[lxc-users] /proc/self/cgroup after setuid
Chaetoo3
Chaetoo3 at protonmail.com
Fri Jun 29 00:45:56 UTC 2018
Hi!
I have a small locally written app which performs setuid()/setgid() to a non-root user, and then calls the lxc C api.
I noticed that various of the calls would fail, and after sniffing around, I have a hint. Before looking into /proc/<pid>/cgroup, the lxclib first checks /proc/self/cgroup and fails if lacking write access to all it finds. That is okay except that /proc/self/cgroup "latches" to the invoking user and does not change after setuid.
An example from the shell (but it's the same story), cat /proc/self/cgroup shows me controllers like this:
4:pids:/user.slice/user-1000.slice/session-3.scope
where 1000 is my own user ID who started the cat. If I do the same via code but first setuid(1005), it still shows as user-1000, and the 1005 user has no permissions to write to those controllers. Then it fails.
If my app has its own PID, which isn't the PID of the container, I don't understand why it would be needed to write to the /proc/self/cgroup controllers. Or maybe that /proc/somepid/cgroup file should be updated by the OS after somepid does setuid? I'm not sure. Or maybe lxclib could tolerate this better and only need write access to the /proc/pid/cgroup controllers? Anyway, from the C API it seems like it should never need to write to self, only to the one for the right PID.
I am just learning all these things. Does anyone know of a workaround to this? Or is there some way I am thinking wrong?
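The following program is an added example for this thread; it is not the poster's app and not part of the LXC C API. It reads and parses /proc/self/cgroup, maps each line to its controller directory, and reports whether the current effective uid can write that directory, once before and once after dropping to a target uid (1005 as in the message above, overridable on the command line). It assumes a cgroup v1 layout mounted at /sys/fs/cgroup/<controller> (the "name=systemd" controller is mounted as /sys/fs/cgroup/systemd), and treats a cgroup v2 unified line "0::/path" as /sys/fs/cgroup/path; a hybrid layout with the unified tree elsewhere is not handled. Run it as root so the setuid() succeeds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* One line of /proc/<pid>/cgroup: "<hierarchy-id>:<controllers>:<path>" */
struct cgroup_entry {
    int hierarchy;
    char controllers[64];   /* empty string for the cgroup v2 unified line */
    char path[256];
};

/* Parse one /proc/<pid>/cgroup line. Returns 1 on success, 0 on a malformed line. */
int parse_cgroup_line(const char *line, struct cgroup_entry *e)
{
    const char *p1 = strchr(line, ':');
    if (!p1) return 0;
    const char *p2 = strchr(p1 + 1, ':');
    if (!p2) return 0;
    e->hierarchy = atoi(line);
    size_t clen = (size_t)(p2 - (p1 + 1));
    if (clen >= sizeof e->controllers) return 0;
    memcpy(e->controllers, p1 + 1, clen);
    e->controllers[clen] = '\0';
    size_t plen = strcspn(p2 + 1, "\n");
    if (plen >= sizeof e->path) return 0;
    memcpy(e->path, p2 + 1, plen);
    e->path[plen] = '\0';
    return 1;
}

/* Build the directory for an entry under the assumed cgroup mount root.
 * v1: <root>/<controller><path>  ("name=systemd" becomes "systemd")
 * v2: <root><path>                (controllers field is empty)
 * Returns 1 if the result fits in out, 0 otherwise. */
int cgroup_dir(const struct cgroup_entry *e, const char *root, char *out, size_t outlen)
{
    int n;
    if (e->controllers[0] == '\0') {
        n = snprintf(out, outlen, "%s%s", root, e->path);
    } else {
        const char *c = strncmp(e->controllers, "name=", 5) == 0
                            ? e->controllers + 5 : e->controllers;
        n = snprintf(out, outlen, "%s/%s%s", root, c, e->path);
    }
    return n > 0 && (size_t)n < outlen;
}

/* Read /proc/self/cgroup and report, per hierarchy, whether the current
 * effective uid may write the controller directory. The cgroup paths are a
 * property of the process, so they do not change when the uid changes. */
static void report_writable(const char *label)
{
    FILE *f = fopen("/proc/self/cgroup", "r");
    if (!f) { perror("fopen /proc/self/cgroup"); return; }
    char line[512], dir[512];
    struct cgroup_entry e;
    printf("[%s] euid=%u\n", label, (unsigned)geteuid());
    while (fgets(line, sizeof line, f)) {
        if (!parse_cgroup_line(line, &e)) continue;
        if (!cgroup_dir(&e, "/sys/fs/cgroup", dir, sizeof dir)) continue;
        printf("  %-14s %s  writable=%s\n",
               e.controllers[0] ? e.controllers : "(unified)", e.path,
               access(dir, W_OK) == 0 ? "yes" : "no");
    }
    fclose(f);
}

int main(int argc, char **argv)
{
    /* 1005 is the uid from the post; any other uid can be given as argv[1]. */
    uid_t target = argc > 1 ? (uid_t)atoi(argv[1]) : 1005;
    report_writable("before setuid");
    if (setgid(target) != 0 || setuid(target) != 0) {
        perror("setgid/setuid (run as root to drop to the target uid)");
        return 1;
    }
    report_writable("after setuid");
    return 0;
}
```

Compile with `cc -o cgroup_check cgroup_check.c` and run `sudo ./cgroup_check 1005`. The "after setuid" block lists the same hierarchy paths as the "before" block, which is the latching the message describes: setuid() changes credentials, not cgroup membership, so the process stays in the invoking user's session scope and the writable column flips to "no" wherever the target uid lacks permission on that directory.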