >  Loaded: loaded (/lib/systemd/system/cron.service;
> > > enabled; preset: enabled)
> > >  >  Active: active (running) since Sat 2023-08-19
> > > 18:12:04 CEST; 6 days ago
> > >  >Docs: man:cron(8)
> > >  >Main PID: 790 (cron)
> > >  >   Tasks: 1 (limit: 17837)
> > >  >  Memory: 91.0M
> > >  > CPU: 14min 3.110s
> > >  >  CGroup: /system.slice/cron.service
> > >  >  └─790 /usr/sbin/cron -f
> > >  >
> > >  > Warning: some journal files were not opened due to
> > > insufficient permissions.
> > >  >
> > >  > Is this the expected behaviour?
> > >  > If not: what could be wrong with my system?
> > >  >
> > >  > This is on Debian 11.
> > >
> > > Reading system logs is a privileged operation.
> > >
> > > You can grant this privilege to individual users by adding them
> > > to the
> > > systemd-journal (or adm) group.
> > >
> > > Adding users to the adm will grant them additional privileges,
> > > so be careful.
> > >
> > >
> > > The user is in the lpadmin group, but not in systemd-journal, or adm
> > > and still can ask the status.
> > > Another reply indicates that this is normal.
> > >
> >
> >
> > Well, you can look at the process list anytime as normal user. So, what
> > are you trying to accomplishing. Whats the goal? Hiding the process from
> > the users?
> >
> 
> I was surprised that I could see it. And as I understand it, I am certainly
> not the only one. One reply on my question was even that it is a privileged
> operation and should not be possible without a group added to the user
> which was not added to the user.
> I agree that you can find out everything with ps, but that is a lot more
> work.
> I was just surprised that it was possible —and again I am far from the only
> one—, I just wanted to check it out and now I know it is expected behaviour.
> Better to ask a 'dump' question than staying ignorant I think.

Also access to other users' stuff in /proc can be disabled by a mount
option (hidepid=2).
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab


signature.asc
Description: PGP signature

Re: [systemd-devel] Normal user can ask status of services

[Andrei Borzenkov]

On 27.08.2023 20:35, Cecil Westerhof wrote:

Op zo 27 aug 2023 om 18:30 schreef Leon Fauster 
:



Am 26.08.23 um 18:41 schrieb Cecil Westerhof:

Replying on google does not work as I am used to. It sends to the sender
instead of the group. 

Op za 26 aug 2023 om 18:36 schreef Cecil Westerhof
mailto:cldwester...@gmail.com>>:

 Op za 26 aug 2023 om 14:46 schreef Michael Biebl mailto:mbi...@gmail.com>>:

 Am Sa., 26. Aug. 2023 um 09:44 Uhr schrieb Cecil Westerhof
 mailto:cldwester...@gmail.com>>:
  >
  > I am at last implementing systemd timers. The service I
 created can have its status queried by a normal user. I thought
 I must have made a mistake. But when I do:
  > systemctl status cron
  >
  > I get:
  > ● cron.service - Regular background program processing

daemon

  >  Loaded: loaded (/lib/systemd/system/cron.service;
 enabled; preset: enabled)
  >  Active: active (running) since Sat 2023-08-19
 18:12:04 CEST; 6 days ago
  >Docs: man:cron(8)
  >Main PID: 790 (cron)
  >   Tasks: 1 (limit: 17837)
  >  Memory: 91.0M
  > CPU: 14min 3.110s
  >  CGroup: /system.slice/cron.service
  >  └─790 /usr/sbin/cron -f
  >
  > Warning: some journal files were not opened due to
 insufficient permissions.
  >
  > Is this the expected behaviour?
  > If not: what could be wrong with my system?
  >
  > This is on Debian 11.

 Reading system logs is a privileged operation.

 You can grant this privilege to individual users by adding them
 to the
 systemd-journal (or adm) group.

 Adding users to the adm will grant them additional privileges,
 so be careful.


 The user is in the lpadmin group, but not in systemd-journal, or adm
 and still can ask the status.
 Another reply indicates that this is normal.




Well, you can look at the process list anytime as normal user. So, what
are you trying to accomplishing. Whats the goal? Hiding the process from
the users?



I was surprised that I could see it. And as I understand it, I am certainly
not the only one. One reply on my question was even that it is a privileged
operation and should not be possible without a group added to the user
which was not added to the user.


