You are not logged in.
- Topics: Active | Unanswered
#1 2022-12-14 19:53:06
- dimich
- Member
- From: Kharkiv, Ukraine
- Registered: 2009-11-03
- Posts: 240
[SOLVED] User can't reboot/poweroff when /proc mounted with hidepid
When /proc is mounted with default options (no hidepid or hidepid=0) user can reboot/poweroff the system from command line.
When /proc is mounted with hidepid=1 or hidepid=2 systemd doesn't allow user to reboot/poweroff system:
$ poweroff
Call to PowerOff failed: Interactive authentication required.
$
$ ls -l $(which poweroff)
lrwxrwxrwx 1 root root 9 гру 9 09:03 /usr/bin/poweroff -> systemctlWhen invoked as parameter to systemctl one more error message appears:
$ systemctl poweroff
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)
Call to PowerOff failed: Interactive authentication required.This happens even if user is a member of group specified by gid= option for procfs:
$ mount | grep ^proc
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime,gid=1000,hidepid=invisible)
$
$ id -G | xargs -n1 | grep 1000
1000
$
$ loginctl show-session $XDG_SESSION_ID --property=Active
Active=yesIs this by design or bug in systemd? Maybe misconfiguration in my particular system?
Last edited by dimich (2022-12-14 23:41:47)
Offline
#2 2022-12-14 21:31:33
- 3beb6e7c46a615a
- Member
- Registered: 2021-03-27
- Posts: 165
Re: [SOLVED] User can't reboot/poweroff when /proc mounted with hidepid
I presume that's by design, see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1130796 and https://github.com/systemd/systemd/issu … -508490893
The problem in your specific case is not that your actual user account has no access to procfs. Instead it's the unprivileged polkit daemon which checks privilege elevations (like eg required for shutdown from a non-root process) which fails to get information from procfs, information it needs to decide whether the calling process is allowed to call a privileged action.
That's why the gid mount option doesn't change anything here.
Last edited by 3beb6e7c46a615a (2022-12-14 21:34:53)
Offline
#3 2022-12-14 23:41:29
- dimich
- Member
- From: Kharkiv, Ukraine
- Registered: 2009-11-03
- Posts: 240
Re: [SOLVED] User can't reboot/poweroff when /proc mounted with hidepid
Thank you for quick reply.
It turned out that polkit package already provides group "proc" and adds user "polkitd" into this group. I mounted /proc with hidepid=2,gid=proc. Reboot / poweroff works fine for regular user now.
Last edited by dimich (2022-12-15 00:21:36)
Offline
#4 2022-12-15 09:11:58
- webcapcha
- Member
- Registered: 2019-02-14
- Posts: 102
Re: [SOLVED] User can't reboot/poweroff when /proc mounted with hidepid
Hi, could you share your config how did you mount /proc. Is it separate partition?
Offline
#5 2022-12-15 09:51:56
- V1del
- Forum Moderator
- Registered: 2012-10-16
- Posts: 21,657
Re: [SOLVED] User can't reboot/poweroff when /proc mounted with hidepid
/proc is a virtual file system that has no relation to a partition concept, if you don't understand what and why you are doing things here you need to do some reading on how these work before you hose your system. The literal answer to the question is under https://wiki.archlinux.org/title/Security#hidepid
Offline
#6 2022-12-15 13:38:51
- 3beb6e7c46a615a
- Member
- Registered: 2021-03-27
- Posts: 165
Re: [SOLVED] User can't reboot/poweroff when /proc mounted with hidepid
I was about to say that polkit isn't the only contender for trouble with hidepid, because other services rely on proc as well (journald came to my mind first), but the wiki page sums it up better than I could 
Offline