[CRIU] Cannot restore from regular user when RPC service running as root
Pavel Emelyanov
xemul at parallels.com
Mon Jan 19 02:02:01 PST 2015
On 01/16/2015 11:33 PM, Jason L. Turner wrote:
> Hi Ruslan,
>
> That's no problem, hopefully my answers can help.
>
> Yes that restore log is the original from when I ran my program.
>
> I built CRIU from source, it is not from a package.
>
> When running "which criu" it shows,
>
> "/opt/CRIU-v1-4/criu/deps/criu-x86_64/criu"
>
> When running "ls -la $(which criu)" it shows,
>
> "-rwxrwxr-x 1 jturner dev 904201 2015-01-18 09:09 /opt/CRIU-v1-4/criu/deps/criu-x86_64/criu"

I guess this is the reason for the failure.

The thing is that criu_restore_child() doesn't use the service, because in Linux it's
not possible to create a process with an _arbitrary_ parent, and if we ask the service to restore
from images it will restore the tree as _its_ child, not as the requester's one.

So criu_restore_child() fork()-s and exec()-s the CRIU binary and asks _it_ to restore the
tree with a special flag called CLONE_PARENT. The result of this action is the tree restored
as criu's sibling, i.e. the caller's kid.

So, since the criu binary is owned by non-root, it doesn't have the required capabilities.
To fix that, criu should be owned by root and the suid bit should be set.

I guess we've paid too little attention to our C-API recently :) Time to improve. Ruslan,
may I ask you to fix the documentation (and when required the code) according to what we
find with Jason's help?

> I am sure that the service was started with the correct criu as the "which criu" command returns
> the same when run from the root user as well as my linking as it links to the lib directory in the
> path shown above.
>
> Jason
Thanks,
Pavel
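
A pre-flight check for the condition described in the message above, as an added example that is not part of the original post and not CRIU code: it inspects the binary that would be exec()-ed and reports whether an unprivileged caller would end up with root. The function and enum names are hypothetical, and the nosuid mount check is an extra failure mode beyond what the message covers (the suid bit is ignored on such a filesystem).

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <unistd.h>

enum criu_bin_status {              /* hypothetical names, not CRIU's API */
    CRIU_BIN_OK = 0,                /* exec'd criu will run with euid 0 */
    CRIU_BIN_MISSING,               /* stat failed or not a regular file */
    CRIU_BIN_NOT_ROOT,              /* owner is not uid 0 */
    CRIU_BIN_NO_SUID,               /* root-owned, but S_ISUID is not set */
    CRIU_BIN_NOSUID_MOUNT           /* filesystem mounted nosuid */
};

/* Pure decision logic, kept separate so it can be tested without root. */
enum criu_bin_status criu_bin_classify(uid_t caller_euid, uid_t owner,
                                       mode_t mode, int nosuid_mount)
{
    if (!S_ISREG(mode))
        return CRIU_BIN_MISSING;
    if (caller_euid == 0)
        return CRIU_BIN_OK;         /* a root caller's child is already root */
    if (owner != 0)
        return CRIU_BIN_NOT_ROOT;   /* suid would switch to a non-root uid */
    if (!(mode & S_ISUID))
        return CRIU_BIN_NO_SUID;
    return nosuid_mount ? CRIU_BIN_NOSUID_MOUNT : CRIU_BIN_OK;
}

/* Gathers the facts for `path` and classifies them for the current user. */
enum criu_bin_status criu_bin_check(const char *path)
{
    struct stat st;
    struct statvfs vfs;

    if (stat(path, &st) != 0 || statvfs(path, &vfs) != 0)
        return CRIU_BIN_MISSING;
    return criu_bin_classify(geteuid(), st.st_uid, st.st_mode,
                             (vfs.f_flag & ST_NOSUID) != 0);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/criu\n", argv[0]);
        return 2;
    }
    return criu_bin_check(argv[1]);  /* exit status 0 means OK */
}
```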