Quoting J. Xiao (j...@linux.vnet.ibm.com):

> I checked that all the capabilities are up before opening the shmmax file.
> If I seteuid to 0, the open succeeds. There seems to be a difference
> between having a root euid and a regular user having root capabilities
> in terms of writing to the shmmax file.
Yup, for sysctl files your uid is checked. A simple program to demonstrate:

/* Build with: gcc -o shmtest shmtest.c -lcap   (run as root) */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/prctl.h>
#include <sys/capability.h>

/* Raise capabilities 0..31 back into the effective set; seteuid() to a
 * non-zero uid clears the effective set but (with KEEPCAPS) leaves the
 * permitted set intact. */
void setcaps(void)
{
	cap_value_t v;
	cap_t caps = cap_get_proc();

	if (caps == NULL) {
		perror("cap_get_proc");
		return;
	}
	for (v = 0; v < 32; v++)
		cap_set_flag(caps, CAP_EFFECTIVE, 1, &v, CAP_SET);
	if (cap_set_proc(caps) < 0)
		perror("cap_set_proc");
	cap_free(caps);
}

int main(void)
{
	prctl(PR_SET_KEEPCAPS, 1);	/* keep permitted caps across the uid change */
	if (seteuid(1000) < 0)
		perror("seteuid");
	setcaps();			/* euid is now 1000, but effective caps are full again */

	FILE *f = fopen("/proc/sys/kernel/shmmax", "w");
	if (f == NULL)
		perror("fopen");	/* fails: the sysctl permission check looks at euid */
	else
		fclose(f);

	printf("I am %d\n", getpid());
	sleep(20);	/* if you want a chance to check /proc/$pid/status */
	exit(0);
}

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
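Added example, not code from the original post or from the LXC project: a program that sets up the same state as the one discussed in the thread (euid 1000, CAP_DAC_OVERRIDE raised back into the effective set) and then attempts a write-open on two targets side by side, a root-owned mode 0600 file it creates itself and /proc/sys/kernel/shmmax. The contrast is the point: an ordinary file's DAC check yields to CAP_DAC_OVERRIDE, while the sysctl file still refuses because the effective uid is what gets checked. It uses the raw capget/capset syscalls instead of libcap so it builds with no extra library. The scratch path /tmp/capdemo_root_only and the uid 1000 are constructed values, and the demonstration part must be started as root; the parsing helpers cap_in_mask(), status_field() and status_has_cap() read the CapEff line the same way one checks /proc/$pid/status by hand and need no privilege.

```c
// Added example (not from the mailing-list post): euid vs. capabilities when
// opening a sysctl file, contrasted with an ordinary root-owned file.
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Return 1 if capability number `cap` is set in a hex mask as printed on the
 * CapEff:/CapPrm: lines of /proc/<pid>/status, else 0. */
int cap_in_mask(const char *hexmask, int cap)
{
	unsigned long long mask = strtoull(hexmask, NULL, 16);
	if (cap < 0 || cap >= 64)
		return 0;
	return (int)((mask >> cap) & 1ULL);
}

/* Copy the value of the "<key>" line from a /proc/<pid>/status-style buffer. */
int status_field(const char *buf, const char *key, char *out, size_t outlen)
{
	const char *p = strstr(buf, key);
	if (!p)
		return -1;
	p += strlen(key);
	while (*p == ' ' || *p == '\t')
		p++;
	size_t n = strcspn(p, "\n");
	if (n >= outlen)
		n = outlen - 1;
	memcpy(out, p, n);
	out[n] = '\0';
	return 0;
}

/* Does the capability mask on line `key` of `buf` contain `cap`? */
int status_has_cap(const char *buf, const char *key, int cap)
{
	char val[64];
	if (status_field(buf, key, val, sizeof val) < 0)
		return 0;
	return cap_in_mask(val, cap);
}

/* Raise CAP_DAC_OVERRIDE into the effective set of the calling thread.
 * Works only if it is still in the permitted set (hence PR_SET_KEEPCAPS). */
static int raise_dac_override(void)
{
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct data[2];
	if (syscall(SYS_capget, &hdr, data) < 0)
		return -1;
	data[0].effective |= (1u << CAP_DAC_OVERRIDE);
	return (int)syscall(SYS_capset, &hdr, data);
}

/* Try to open `path` for writing (no O_CREAT) and report the outcome. */
static void try_write_open(const char *path)
{
	int fd = open(path, O_WRONLY);
	if (fd < 0) {
		printf("%-28s open(O_WRONLY) failed: %s\n", path, strerror(errno));
	} else {
		printf("%-28s open(O_WRONLY) succeeded\n", path);
		close(fd);
	}
}

int main(void)
{
	const char *scratch = "/tmp/capdemo_root_only";	/* constructed path for the demo */
	char buf[4096], uid[64] = "?", capeff[64] = "?";

	if (geteuid() != 0) {
		fprintf(stderr, "start as root: the demo drops euid while keeping caps\n");
		return 1;
	}
	/* Root-owned, mode 0600: plain DAC applies to this file. */
	int fd = open(scratch, O_WRONLY | O_CREAT | O_TRUNC, 0600);
	if (fd < 0) { perror("create scratch"); return 1; }
	close(fd);

	prctl(PR_SET_KEEPCAPS, 1);		/* keep permitted caps across the uid change */
	if (seteuid(1000) < 0) { perror("seteuid"); return 1; }	/* constructed uid */
	if (raise_dac_override() < 0) { perror("capset"); return 1; }

	/* Show the state the kernel now sees for this process. */
	FILE *st = fopen("/proc/self/status", "r");
	size_t n = st ? fread(buf, 1, sizeof buf - 1, st) : 0;
	buf[n] = '\0';
	if (st) fclose(st);
	status_field(buf, "Uid:", uid, sizeof uid);
	status_field(buf, "CapEff:", capeff, sizeof capeff);
	printf("Uid: %s  CapEff: %s  CAP_DAC_OVERRIDE effective: %d\n",
	       uid, capeff, cap_in_mask(capeff, CAP_DAC_OVERRIDE));

	try_write_open(scratch);			/* DAC bypassed by CAP_DAC_OVERRIDE */
	try_write_open("/proc/sys/kernel/shmmax");	/* refused: euid 1000 is checked */

	seteuid(0);		/* saved uid is still 0, so root is recoverable for cleanup */
	unlink(scratch);
	return 0;
}
```

Build with `gcc -o capdemo capdemo.c` and run it as root; the first open succeeds and the second reports EACCES even though the CapEff line shows CAP_DAC_OVERRIDE set. Inside an LXC container the same check applies to whatever euid the container's processes run as, so granting capabilities alone does not turn a non-zero uid into one that can write sysctls.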