On Mon, 12.03.12 14:28, Colin Guthrie ([email protected]) wrote:

> > It is a security feature. However, what is key here is that leaving a
> > control group is a privileged operation. That's how things work on Unix:
> > if you are root you can do whatever you want. You have the right to
> > ptrace anything, you can dump the whole system memory, you have the full
> > power over everything. On Unix, there is no further access control
> > enforced if you managed to become root, and that does make a lot of
> > sense that way (well, with capabilities you can make root privs more
> > fine-grained, but that's beside the point, because to be true root you
> > have all caps).
>
> Ahh I see, so the only reason my test case could "escape" the cgroup is
> because it was obviously root at the time it made a run for it.

Yes,

> Now that it's properly got the User=apache declaration in the unit,
> issuing further su commands will not result in any escape.

Well, su is suid root, so it will execute pam_systemd as root and hence
allow the "escape". (But that said I wouldn't call this "escape"
anyway. It's more of a "regrouping" done by systemd following defined
rules.)

Lennart

--
Lennart Poettering - Red Hat, Inc.
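
A defender-side check for the regrouping discussed in this thread, as an added example that is not part of the original message: it parses the contents of `/proc/<pid>/cgroup` and reports which processes started under a unit are no longer inside that unit's cgroup. The function names, the unit name `httpd.service`, the PIDs and the cgroup paths in the sample are constructed for illustration and are assumptions, not values from the thread.

```python
# Added example (not from the thread). All sample data below is constructed.

def systemd_cgroup_path(cgroup_text):
    """Return the systemd-managed cgroup path from /proc/<pid>/cgroup contents.

    Each line is "hierarchy-id:controller-list:path". The systemd tree is the
    named v1 hierarchy "name=systemd"; on a unified (v2) host it is "0::path".
    """
    unified = None
    for line in cgroup_text.splitlines():
        fields = line.strip().split(":", 2)
        if len(fields) != 3:
            continue  # skip malformed or empty lines
        hier_id, controllers, path = fields
        if controllers == "name=systemd":
            return path  # v1/hybrid layout: the named hierarchy wins
        if hier_id == "0" and controllers == "":
            unified = path
    return unified


def in_unit(path, unit):
    """True if the path is the unit's cgroup or a descendant of it."""
    return path is not None and unit in path.split("/")


def regrouped_pids(procs, unit):
    """PIDs whose systemd cgroup is no longer inside `unit`."""
    return sorted(pid for pid, text in procs.items()
                  if not in_unit(systemd_cgroup_path(text), unit))


# Constructed /proc/<pid>/cgroup contents for processes descended from the
# service's main PID (path layouts are assumed for illustration).
SAMPLE = {
    812: "4:cpu:/system/httpd.service\n1:name=systemd:/system/httpd.service\n",
    901: "4:cpu:/\n1:name=systemd:/user/alice/7\n",           # after su + pam_systemd
    950: "0::/system.slice/httpd.service\n",                   # unified hierarchy
    951: "0::/user.slice/user-1000.slice/session-7.scope\n",   # new login session
}

if __name__ == "__main__":
    for pid in regrouped_pids(SAMPLE, "httpd.service"):
        print(pid, systemd_cgroup_path(SAMPLE[pid]))
```

On a live host the same functions can be fed the text read from `/proc/<pid>/cgroup` for each descendant of the service's main process.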
