Mayur Shingare

TECH

Hidepid breaks KDE Polkit Authentication Agent

If you recently enabled hidepid, you may have noticed some weird errors when opening applications that require super user permissions.
Mayur Shingare

As a part of hardening your Linux, you may enable hidepid option for /proc. But this breaks the interactive authentication provided by the KDE Polkit Authentication Agent. KDE Plasma no longer asks for sudo password.

Symptoms

Error enabling firewall: Interactive authentication required.

Scanning for errors in journalctl for firewalld, you may find -

May 11 20:22:03 arch kcmshell5[6935]: firewalld.client: Job Error:  100 "Interactive authentication required."
May 11 20:22:44 arch kcmshell5[6966]: firewalld.client: Job Error:  100 "Interactive authentication required."

The interactive authentication window is generated by polkit-kde-authentication-agent. It fails to start. Looking into journalctl shows the below error -

May 11 20:05:34 arch polkit-kde-authentication-agent-1[709]: "Cannot create unix session: No session for pid 709" 
May 11 20:05:34 arch polkit-kde-authentication-agent-1[709]: "Cannot register authentication agent!" 
May 11 20:05:34 arch polkit-kde-authentication-agent-1[709]: Authentication agent result: false 
May 11 20:05:34 arch polkit-kde-authentication-agent-1[709]: Couldn't register listener!

The easiest solution is to disable hidepid for /proc again.