It was referring to the content of the system journal, not to the 
permissions to run "systemctl status".



I agree that you can find out everything with ps, but that is a lot more
work.
I was just surprised that it was possible —and again I am far from the only
one—, I just wanted to check it out and now I know it is expected behaviour.
Better to ask a 'dump' question than staying ignorant I think.

Re: [systemd-devel] Normal user can ask status of services

[Cecil Westerhof]

Op zo 27 aug 2023 om 18:30 schreef Leon Fauster :

> Am 26.08.23 um 18:41 schrieb Cecil Westerhof:
> > Replying on google does not work as I am used to. It sends to the sender
> > instead of the group. 
> >
> > Op za 26 aug 2023 om 18:36 schreef Cecil Westerhof
> > mailto:cldwester...@gmail.com>>:
> >
> > Op za 26 aug 2023 om 14:46 schreef Michael Biebl  > >:
> >
> > Am Sa., 26. Aug. 2023 um 09:44 Uhr schrieb Cecil Westerhof
> > mailto:cldwester...@gmail.com>>:
> >  >
> >  > I am at last implementing systemd timers. The service I
> > created can have its status queried by a normal user. I thought
> > I must have made a mistake. But when I do:
> >  > systemctl status cron
> >  >
> >  > I get:
> >  > ● cron.service - Regular background program processing
> daemon
> >  >  Loaded: loaded (/lib/systemd/system/cron.service;
> > enabled; preset: enabled)
> >  >  Active: active (running) since Sat 2023-08-19
> > 18:12:04 CEST; 6 days ago
> >  >Docs: man:cron(8)
> >  >Main PID: 790 (cron)
> >  >   Tasks: 1 (limit: 17837)
> >  >  Memory: 91.0M
> >  > CPU: 14min 3.110s
> >  >  CGroup: /system.slice/cron.service
> >  >  └─790 /usr/sbin/cron -f
> >  >
> >  > Warning: some journal files were not opened due to
> > insufficient permissions.
> >  >
> >  > Is this the expected behaviour?
> >  > If not: what could be wrong with my system?
> >  >
> >  > This is on Debian 11.
> >
> > Reading system logs is a privileged operation.
> >
> > You can grant this privilege to individual users by adding them
> > to the
> > systemd-journal (or adm) group.
> >
> > Adding users to the adm will grant them additional privileges,
> > so be careful.
> >
> >
> > The user is in the lpadmin group, but not in systemd-journal, or adm
> > and still can ask the status.
> > Another reply indicates that this is normal.
> >
>
>
> Well, you can look at the process list anytime as normal user. So, what
> are you trying to accomplishing. Whats the goal? Hiding the process from
> the users?
>

I was surprised that I could see it. And as I understand it, I am certainly
not the only one. One reply on my question was even that it is a privileged
operation and should not be possible without a group added to the user
which was not added to the user.
I agree that you can find out everything with ps, but that is a lot more
work.
I was just surprised that it was possible —and again I am far from the only
one—, I just wanted to check it out and now I know it is expected behaviour.
Better to ask a 'dump' question than staying ignorant I think.

-- 
Cecil Westerhof

Re: [systemd-devel] Normal user can ask status of services

[Leon Fauster]

Am 26.08.23 um 18:41 schrieb Cecil Westerhof:
Replying on google does not work as I am used to. It sends to the sender 
instead of the group. 


Op za 26 aug 2023 om 18:36 schreef Cecil Westerhof 
mailto:cldwester...@gmail.com>>:


Op za 26 aug 2023 om 14:46 schreef Michael Biebl mailto:mbi...@gmail.com>>:

Am Sa., 26. Aug. 2023 um 09:44 Uhr schrieb Cecil Westerhof
mailto:cldwester...@gmail.com>>:
 >
 > I am at last implementing systemd timers. The service I
created can have its status queried by a normal user. I thought
I must have made a mistake. But when I do:
 >     systemctl status cron
 >
 > I get:
 >     ● cron.service - Regular background program processing daemon
 >          Loaded: loaded (/lib/systemd/system/cron.service;
enabled; preset: enabled)
 >          Active: active (running) since Sat 2023-08-19
18:12:04 CEST; 6 days ago
 >            Docs: man:cron(8)
 >        Main PID: 790 (cron)
 >           Tasks: 1 (limit: 17837)
 >          Memory: 91.0M
 >             CPU: 14min 3.110s
 >          CGroup: /system.slice/cron.service
 >                  └─790 /usr/sbin/cron -f
 >
 >     Warning: some journal files were not opened due to
insufficient permissions.
 >
 > Is this the expected behaviour?
 > If not: what could be wrong with my system?
 >
 > This is on Debian 11.

