
Bug#925552: release-notes: document problems with hidepid vs Buster systemd



Package: release-notes
Severity: wishlist
Tags: patch

The "hidepid" mount-options for /proc (as recommended by various
online hardening HOWTOs) work with Stretch but cause problems on
Buster, and are considered an unsupported configuration by systemd
upstream - see #819808, #892585, #897654.  So users should probably be
advised to disable hidepid before doing a dist-upgrade.

Proposed text for issues.dbk:

  <section id="hidepid-unsupported">
    <!-- stretch to buster-->
    <title>Hidepid mount options for procfs unsupported</title>
    <para>
      The hidepid mount options to <filename>/proc</filename> are known to cause
      problems with current versions of systemd, and are considered by systemd
      upstream to be an unsupported configuration. Users who have modified
      <filename>/etc/fstab</filename> to enable these options are advised to
      disable them before the upgrade, to ensure login sessions work on
      &releasename;. (A possible route to re-enabling them is outlined on the
      wiki's <ulink
      url="https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid">Hardening</ulink>
      page.)
    </para>
  </section>

I can't claim to have tested the advice on that Hardening link on a
modern laptop running GNOME-on-wayland with pulseaudio and udisks2 and
network-manager and so on, but if it's wrong, we should correct the
wiki rather than the pointer.

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
diff --git a/en/issues.dbk b/en/issues.dbk
index 35841ee6..b69e7dbe 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -39,6 +39,22 @@ information mentioned in <xref linkend="morereading"/>.
     </para>
   </section>
 
+  <section id="hidepid-unsupported">
+    <!-- stretch to buster-->
+    <title>Hidepid mount options for procfs unsupported</title>
+    <para>
+      The hidepid mount options to <filename>/proc</filename> are known to cause
+      problems with current versions of systemd, and are considered by systemd
+      upstream to be an unsupported configuration. Users who have modified
+      <filename>/etc/fstab</filename> to enable these options are advised to
+      disable them before the upgrade, to ensure login sessions work on
+      &releasename;. (A possible route to re-enabling them is outlined on the
+      wiki's <ulink
+      url="https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid";>Hardening</ulink>
+      page.)
+    </para>
+  </section>
+
   <section id="noteworthy-obsolete-packages" condition="fixme">
     <title>Noteworthy obsolete packages</title>
     <para>
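Review bot: the `url` attribute on the `<ulink` line carries a stray `;` after its closing quote (`url="https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid";>`), which leaves the element not well-formed XML and will break the build of issues.dbk; drop the semicolon so the tag reads `url="https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid">Hardening</ulink>`. The paragraph also never names the actual option string a user would look for in `/etc/fstab` (the report's own description is "hidepid"), nor the systemd bugs the report cites (#819808, #892585, #897654); naming the option and pointing at those bugs would let readers match the warning against their own fstab and see why the configuration is unsupported.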

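A pre-upgrade check for the configuration the report describes, added here as an example and not part of the bug report or of the release-notes text: it scans an fstab-style file and the live mount table for a `/proc` entry whose options contain `hidepid=`, and returns non-zero when one is found. The default paths `/etc/fstab` and `/proc/mounts` are the real files; the sample fstab content written to a temporary file is constructed for the demonstration.

```shell
#!/bin/sh
# Report hidepid mount options on /proc before a dist-upgrade.
# Added example; not from the bug report or the release notes.

# Print "<label>: <mountpoint> <options>" for each line of an
# fstab-style file (same columns as /proc/mounts) whose mountpoint is
# /proc and whose option list contains hidepid=. Comments and blank
# lines are skipped. Usage: find_hidepid LABEL FILE
find_hidepid() {
    label=$1
    file=$2
    [ -r "$file" ] || return 0
    awk -v label="$label" '
        /^[ \t]*#/ || NF == 0 { next }
        $2 == "/proc" && ("," $4) ~ /,hidepid=/ {
            print label ": " $2 " " $4
        }' "$file"
}

# Check both the static configuration and the live mount table.
# Returns 1 (and prints the offending entries) when hidepid is set,
# 0 when nothing was found. Usage: check_hidepid [FSTAB] [MOUNTS]
check_hidepid() {
    fstab=${1:-/etc/fstab}
    mounts=${2:-/proc/mounts}
    found=$(find_hidepid "fstab" "$fstab"; find_hidepid "live" "$mounts")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample fstab (not a real system file) with a hidepid entry.
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# /etc/fstab: static file system information (constructed sample).
UUID=00000000-constructed-0000 / ext4 errors=remount-ro 0 1
proc /proc proc defaults,hidepid=2 0 0
EOF

# Demonstration run against the sample file only (no live mount table).
if check_hidepid "$SAMPLE_FSTAB" /dev/null; then
    echo "no hidepid options found"
else
    echo "hidepid is configured: disable it in /etc/fstab before the dist-upgrade"
fi
```

On a real system call `check_hidepid` with no arguments; it then reads `/etc/fstab` and `/proc/mounts`, so it also catches a hidepid mount that was applied by hand and never written to fstab.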