[CRIU] Checkpoint/restore as non-root user

Pavel Emelyanov xemul at parallels.com
Fri Oct 17 04:56:07 PDT 2014


On 10/16/2014 04:48 PM, Filipe Brandenburger wrote:
> Hi Pavel,
> 
> Following up on it, the idea here is to see how much we could do in criu to dump/restore
> an image without requiring (real) root privileges.
> 
> So, one point you raised was that to set the pid we need root, but maybe we could do that
> inside a user namespace and maybe patch the kernel to allow userns root to set the pids 
> inside the pidns?

I was thinking about it. The thing is that switching something in the kernel from capable()
to ns_capable() effectively means allowing the thing for everyone :) I think that the kernel guys
would ask to make this ns_capable() check be per-pid-namespace, so that a user who
wants to create tasks with given PIDs only affects the PID namespace that was created
after the user-ns.

> You mentioned the concern of the user modifying an image on disk and restoring it, but in
> a sense that's akin to attaching gdb to a process and modifying its memory and that's already
> possible without root, right?

Almost. There are bits in creds.img files with UIDs, GIDs and capabilities. Restoring those
in an arbitrary state should not be allowed, but IIRC we have addressed this in the security
checks. So yes, it should be OK.

> Do you think it would be a good feature to exploit? Even if we can't support everything (e.g.
> ttys) I think it would be useful in many cases.

Yes, I was asked some time ago whether we could make CRIU not root-only, so this definitely would
be a useful feature.

Thanks,
Pavel
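The security check Pavel refers to (an unprivileged restorer must not be able to bring a task back with arbitrary UIDs, GIDs or capabilities taken from an edited creds.img) can be modelled in a few dozen lines. The code below is an added example written for this page, not CRIU's own code; the struct layouts, field names, `check_creds_restorable` and `make_creds` are hypothetical, and supplementary groups are left out of the model. A fully capable root restorer keeps the existing behaviour; anyone else may only restore a task whose every UID/GID slot is their own and whose capability sets fit inside what they already hold.

```c
/*
 * Added example, not CRIU's own code: a model of the "may a non-root user
 * restore these credentials?" check.  Structures and names are hypothetical;
 * the real creds.img layout and CRIU's security checks differ in detail.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Credentials as a creds.img-style record would carry them (constructed). */
struct img_creds {
	uid_t uid, euid, suid, fsuid;
	gid_t gid, egid, sgid, fsgid;
	uint64_t cap_eff, cap_prm, cap_inh, cap_bnd;   /* capability bitmasks */
};

/* Identity of the user running the restore (hypothetical). */
struct restorer {
	uid_t uid;
	gid_t gid;
	uint64_t cap_prm;   /* permitted set of the restorer */
	uint64_t cap_bnd;   /* bounding set of the restorer */
};

enum creds_verdict {
	CREDS_OK = 0,
	CREDS_BAD_UID,
	CREDS_BAD_GID,
	CREDS_BAD_CAPS,
};

static bool caps_subset(uint64_t sub, uint64_t super)
{
	return (sub & ~super) == 0;
}

/*
 * Decide whether the credentials found in an image may be restored by the
 * given restorer.  Every UID/GID slot is checked: an image edited on disk
 * could leave the real uid alone and smuggle root into the saved uid.
 */
enum creds_verdict check_creds_restorable(const struct img_creds *img,
					  const struct restorer *me)
{
	/* A fully capable root restorer keeps today's behaviour. */
	if (me->uid == 0 && me->cap_prm == ~0ULL)
		return CREDS_OK;

	if (img->uid != me->uid || img->euid != me->uid ||
	    img->suid != me->uid || img->fsuid != me->uid)
		return CREDS_BAD_UID;

	if (img->gid != me->gid || img->egid != me->gid ||
	    img->sgid != me->gid || img->fsgid != me->gid)
		return CREDS_BAD_GID;

	/* Effective/permitted/inheritable must fit in the restorer's permitted
	 * set; the bounding set may not grow beyond the restorer's either. */
	if (!caps_subset(img->cap_eff | img->cap_prm | img->cap_inh, me->cap_prm) ||
	    !caps_subset(img->cap_bnd, me->cap_bnd))
		return CREDS_BAD_CAPS;

	return CREDS_OK;
}

/* Build a record with the same value in every UID/GID slot (helper). */
struct img_creds make_creds(uid_t uid, gid_t gid, uint64_t caps, uint64_t bnd)
{
	struct img_creds c = {
		.uid = uid, .euid = uid, .suid = uid, .fsuid = uid,
		.gid = gid, .egid = gid, .sgid = gid, .fsgid = gid,
		.cap_eff = caps, .cap_prm = caps, .cap_inh = 0, .cap_bnd = bnd,
	};
	return c;
}

int main(void)
{
	/* Constructed: an unprivileged user with an ordinary (full) bounding set. */
	struct restorer alice = { .uid = 1000, .gid = 1000, .cap_prm = 0, .cap_bnd = ~0ULL };
	struct img_creds own = make_creds(1000, 1000, 0, ~0ULL);
	struct img_creds tampered = make_creds(1000, 1000, 0, ~0ULL);

	tampered.suid = 0;   /* constructed: saved uid edited to root on disk */

	printf("own image: %d\n", check_creds_restorable(&own, &alice));       /* 0 */
	printf("tampered:  %d\n", check_creds_restorable(&tampered, &alice));  /* 1 */
	return 0;
}
```

The verdict ordering is deliberate: UIDs are rejected before GIDs and capabilities so that a single field edit is reported as exactly the thing that was changed, which makes a refused restore easy to explain in logs.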