[lxc-users] /proc/self/cgroup after setuid
Chaetoo3
Chaetoo3 at protonmail.com
Fri Jun 29 18:31:47 UTC 2018
On June 29, 2018 7:47 AM, Fiedler Roman <Roman.Fiedler at ait.ac.at> wrote:
> I am not sure, if this is the reason for your problem but special files and SUID
> binaries can be quite dangerous. Therefore quite strict access limitations might
Yes... I agree, that is true. This is just for my own use.
Anyway, it still seems weird to me that calling into the lxc API would need write permissions to the /proc/self/cgroup controllers, when it shouldn't write those (I think?), but instead should want to write to the /proc/<pid-for-container-something>/cgroup controllers.
Without that requirement, I believe what I'm doing would work. I have encapsulated my non-priv containers under a dedicated user, so if something escapes the container, it will not see my normal user data. Then I added my normal user to the container user's group. This works: I can "sudo containeruser lxc-something" from my normal user and manage the containers via command line. It's only if I have code which calls setuid() to get to the same container uid that I have trouble.
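An added diagnostic for the situation described in this post (example code written for this page, not from the poster or from the LXC project): setuid() changes the process credentials but not the cgroup the process sits in, so after the switch /proc/self/cgroup still lists the invoking user's cgroups, and those directories are typically not writable by the container user. The program below parses /proc/self/cgroup (both the v1 "id:controllers:path" form and the v2 "0::path" form), maps each entry to its directory under /sys/fs/cgroup (assumed mount point), and prints whether the current real uid may write there, once before and once after dropping to the user named on the command line. It must be started as root (or as a setuid-root binary, with the caveats Roman raised) for the setuid() step to succeed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>

/* One line of /proc/<pid>/cgroup: "<hierarchy-id>:<controllers>:<path>". */
struct cgroup_entry {
    int hierarchy;
    char controllers[64];
    char path[256];
};

/* Parse one /proc/<pid>/cgroup line. Returns 0 on success, -1 if malformed. */
int parse_cgroup_line(const char *line, struct cgroup_entry *e) {
    const char *p = line;
    char *end;
    long id = strtol(p, &end, 10);
    if (end == p || *end != ':') return -1;
    p = end + 1;
    const char *colon = strchr(p, ':');
    if (!colon) return -1;
    size_t clen = (size_t)(colon - p);
    if (clen >= sizeof e->controllers) return -1;
    memcpy(e->controllers, p, clen);
    e->controllers[clen] = '\0';
    p = colon + 1;
    size_t plen = strcspn(p, "\n");
    if (plen >= sizeof e->path) return -1;
    memcpy(e->path, p, plen);
    e->path[plen] = '\0';
    e->hierarchy = (int)id;
    return 0;
}

/* Directory for an entry, assuming cgroupfs is mounted at /sys/fs/cgroup:
 * v1: /sys/fs/cgroup/<controllers><path> ("name=systemd" becomes "systemd");
 * v2 (hierarchy 0, no controllers): /sys/fs/cgroup<path>. */
int cgroup_fs_dir(const struct cgroup_entry *e, char *out, size_t outlen) {
    const char *ctrl = e->controllers;
    if (strncmp(ctrl, "name=", 5) == 0) ctrl += 5;
    int n;
    if (e->hierarchy == 0 && ctrl[0] == '\0')
        n = snprintf(out, outlen, "/sys/fs/cgroup%s", e->path);
    else
        n = snprintf(out, outlen, "/sys/fs/cgroup/%s%s", ctrl, e->path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* List the caller's cgroups and whether the *real* uid can write to each.
 * access(2) checks with the real uid, so in a setuid-root binary the first
 * report reflects the invoking user, not root. */
static void report(const char *label) {
    FILE *f = fopen("/proc/self/cgroup", "r");
    if (!f) { perror("/proc/self/cgroup"); return; }
    char line[512], dir[512];
    struct cgroup_entry e;
    printf("== %s (uid=%u euid=%u)\n", label, (unsigned)getuid(), (unsigned)geteuid());
    while (fgets(line, sizeof line, f)) {
        if (parse_cgroup_line(line, &e) != 0 || cgroup_fs_dir(&e, dir, sizeof dir) != 0)
            continue;
        printf("  %-20s %s  writable=%s\n",
               e.controllers[0] ? e.controllers : "(v2)", dir,
               access(dir, W_OK) == 0 ? "yes" : "no");
    }
    fclose(f);
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <container-user>\n", argv[0]); return 2; }
    struct passwd *pw = getpwnam(argv[1]);          /* hypothetical target user, e.g. containeruser */
    if (!pw) { fprintf(stderr, "no such user: %s\n", argv[1]); return 1; }
    report("before setuid()");
    /* Drop supplementary groups, then switch gid and uid. The process stays in
     * exactly the same cgroups: only the credentials change. */
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
        perror("setuid");
        return 1;
    }
    report("after setuid()");
    return 0;
}
```

If the second report shows the same cgroup paths with writable=no, the process is still parked in the original user's cgroup and lxc has nowhere it may create a child cgroup for the container; running through sudo or a fresh login for the container user starts from that user's own delegated cgroup instead, which is consistent with the difference described above.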