Hi!
I have a small locally written app which performs setuid()/setgid() to a
non-root user, and then calls the lxc C api.
I noticed that various calls would fail, and after sniffing around, I
have a hint. Before looking into /proc/<pid>/cgroup, the lxclib first checks
/proc/self/cgroup and fails if lacking write access to all it finds. That is
okay except that /proc/self/cgroup "latches" to the invoking user and does not
change after setuid.
An example from the shell (but it's the same story): cat /proc/self/cgroup
shows me controllers like this:
4:pids:/user.slice/user-1000.slice/session-3.scope
where 1000 is my own user ID, who started the cat. If I do the same via code
but first setuid(1005), it still shows user-1000, and the 1005 user has no
permission to write the controllers. Then it fails.
If my app has its own PID, which isn't the PID of the container, I don't
understand why it would be needed to write to /proc/self/cgroup controllers.
Or maybe that /proc/somepid/cgroup file should be updated by the OS after
somepid does setuid? I'm not sure. Or maybe lxclib could tolerate this better
and only need writing to /proc/pid/cgroup controllers? Anyway from the C api
seems like it should never need to write to self, only to the one for the right
PID.
I am just learning all these things. Does anyone know of a workaround for this?
Or is there some way I am thinking about this wrong?
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
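The following diagnostic is an added example illustrating the situation the post describes; it is not code from the original message or from the LXC library. It parses /proc/self/cgroup in the `hierarchy:controllers:path` form shown above, builds the sysfs directory for each entry, and reports whether the effective uid can write there, once before and once after dropping privileges to a named user. It assumes cgroup v1 controllers are mounted at /sys/fs/cgroup/<controller> (named hierarchies such as `name=systemd` under their bare name) and the v2 unified hierarchy, hierarchy id 0, directly at /sys/fs/cgroup; the program name and target user in the usage comment are placeholders.

```c
/* Added example: show which cgroup directories listed in /proc/self/cgroup
 * the current effective uid may write, before and after setuid(). Not part of
 * the original post or of LXC. Assumes v1 controllers under
 * /sys/fs/cgroup/<controller> and the v2 unified hierarchy at /sys/fs/cgroup. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CGROUP_MOUNT "/sys/fs/cgroup"

struct cgroup_entry {
    int hierarchy;          /* hierarchy id; 0 means the v2 unified hierarchy */
    char controllers[128];  /* comma-separated controller list; "" for v2 */
    char path[256];         /* cgroup path relative to the hierarchy root */
};

/* Parse one "hierarchy:controllers:path" line of /proc/self/cgroup.
 * Returns 0 on success, -1 on a malformed line. A trailing newline is ignored. */
int parse_cgroup_line(const char *line, struct cgroup_entry *e)
{
    const char *c1 = strchr(line, ':');
    if (!c1) return -1;
    const char *c2 = strchr(c1 + 1, ':');
    if (!c2) return -1;

    char *end;
    long h = strtol(line, &end, 10);
    if (end != c1 || h < 0) return -1;
    e->hierarchy = (int)h;

    size_t clen = (size_t)(c2 - (c1 + 1));
    if (clen >= sizeof e->controllers) return -1;
    memcpy(e->controllers, c1 + 1, clen);
    e->controllers[clen] = '\0';

    const char *p = c2 + 1;
    size_t plen = strlen(p);
    if (plen > 0 && p[plen - 1] == '\n') plen--;
    if (plen == 0 || plen >= sizeof e->path || p[0] != '/') return -1;
    memcpy(e->path, p, plen);
    e->path[plen] = '\0';
    return 0;
}

/* Build the directory holding an entry's cgroup files. For v1 the first
 * controller names the mount ("cpu,cpuacct" -> /sys/fs/cgroup/cpu,
 * "name=systemd" -> /sys/fs/cgroup/systemd); for v2 the path hangs directly
 * under the unified mount. Returns the length written, or -1 on overflow. */
int cgroup_dir(const struct cgroup_entry *e, char *out, size_t outsz)
{
    int n;
    if (e->hierarchy == 0 || e->controllers[0] == '\0') {
        n = snprintf(out, outsz, "%s%s", CGROUP_MOUNT, e->path);
    } else {
        char ctrl[sizeof e->controllers];
        strcpy(ctrl, e->controllers);
        char *comma = strchr(ctrl, ',');
        if (comma) *comma = '\0';
        const char *name = strncmp(ctrl, "name=", 5) == 0 ? ctrl + 5 : ctrl;
        n = snprintf(out, outsz, "%s/%s%s", CGROUP_MOUNT, name, e->path);
    }
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Walk /proc/self/cgroup and print whether each directory is writable for
 * the effective ids at call time (AT_EACCESS, which is what matters after
 * setuid). Returns the count of non-writable entries, or -1 if unreadable. */
int report_cgroup_access(const char *label)
{
    FILE *f = fopen("/proc/self/cgroup", "r");
    if (!f) return -1;
    char line[512], dir[512];
    struct cgroup_entry e;
    int denied = 0;
    printf("[%s] euid=%u\n", label, (unsigned)geteuid());
    while (fgets(line, sizeof line, f)) {
        if (parse_cgroup_line(line, &e) != 0 || cgroup_dir(&e, dir, sizeof dir) < 0)
            continue;
        int writable = faccessat(AT_FDCWD, dir, W_OK, AT_EACCESS) == 0;
        if (!writable) denied++;
        printf("  %-50s %s\n", dir, writable ? "writable" : "NOT writable");
    }
    fclose(f);
    return denied;
}

/* Usage (placeholder names): run as root, e.g. ./cgroup_check someuser.
 * The second report lists the same /proc/self/cgroup paths as the first:
 * cgroup membership does not follow the uid change, only the access result does. */
int main(int argc, char **argv)
{
    report_cgroup_access("before setuid");
    if (argc > 1) {
        struct passwd *pw = getpwnam(argv[1]);
        if (!pw) { fprintf(stderr, "unknown user %s\n", argv[1]); return 1; }
        if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
            perror("setgid/setuid");
            return 1;
        }
        report_cgroup_access("after setuid");
    }
    return 0;
}
```

Running it as root with a non-root target user reproduces the post's observation: the directory list printed after the uid change is identical to the one before, while the writability column flips for the session's cgroups, which is why a check that requires write access to every entry of /proc/self/cgroup fails once privileges have been dropped.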