max connections per control group (cgroup)
Lennart Poettering
mzqohf at 0pointer.de
Wed Aug 13 10:11:54 PDT 2014
On Wed, 06.08.14 11:55, Colin Walters (walters at verbum.org) wrote:
>
> On Wed, Aug 6, 2014, at 10:16 AM, Alban Crequy wrote:
>
> > With the development of cgroups and systemd, system services and session
> > services start in different cgroups. However, cgroups are not a security
> > boundary: a process can freely be moved from a cgroup to another cgroup
> > by an
> > unprivileged user if the user moving the process is the same as the
> > destination
> > cgroup.
>
> I think we should be looking at scopes or services, not the topmost
> cgroup. Even if an unprivileged uid was able to migrate within their
> login session, they shouldn't be able to escape their login scope.
I can agree with this. It's the "unit" that should be watched, as that's
the only trustable boundary really, since it's only controlled by
root. You can even query it easily via libsystemd's sd_pid_get_unit()...
Lennart
--
Lennart Poettering, Red Hat
More information about the dbus
mailing list