Reading system logs is a privileged operation.

You can grant this privilege to individual users by adding them
to the
systemd-journal (or adm) group.

Adding users to the adm will grant them additional privileges,
so be careful.


The user is in the lpadmin group, but not in systemd-journal, or adm
and still can ask the status.
Another reply indicates that this is normal.




Well, you can look at the process list anytime as normal user. So, what 
are you trying to accomplishing. Whats the goal? Hiding the process from 
the users?


--
Leon

Re: [systemd-devel] Normal user can ask status of services

[Cecil Westerhof]

Replying on google does not work as I am used to. It sends to the sender
instead of the group. 

Op za 26 aug 2023 om 18:36 schreef Cecil Westerhof :

> Op za 26 aug 2023 om 14:46 schreef Michael Biebl :
>
>> Am Sa., 26. Aug. 2023 um 09:44 Uhr schrieb Cecil Westerhof
>> :
>> >
>> > I am at last implementing systemd timers. The service I created can
>> have its status queried by a normal user. I thought I must have made a
>> mistake. But when I do:
>> > systemctl status cron
>> >
>> > I get:
>> > ● cron.service - Regular background program processing daemon
>> >  Loaded: loaded (/lib/systemd/system/cron.service; enabled;
>> preset: enabled)
>> >  Active: active (running) since Sat 2023-08-19 18:12:04 CEST; 6
>> days ago
>> >Docs: man:cron(8)
>> >Main PID: 790 (cron)
>> >   Tasks: 1 (limit: 17837)
>> >  Memory: 91.0M
>> > CPU: 14min 3.110s
>> >  CGroup: /system.slice/cron.service
>> >  └─790 /usr/sbin/cron -f
>> >
>> > Warning: some journal files were not opened due to insufficient
>> permissions.
>> >
>> > Is this the expected behaviour?
>> > If not: what could be wrong with my system?
>> >
>> > This is on Debian 11.
>>
>> Reading system logs is a privileged operation.
>>
>> You can grant this privilege to individual users by adding them to the
>> systemd-journal (or adm) group.
>>
>> Adding users to the adm will grant them additional privileges, so be
>> careful.
>>
>
> The user is in the lpadmin group, but not in systemd-journal, or adm and
> still can ask the status.
> Another reply indicates that this is normal.
>

-- 
Cecil Westerhof

Re: [systemd-devel] Normal user can ask status of services

[Cecil Westerhof]

Replying on google does not work as I am used to. It sends to the sender
instead of the group. 

Op za 26 aug 2023 om 18:31 schreef Cecil Westerhof :

>
> Op za 26 aug 2023 om 17:35 schreef Dave Howorth :
>
>> On Sat, 26 Aug 2023 16:17:46 +0300
>> Andrei Borzenkov  wrote:
>> > On 26.08.2023 15:46, Michael Biebl wrote:
>> > >
>> > > Reading system logs is a privileged operation.
>> >
>> > It is not about reading logs but about being able to "systemctl
>> > status some-system-unit"
>> >
>> > > You can grant this privilege to individual users by adding them to
>> > > the systemd-journal (or adm) group.
>> >
>> > The question was how to prevent normal users from seeing system unit
>> > status.
>>
>> TBF, it wasn't really clear (to me at least) what the question was
>> about. Either what you surmised, or what Michael surmised or maybe
>> about which Debian releases have cron installed by default? I certainly
>> couldn't work it out.
>>
>
> I was not surprised that cron was installed. (I want to migrate cron to
> systemd timers.) I was surprised that I could ask the status of cron as a
> normal user. That seemed strange to me, I expected that only root would be
> able to do that.
> But I use systemd, but certainly am no expert. But willing to learn more.
>
> --
> Cecil Westerhof
>


-- 
Cecil Westerhof

Re: [systemd-devel] Normal user can ask status of services

[Cecil Westerhof]

Op za 26 aug 2023 om 15:16 schreef Andrei Borzenkov :

