Package: release-notes
Severity: wishlist
Tags: patch

The "hidepid" mount options for /proc (as recommended by various online hardening HOWTOs) work with Stretch but cause problems on Buster, and are considered an unsupported configuration by systemd upstream - see #819808, #892585, #897654. So users should probably be advised to disable hidepid before doing a dist-upgrade.
Proposed text for issues.dbk:

  <section id="hidepid-unsupported">
    <!-- stretch to buster-->
    <title>Hidepid mount options for procfs unsupported</title>
    <para>
      The hidepid mount options to <filename>/proc</filename> are known to cause
      problems with current versions of systemd, and are considered by systemd
      upstream to be an unsupported configuration. Users who have modified
      <filename>/etc/fstab</filename> to enable these options are advised to
      disable them before the upgrade, to ensure login sessions work on
      &releasename;. (A possible route to re-enabling them is outlined on the
      wiki's <ulink
      url="https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid">Hardening</ulink>
      page.)
    </para>
  </section>

I can't claim to have tested the advice on that Hardening link on a modern laptop running GNOME-on-wayland with pulseaudio and udisks2 and network-manager and so on, but if it's wrong, we should correct the wiki rather than the pointer.

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
JBR   with qualifications in linguistics, experience as a Debian sysadmin,
      and probably no clue about this particular package
diff --git a/en/issues.dbk b/en/issues.dbk index 35841ee6..b69e7dbe 100644 --- a/en/issues.dbk +++ b/en/issues.dbk @@ -39,6 +39,22 @@ information mentioned in <xref linkend="morereading"/>. </para> </section> + <section id="hidepid-unsupported"> + <!-- stretch to buster--> + <title>Hidepid mount options for procfs unsupported</title> + <para> + The hidepid mount options to <filename>/proc</filename> are known to cause + problems with current versions of systemd, and are considered by systemd + upstream to be an unsupported configuration. Users who have modified + <filename>/etc/fstab</filename> to enable these options are advised to + disable them before the upgrade, to ensure login sessions work on + &releasename;. (A possible route to re-enabling them is outlined on the + wiki's <ulink + url="https://wiki.debian.org/Hardening#Mounting_.2Fproc_with_hidepid">Hardening</ulink> + page.) + </para> + </section> + <section id="noteworthy-obsolete-packages" condition="fixme"> <title>Noteworthy obsolete packages</title> <para>
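Review bot: "current versions of systemd" in the new <para> will go stale, since issues.dbk is read for years after the release; the same sentence already uses the &releasename; entity, so phrasing it as "the version of systemd in &releasename;" pins the claim to the release this section is about. It would also help readers (and later editors of the notes) to cite the bug numbers the report itself lists (#819808, #892585, #897654) so the "known to cause problems" statement is traceable. Minor style point: the `<!-- stretch to buster-->` marker lacks the space before `-->` that the surrounding comments in this file normally carry.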
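As an added example, not part of this bug report or the release-notes patch, here is a small POSIX shell check an administrator could run before the dist-upgrade to find the /proc entries in /etc/fstab that set hidepid=, i.e. the lines the proposed section asks users to disable. The function name find_hidepid_proc and the sample fstab contents are my own constructions; the field layout assumed (fs_spec fs_file fs_vfstype fs_mntops dump pass) is the standard fstab one.

```shell
#!/bin/sh
# Added example (not from the bug report or the release-notes patch):
# list /proc entries in an fstab-style file that carry a hidepid= mount
# option, so an admin can see what to disable before upgrading to buster.
# Assumed field layout: fs_spec fs_file fs_vfstype fs_mntops [dump pass].

# find_hidepid_proc FILE
#   Prints "spec mountpoint type options" for every active (non-comment)
#   line whose mount point is /proc and whose options include hidepid=.
#   Exit status is grep-like: 0 if at least one such line was found,
#   1 if none was.
find_hidepid_proc() {
    awk '
        # skip comment lines; match only the /proc mount point; look for
        # hidepid= as a whole option, at the start or after a comma
        $1 !~ /^#/ && $2 == "/proc" && $4 ~ /(^|,)hidepid=/ {
            found = 1
            print $1 " " $2 " " $3 " " $4
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample fstab for demonstration (not any real system's file).
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# /etc/fstab: static file system information (constructed sample)
UUID=0000-root  /      ext4  errors=remount-ro        0 1
proc            /proc  proc  defaults,hidepid=2,gid=proc  0 0
# proc          /proc  proc  defaults,hidepid=1       0 0
EOF

if find_hidepid_proc "$SAMPLE_FSTAB"; then
    echo "hidepid is set for /proc in the line(s) above; disable it before the upgrade"
else
    echo "no hidepid entries for /proc"
fi
rm -f "$SAMPLE_FSTAB"
```

Because /proc/mounts uses the same six-field layout, the same function can be pointed at /proc/mounts to show whether hidepid is currently active on the running system, independent of what /etc/fstab says.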