[lxc-users] /proc/self/cgroup after setuid

Chaetoo3 Chaetoo3 at protonmail.com
Fri Jun 29 18:31:47 UTC 2018


On June 29, 2018 7:47 AM, Fiedler Roman <Roman.Fiedler at ait.ac.at> wrote:


> I am not sure, if this is the reason for your problem but special files and SUID
> binaries can be quite dangerous. Therefore quite strict access limitations might

Yes... I agree, that is true.  This is just for my own use.

Anyway, it still seems weird to me that calling into the lxc API would need write permissions to /proc/self/cgroup controllers, when it shouldn't write those (I think?), but instead should want to write to /proc/<pid-for-container-something>/cgroup controllers.

Without that requirement, I believe what I'm doing would work.  I have encapsulated my non-priv containers under a dedicated user, so if something escapes the container, it will not see my normal user data.  Then I added my normal user to the container user's group.  This works: I can "sudo containeruser lxc-something" from my normal user and manage the containers via command line.  It's only if I have code which calls setuid() to get to the same container uid that I have trouble.
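One kernel side effect worth checking in any wrapper that calls setuid() itself, as an added example (this is not code from this thread or from the LXC project, and whether it is the cause of the problem described above is an assumption, not something the thread confirms): when a process changes its uid or gid, the kernel clears its "dumpable" flag, and the /proc/<pid> tree of a non-dumpable process (so everything under /proc/self) becomes owned by root of the owning user namespace instead of by the process's own uid. The process can then no longer open files under /proc/self for writing, even though it is running as the right user. The program below drops to a target uid/gid in the safe order, reports the dumpable state and the owner of /proc/self, and shows the usual remedy, prctl(PR_SET_DUMPABLE, 1) after the credential change. The target uid and gid are taken from the command line, defaulting to the current ids, so it can be run unprivileged as a no-op drop.

```c
/* Added example, not code from the lxc project or from this thread.
 * Demonstrates the dumpable/setuid interaction: after a uid/gid change
 * the kernel clears the dumpable flag, and /proc/self is then owned by
 * root of the owning user namespace, so it cannot be written by the
 * process itself. prctl(PR_SET_DUMPABLE, 1) restores ownership.
 * Whether this is the cause of the thread's problem is an assumption. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Drop to uid/gid in the safe order: supplementary groups, then gid,
 * then uid, setting real/effective/saved ids together so there is no
 * saved id left behind to climb back with. Returns 0 on success,
 * -1 on failure with errno set. The result is verified, not assumed. */
int drop_to_uid(uid_t uid, gid_t gid)
{
    /* Only a privileged process may rewrite supplementary groups; an
     * unprivileged caller keeps its own set, which is all it may do. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    if (ru != uid || eu != uid || su != uid ||
        rg != gid || eg != gid || sg != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Current dumpable flag: 0 = not dumpable (set by the kernel after a
 * uid/gid change), 1 = dumpable, -1 on error. */
int dumpable_state(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Owner uid of this process's /proc/self directory as the kernel reports
 * it. For a dumpable process this is our euid; otherwise it is root. */
int proc_self_uid(uid_t *owner)
{
    struct stat st;
    if (stat("/proc/self", &st) != 0)
        return -1;
    *owner = st.st_uid;
    return 0;
}

/* Re-enable the dumpable flag so /proc/self is owned by our euid again.
 * Trade-off: a dumpable process can be ptraced by other processes of the
 * same uid and will write core dumps, so only do this where it is needed. */
int make_proc_self_writable(void)
{
    return prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
}

int main(int argc, char **argv)
{
    /* Hypothetical usage: ./setuid-check <uid> <gid>; defaults to our own ids. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (argc == 3) {
        uid = (uid_t)strtoul(argv[1], NULL, 10);
        gid = (gid_t)strtoul(argv[2], NULL, 10);
    }
    uid_t owner = (uid_t)-1;

    if (drop_to_uid(uid, gid) != 0) {
        perror("drop_to_uid");
        return 1;
    }
    proc_self_uid(&owner);
    printf("after setuid:          dumpable=%d /proc/self owner uid=%u\n",
           dumpable_state(), (unsigned)owner);

    if (make_proc_self_writable() != 0) {
        perror("prctl(PR_SET_DUMPABLE)");
        return 1;
    }
    proc_self_uid(&owner);
    printf("after PR_SET_DUMPABLE: dumpable=%d /proc/self owner uid=%u\n",
           dumpable_state(), (unsigned)owner);
    return 0;
}
```

Run it as root with the container user's uid and gid to see the first line report dumpable=0 with /proc/self owned by uid 0, and the second line report dumpable=1 with /proc/self owned by the container uid; a sudo-based invocation never hits this because sudo execs a fresh binary, which starts dumpable.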



