Justin B Rye
2019-03-26 18:20:02 UTC
Package: release-notes
Severity: wishlist
Tags: patch
The "hidepid" mount-options for /proc (as recommended by various
online hardening HOWTOs) work with Stretch but cause problems on
Buster, and are considered an unsupported configuration by systemd
upstream - see #819808, #892585, #897654. So users should probably be
advised to disable hidepid before doing a dist-upgrade.
Proposed text for issues.dbk:
<section id="hidepid-unsupported">
<!-- stretch to buster-->
<title>Hidepid mount options for procfs unsupported</title>
<para>
The hidepid mount options to <filename>/proc</filename> are known to cause
problems with current versions of systemd, and are considered by systemd
upstream to be an unsupported configuration. Users who have modified
<filename>/etc/fstab</filename> to enable these options are advised to
disable them before the upgrade, to ensure login sessions work on
&releasename;. (A possible route to re-enabling them is outlined on the
wiki's <ulink
url="https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid">Hardening</ulink>
page.)
</para>
</section>
I can't claim to have tested the advice on that Hardening link on a
modern laptop running GNOME-on-wayland with pulseaudio and udisks2 and
network-manager and so on, but if it's wrong, we should correct the
wiki rather than the pointer.
-- System Information:
Debian Release: 9.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
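As an added example (not part of the bug report or of the release-notes text), a POSIX sh helper for the advice above: it reports the hidepid value on the /proc entry of an fstab (the same parsing works on /proc/self/mounts content, whose fields 2 and 4 line up the same way) and emits the fstab with that option stripped. The sample fstab content is constructed, not taken from any real system.

```shell
#!/bin/sh
# Constructed sample fstab content with a hidepid-hardened /proc entry.
SAMPLE_FSTAB='UUID=1234-abcd / ext4 errors=remount-ro 0 1
proc /proc proc defaults,hidepid=2 0 0
tmpfs /tmp tmpfs nosuid,nodev 0 0'

# proc_hidepid_value CONTENT
#   Print the value of hidepid=N on the /proc line of CONTENT (fstab or
#   /proc/self/mounts format: field 2 = mount point, field 4 = options).
#   Prints nothing when hidepid is not set.
proc_hidepid_value() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc" {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", o[i]); print o[i] }
        }'
}

# fstab_without_hidepid CONTENT
#   Print CONTENT with hidepid=N removed from the /proc entry options.
#   If hidepid was the only option, fall back to "defaults" so the line
#   stays valid; all other lines pass through unchanged.
fstab_without_hidepid() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc" {
            n = split($4, o, ","); out = ""
            for (i = 1; i <= n; i++)
                if (o[i] !~ /^hidepid=/) out = out (out == "" ? "" : ",") o[i]
            if (out == "") out = "defaults"
            $4 = out
        }
        { print }'
}

# Stand-alone usage: inspect the sample, then show the cleaned version.
# On a real system, pass "$(cat /etc/fstab)" and "$(cat /proc/self/mounts)".
printf 'hidepid in fstab: %s\n' "$(proc_hidepid_value "$SAMPLE_FSTAB")"
fstab_without_hidepid "$SAMPLE_FSTAB"
```

After writing the cleaned content back to /etc/fstab, the running mount still carries the old option until remounted or rebooted, so check /proc/self/mounts as well before starting the dist-upgrade.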