> Do not send personal reply to the list post.
>
> On 26.08.2023 15:35, Cecil Westerhof wrote:
> > Op za 26 aug 2023 om 13:45 schreef Andrei Borzenkov  >:
> >
> >> On 26.08.2023 10:44, Cecil Westerhof wrote:
> >>>
> >>> Is this the expected behaviour?
> >>
> >> Yes, it is.
> >>
> >
> > It seemed strange to me, but I will not worry then.
> > Thanks.
> >
> > At the moment it is not important, but if I do not want that a normal
> user
> > can query the status: can I circumvent this?
> >
>
> I am not sure. systemctl just calls
> org.freedesktop.DBus.Properties.GetAll on unit D-Bus path. I am not
> aware of any way to restrict it in systemd. You may restrict it on the
> D-Bus level. Currently it is open to all
>
>   send_interface="org.freedesktop.DBus.Properties"
> send_member="GetAll"/>
>
> I do not know if it is possible to put restrictions only on some paths.
>

Thanks, I will look into it.

-- 
Cecil Westerhof

Re: [systemd-devel] Normal user can ask status of services

[Dave Howorth]

On Sat, 26 Aug 2023 16:17:46 +0300
Andrei Borzenkov  wrote:
> On 26.08.2023 15:46, Michael Biebl wrote:
> > 
> > Reading system logs is a privileged operation.
> 
> It is not about reading logs but about being able to "systemctl
> status some-system-unit"
> 
> > You can grant this privilege to individual users by adding them to
> > the systemd-journal (or adm) group.
> 
> The question was how to prevent normal users from seeing system unit
> status.

TBF, it wasn't really clear (to me at least) what the question was
about. Either what you surmised, or what Michael surmised or maybe
about which Debian releases have cron installed by default? I certainly
couldn't work it out.

Re: [systemd-devel] Normal user can ask status of services

[Andrei Borzenkov]

On 26.08.2023 15:46, Michael Biebl wrote:


Reading system logs is a privileged operation.



It is not about reading logs but about being able to "systemctl status 
some-system-unit"



You can grant this privilege to individual users by adding them to the
systemd-journal (or adm) group.



The question was how to prevent normal users from seeing system unit status.

Re: [systemd-devel] Normal user can ask status of services

[Andrei Borzenkov]

Do not send personal reply to the list post.

On 26.08.2023 15:35, Cecil Westerhof wrote:

Op za 26 aug 2023 om 13:45 schreef Andrei Borzenkov :


On 26.08.2023 10:44, Cecil Westerhof wrote:


Is this the expected behaviour?


Yes, it is.



It seemed strange to me, but I will not worry then.
Thanks.

At the moment it is not important, but if I do not want that a normal user
can query the status: can I circumvent this?



I am not sure. systemctl just calls 
org.freedesktop.DBus.Properties.GetAll on unit D-Bus path. I am not 
aware of any way to restrict it in systemd. You may restrict it on the 
D-Bus level. Currently it is open to all




I do not know if it is possible to put restrictions only on some paths.

Re: [systemd-devel] Normal user can ask status of services

[Michael Biebl]

Am Sa., 26. Aug. 2023 um 09:44 Uhr schrieb Cecil Westerhof
:
>
> I am at last implementing systemd timers. The service I created can have its 
> status queried by a normal user. I thought I must have made a mistake. But 
> when I do:
> systemctl status cron
>
> I get:
> ● cron.service - Regular background program processing daemon
>  Loaded: loaded (/lib/systemd/system/cron.service; enabled; preset: 
> enabled)
>  Active: active (running) since Sat 2023-08-19 18:12:04 CEST; 6 days 
> ago
>Docs: man:cron(8)
>Main PID: 790 (cron)
>   Tasks: 1 (limit: 17837)
>  Memory: 91.0M
> CPU: 14min 3.110s
>  CGroup: /system.slice/cron.service
>  └─790 /usr/sbin/cron -f
>
> Warning: some journal files were not opened due to insufficient 
> permissions.
>
> Is this the expected behaviour?
> If not: what could be wrong with my system?
>
> This is on Debian 11.

Reading system logs is a privileged operation.

You can grant this privilege to individual users by adding them to the
systemd-journal (or adm) group.

Adding users to the adm will grant them additional privileges, so be careful.

Re: [systemd-devel] Normal user can ask status of services

[Andrei Borzenkov]

On 26.08.2023 10:44, Cecil Westerhof wrote:


Is this the expected behaviour?


Yes, it is.