[CRIU] [PATCH] security: check_ids - return true if [se]?[ug]id is the same as task id

Pavel Emelyanov xemul at parallels.com
Tue Jun 17 06:35:50 PDT 2014


On 06/17/2014 05:30 PM, Andrew Vagin wrote:
> On Tue, Jun 17, 2014 at 04:15:31PM +0400, Pavel Emelyanov wrote:
>> On 06/17/2014 01:40 PM, Andrew Vagin wrote:
>>
>>> We was talking with you about the third one. Images are created from a
>>> suid user. On restore criu checks that images are belonged to this user.
>>>
>>> Only root can change file owners, so it looks secure.
>>
>> Well, yes. I've already expressed this idea in another sub-thread.
>> Files belonging to root and having no write perms for anyone else
>> are safe to be used as restore images regardless of contents.
> 
> It is not the same. Why they should belong to root? 

To whom? To some other user? This is also insecure.

> Or may be root a code name for suid (Saved User ID)?

What?

Thanks,
Pavel


More information about the CRIU mailing list