A couple of days ago I turned on
hidepid=2
for the /proc mount on my desktop PC. Today I saw the systemd-userdbd
service failing on bootup, and realized that it had been failing to start for a
few days. Aside from the fact that there really should be a well-supported and
easy way to notify administrators of failing units, this obviously needed some
investigation.
systemctl status systemd-userdbd.service wasn’t very helpful, but journalctl
had the specific error:
[..] spawning /lib/systemd/systemd-userdbd: Read-only file system
I didn’t immediately jump to the conclusion that this had to do with enabling
hidepid=2. After all, why would that result in a read-only file system?
Investigating a failure very early on in boot is a pain, so instead of wasting
my time on that I took to GitHub issues.
As it turns out, hidepid= is just
not supported
at all
in systemd. This doesn’t seem to be pointed out anywhere, and I certainly was
not aware of it before. Services can set
ProtectProc=,
but there doesn’t seem to be a clean way of restricting /proc for unprivileged
users like a global hidepid=2 did. I’ve removed the option for now.