Re-enable hidepid
When porting to Jessie we’ve tried to enable the hidepid=2 hardening feature but we reverted it as it broke stuff (e.g. #8256 (closed)). It seems one can make hidepid=2 work:

- pass the gid=<gid> mount option for /proc
- give systemd-logind.service the SupplementaryGroups=<gid> option
- possibly some more services need to have SupplementaryGroups=<gid>, e.g. polkitd; testing will tell
- add the polkitd user to the <gid> group
See https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid for details and possibly more up-to-date info.
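An audit script for the setup above, added here as an example (it is not from this issue nor from Tails): it checks that /proc carries both hidepid=2 and a gid= bypass group, and that a unit's SupplementaryGroups= includes that group. The function names and the group name `proc` are assumptions, not anything the issue specifies.

```shell
#!/bin/sh
# Added example, not Tails code. Checks the two halves of a working hidepid=2
# setup: the /proc mount options and the SupplementaryGroups= of a service.

# proc_hidepid_ok OPTIONS GID: succeed when the comma-separated mount option
# string contains hidepid=2 (the kernel also spells it hidepid=invisible)
# and gid=<GID>, i.e. hiding is on and a bypass group is configured.
proc_hidepid_ok() {
    opts=$1; want=$2; has_hidepid=1; has_gid=1
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            hidepid=2|hidepid=invisible) has_hidepid=0 ;;
            gid=$want) has_gid=0 ;;
        esac
    done
    IFS=$old_ifs
    [ $has_hidepid -eq 0 ] && [ $has_gid -eq 0 ]
}

# unit_grants_group UNIT_TEXT GROUP: succeed when the unit text (a unit file,
# a drop-in, or `systemctl show -p SupplementaryGroups` output) lists GROUP.
# SupplementaryGroups= is cumulative in systemd and an empty assignment resets
# the list, which the awk program models.
unit_grants_group() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^SupplementaryGroups=/ {
            sub(/^SupplementaryGroups=/, "")
            if ($0 == "") { found = 0; next }
            for (i = 1; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# audit_live GROUP [SERVICE]: run both checks against the running system.
# GROUP is the name behind gid=<gid>; SERVICE defaults to systemd-logind.
audit_live() {
    group=$1; svc=${2:-systemd-logind.service}
    gid=$(getent group "$group" | cut -d: -f3) || return 1
    opts=$(awk '$2 == "/proc" { print $4 }' /proc/mounts)
    proc_hidepid_ok "$opts" "$gid" ||
        { echo "/proc lacks hidepid=2,gid=$gid (have: $opts)"; return 1; }
    unit_grants_group "$(systemctl show -p SupplementaryGroups "$svc")" "$group" ||
        { echo "$svc is not in SupplementaryGroups=$group"; return 1; }
    echo "hidepid=2 setup looks consistent for $svc"
}

# Usage: sh hidepid-audit.sh --live proc [polkit.service]
[ "${1:-}" = "--live" ] && audit_live "$2" "${3:-}"
```

Run it once per service that must keep seeing other users' processes (logind, then polkitd as the issue suggests) to find the units still missing the group.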
Original created by @intrigeri on 16074 (Redmine)