[lxc-users] /proc/self/cgroup after setuid
Fiedler Roman
Roman.Fiedler at ait.ac.at
Fri Jun 29 07:47:11 UTC 2018
> Von: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] Im Auftrag
>
> Hi!
>
> I have a small locally written app which performs setuid()/setgid() to a non-
> root user, and then calls the lxc C api.
>
> I noticed that various of the calls would fail, and after sniffing around, I have a
> hint. Before looking into /proc/<pid>/cgroup, the lxclib first checks
> /proc/self/cgroup and fails if lacking write access to all it finds. That is okay
> except that /proc/self/cgroup "latches" to the invoking user and does not
> change after setuid.
I am not sure, if this is the reason for your problem but special files and SUID
binaries can be quite dangerous. Therefore quite strict access limitations might
be on those files, some even stricter than implied by file system permission.
This was needed to e.g. mitigate privilege escalations via the proc file system,
like the one described here https://lwn.net/Articles/476947/
Thus who may open/write what/when might seems quite counter-intuitive. Even
open file descriptors may change their behaviour while open due to program
calling exec() or set[ug]id.
> ...
More information about the lxc-users
mailing list