[CRIU] Security issues
Matthias Neuer
matthias.neuer at uni-ulm.de
Wed Dec 14 00:17:31 PST 2016
Hi,
I want to use criu to checkpoint and restart user processes.
Unfortunately starting the criu daemon as a user process does not work
because the restore fails as the user lacks the permission to restart
the process with the old pid. I'm not sure if this problem can be solved
easily.
So I need to start the criu daemon with root permissions. In my opinion
this produces at least two security risks:
1. A user can dump a root process. I tested this with version 2.3 and
2.9 and it seems to work although on https://criu.org/Security it says
that it should not work.
2. The fact that you know the filename and the location of the dump file
the criu daemon writes can be used for a symlink attack.
Can I start the criu service with some options to solve these problems?
Thanks
--
Matthias Neuer
Universität Ulm
kiz / Abteilung Infrastruktur
More information about the CRIU
mailing list