I discovered that using pkexec outside a terminal will freeze most (if not all) graphical processes, as shown by htop with the "T" state (which means traced or suspended, e.g. by SIGTSTP), when /proc is mounted with hidepid=2 or hidepid=1.
It happened when I used OBS Studio to create a virtual webcam, which tries to load the kernel module v4l2loopback through a pkexec call.
In a normal context, with the MATE desktop environment, a window will pop up asking for the root password.
However, when hidepid is enabled, /usr/libexec/polkit-mate-authentication-agent-1 will issue a warning when opening the session (stored in the file ~/.materc-errors; see GH-80 and GH-121), such as:
(polkit-mate-authentication-agent-1:16427): polkit-mate-1-WARNING **: Unable to determine the session we are in: No session for pid 16427
I recently added the patch GH-423 on top of release 124, same issue.
To reproduce:
1. set the hidepid=2 (or =1) option for /proc (mount -o remount,hidepid=2 /proc);
2. connect to your graphical environment (startx, graphical display manager);
3. call pkexec outside a terminal, for example using the key combination Alt+F2 to run an application: pkexec modprobe v4l2loopback video_nr=10,11 card_label="Dummy video device","Second video device";
4. the graphical system should freeze; use Ctrl+Alt+F1 to switch to tty1, log in and see that the processes are in the suspended state.
To leave this broken state, I have to send the signal SIGHUP to the xinit process, which closes my whole session.
My objective is to set a working environment with "modern" privileges workflow while keeping the hidepid=2 feature of /proc to ensure privacy and security.
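To make the two observations in the report checkable from a tty, here is a small diagnostic script. It is an added example, not code from polkit, MATE or the reporter. It assumes the Linux procfs layout (/proc/self/mountinfo for mount options, /proc/<pid>/stat for process state); the sample mountinfo and stat lines are constructed, not captured from the reporter's machine. It answers two questions: what hidepid value /proc is currently mounted with, and which processes are sitting in the stopped/traced state that htop shows as "T".

```shell
#!/bin/sh
# Added diagnostic helper (not part of polkit, MATE or the bug report above).
# Assumes the Linux procfs layout: /proc/self/mountinfo for mount options and
# /proc/<pid>/stat for process state.

# Read mountinfo text on stdin and print the hidepid value of the /proc
# mount ("0" when the option is absent, which is the kernel default).
# mountinfo fields: id parent major:minor root mount_point mount_opts ...
# "-" fstype source super_opts; hidepid lives in the comma-separated
# super_opts, so the line is split on both spaces and commas.
hidepid_from_mountinfo() {
    v=$(awk '$5 == "/proc" {
            n = split($0, f, "[ ,]")
            val = "0"
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", f[i]); val = f[i] }
            }
            print val
            exit
        }')
    printf '%s\n' "${v:-0}"
}

# Print the one-letter state from a /proc/<pid>/stat line ($1). The state is
# the first field after the closing ")" of the command name, which may itself
# contain spaces or parentheses, so everything up to the LAST ") " is dropped.
stat_state() {
    printf '%s\n' "$1" | sed 's/^.*) //' | cut -d ' ' -f1
}

# List PIDs whose state is T (stopped) or t (tracing stop). Processes hidden
# by hidepid are unreadable for an unprivileged user and are simply skipped.
stopped_pids() {
    for s in /proc/[0-9]*/stat; do
        [ -r "$s" ] || continue
        line=$(cat "$s" 2>/dev/null) || continue
        case "$(stat_state "$line")" in
            T|t) pid=${s#/proc/}; printf '%s\n' "${pid%/stat}" ;;
        esac
    done
}

# Constructed sample lines (not captured from the reporter's machine), used
# for the offline demonstration below ("demo" argument).
SAMPLE_MOUNTINFO='36 25 0:27 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw,hidepid=2'
SAMPLE_STAT='16427 (polkit-mate-aut) T 1 16427 16427 0 -1 4194560'

if [ "${1:-}" = "demo" ]; then
    printf 'sample hidepid value: %s\n' "$(printf '%s\n' "$SAMPLE_MOUNTINFO" | hidepid_from_mountinfo)"
    printf 'sample stat state: %s\n' "$(stat_state "$SAMPLE_STAT")"
elif [ -r /proc/self/mountinfo ]; then
    printf 'hidepid on /proc: %s\n' "$(hidepid_from_mountinfo < /proc/self/mountinfo)"
    printf 'stopped/traced PIDs:\n'
    stopped_pids
fi
```

Run it without arguments from the tty after the freeze to see the live hidepid setting and the list of stopped PIDs; run it with `demo` to see it work on the constructed sample lines. Note that newer kernels may report the option by name (for example `hidepid=invisible` instead of `hidepid=2`), so the function prints the raw value rather than assuming a digit.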
My objective is to set a working environment with "modern" privileges workflow while keeping the hidepid=2 feature of /proc to ensure privacy and security.
Setting hidepid globally is not a "modern privilege workflow", it's security theater that doesn't provide any real value, and will break a great deal of things. Just don't use it, and instead use service sandboxing.
Thanks for your feedback.
While it might have no real security value, nothing else has been broken in the 6-7 years I have used it, both on servers and on desktop environments, and its privacy feature is effective.
At least pkexec should not put any other process in suspended state (not 100% sure if it’s pkexec or the desktop environment’s policykit helper), which is the original point of this report.
Source report: https://bugs.gentoo.org/924621