> From: lxc-users [mailto:[email protected]] On behalf of
>
> Hi!
>
> I have a small locally written app which performs setuid()/setgid() to a non-root user, and then calls the lxc C API.
>
> I noticed that various of the calls would fail, and after sniffing around, I have a hint. Before looking into /proc/<pid>/cgroup, the lxclib first checks /proc/self/cgroup and fails if lacking write access to all it finds. That is okay except that /proc/self/cgroup "latches" to the invoking user and does not change after setuid.
I am not sure if this is the reason for your problem, but special files and SUID binaries can be quite dangerous. Therefore quite strict access limitations might apply to those files, some even stricter than implied by the file system permissions. This was needed to e.g. mitigate privilege escalations via the proc file system, like the one described here: https://lwn.net/Articles/476947/

Thus who may open/write what/when might seem quite counter-intuitive. Even open file descriptors may change their behaviour while open, due to the program calling exec() or set[ug]id.

> ...

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
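As an added example (not code from either message above, and not from the lxc project), the following C program demonstrates the kernel rule documented in proc(5) and prctl(2) that produces exactly the "latching" symptom described in the first message: the entries under /proc/<pid>/ are owned by the process's effective uid only while its "dumpable" flag is 1, and are reported as root:root otherwise. A change of effective uid or gid, such as the setuid()/setgid() in the original poster's app, resets that flag to the value of fs.suid_dumpable (0 by default), so after dropping from root the process's own /proc/self files no longer belong to the new uid. The program cannot change uid unprivileged, so it flips the flag directly with prctl(2), which any process may do; it stats /proc/self/status rather than /proc/self/cgroup only because status exists on every kernel. The function names are the example's own.

```c
/* Added example: /proc/self/* ownership follows the "dumpable" flag.
 * Documented in proc(5) ("ownership is made root:root if the process's
 * dumpable attribute is set to a value other than 1") and prctl(2). */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Owner uid of a /proc entry as the kernel reports it right now, or
 * (uid_t)-1 if stat() fails (e.g. the entry does not exist here). */
uid_t proc_owner_uid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return (uid_t)-1;
    return st.st_uid;
}

/* Set or clear the dumpable flag. Unprivileged processes may do this
 * freely; the same flag is what setuid() resets to fs.suid_dumpable. */
int set_dumpable(int on)
{
    return prctl(PR_SET_DUMPABLE, on ? 1 : 0, 0, 0, 0);
}

int get_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Returns 1 if the entry's owner is our euid while dumpable and snaps to
 * root (uid 0) while non-dumpable, 0 if the kernel behaves differently,
 * -1 on error. Leaves the process dumpable on return. */
int owner_follows_dumpable(const char *path)
{
    uid_t me = geteuid();
    uid_t before, during, after;

    if (set_dumpable(1) != 0)
        return -1;
    before = proc_owner_uid(path);      /* expect: our euid */
    if (set_dumpable(0) != 0)
        return -1;
    during = proc_owner_uid(path);      /* expect: 0, i.e. root */
    if (set_dumpable(1) != 0)
        return -1;
    after = proc_owner_uid(path);       /* expect: our euid again */

    if (before == (uid_t)-1 || during == (uid_t)-1 || after == (uid_t)-1)
        return -1;
    return (before == me && during == 0 && after == me) ? 1 : 0;
}

int main(void)
{
    const char *paths[] = { "/proc/self/status", "/proc/self/cgroup" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        set_dumpable(1);
        printf("%s: owner uid %ld while dumpable, ",
               paths[i], (long)proc_owner_uid(paths[i]));
        set_dumpable(0);
        printf("%ld while non-dumpable (euid %ld)\n",
               (long)proc_owner_uid(paths[i]), (long)geteuid());
        set_dumpable(1);
    }
    printf("follows dumpable: %d\n",
           owner_follows_dumpable("/proc/self/status"));
    return 0;
}
```

The practical consequence for a program that drops privileges and then needs its own /proc/self entries (or any permission check derived from them) to follow the new uid is to call `prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)` after the setuid()/setgid() pair. The caveat is the reason the kernel resets the flag in the first place: a dumpable process can be ptraced and core-dumped by its new uid, so it must be re-enabled only once no root-only secrets or descriptors remain in the process.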
