[CRIU] [PATCH] security: set suid flag on crtools and check real uid on dump/restore
Ruslan Kuprieiev
kupruser at gmail.com
Wed Oct 2 06:54:04 PDT 2013
On 02.10.2013 13:25, Pavel Emelyanov wrote:
> On 10/02/2013 05:00 PM, Ruslan Kuprieiev wrote:
>> Hi!
>>
>> Lets set suid flag on crtools, so non-root users could dump/restore
>> their own tasks and start service for their own tasks. On start criu
>> will get it's real uid and will allow user to dump/restore only tasks
>> that he own.
>>
>> Signed-off-by: Ruslan Kuprieiev <kupruser at gmail.com>
>>
> I don't quite understand the logic behind security_init() + restrict_uid()
> and the need in two uids stores in security.c
I think we can extend security_init later with some extra features (but
I don't know with which, though:)). Also checkpatch.pl was mad about
initializing static variables with zeros:).
And restrict_uid() will be used very often in cr
I think we may need to remember real uid, so if non-root will start
service, he won't be able to change his "effective" uid and dump/restore
tasks with other uids. It looks better to me, than resolving this
situation in cr-service. Also i do think that ruid may be in handy later.
Or just use getuid() every time, instead of declaring second uid?
More information about the CRIU
mailing list