[CRIU] CRIU needs root privileges?
Adrian Reber
adrian at lisas.de
Wed Oct 30 01:00:31 MSK 2019
On Tue, Oct 29, 2019 at 03:42:27PM -0400, Eliot Moss wrote:
> On 10/29/2019 12:19 PM, Adrian Reber wrote:
> > On Mon, Oct 28, 2019 at 10:38:42PM -0400, Eliot Moss wrote:
> > >
> > > If you go back through recent posts, you'll see that as part of one question,
> > > I also asked about whether CRIU should need to be run as root. In my tests,
> > > it could not take a checkpoint if I did not use sudo.
> > >
> > > Should that be the case? Or is it something about my jobs?
> >
> > As far as I remember there has been an effort to run CRIU as non-root,
> > but currently you need to run CRIU as root. There are definitely still
> > some things missing in the kernel to have CRIU run as non-root.
> >
> > > Also, are there risks to setting up CRIU as setuid-to-root?
> >
> > There are always risks running anything as setuid ;)
>
> Thank you, Adrian!
>
> Yes, there are always risks - I should perhaps rephrase. Is it
> considered appropriate by the developer / user community of CRIU
> that it should (currently) be setup as setuid root, or should we
> insure that programs/users invoking CRIU have sudo privileges?
Both approaches are dangerous. If you allow any user to run CRIU as root
you basically giving root to everyone on that system. Depends on your
system and use case, but it sounds problematic.
Adrian
More information about the CRIU
mailing list