[lxc-users] /proc/self/cgroup after setuid

Chaetoo3 Chaetoo3 at protonmail.com
Fri Jun 29 00:45:56 UTC 2018


Hi!

I have a small locally written app which performs setuid()/setgid() to a non-root user, and then calls the lxc C api.

I noticed that various of the calls would fail, and after sniffing around, I have a hint.  Before looking into /proc/<pid>/cgroup, the lxclib first checks /proc/self/cgroup and fails if it lacks write access to all it finds.  That is okay except that /proc/self/cgroup "latches" to the invoking user and does not change after setuid.

An example from the shell (but it's the same story), cat /proc/self/cgroup shows me controllers like this:

    4:pids:/user.slice/user-1000.slice/session-3.scope

where 1000 is my own user ID, who started the cat.  If I do the same via code but first setuid(1005), it still shows as user-1000, and the 1005 user has no permission to write the controllers.  Then it fails.

If my app has its own PID, which isn't the PID of the container, I don't understand why it would be needed to write to /proc/self/cgroup controllers.  Or maybe that /proc/somepid/cgroup file should be updated by the OS after somepid does setuid? I'm not sure.  Or maybe lxclib could tolerate this better and only need writing to /proc/pid/cgroup controllers?  Anyway, from the C API it seems like it should never need to write to self, only to the one for the right PID.

I am just learning all these things.  Does anyone know of a workaround to this? Or some way I am thinking wrong?

