[systemd-devel] Regression in v40? User session inside a unit.

Lennart Poettering lennart at poettering.net
Wed Mar 14 10:10:27 PDT 2012


On Mon, 12.03.12 14:28, Colin Guthrie (gmane at colin.guthr.ie) wrote:

> > It is a security feature. However, what is key here is that leaving a
> > control group is a privileged operation. That's how things work on Unix:
> > if you are root you can do whatever you want. You have the right to
> > ptrace anything, you can dump the whole system memory, you have the full
> > power over everything. On Unix, there is no further access control
> > enforced if you managed to become root, and that does make a lot of
> > sense that way (well, with capabilities you can make root privs more
> > fine-grained, but that's beside the point, because to be true root you
> > have all caps).
> 
> Ahh I see, so the only reason my test case could "escape" the cgroup is
> because it was obviously root at the time it made a run for it.

Yes.

> Now that it's properly got the User=apache declaration in the unit,
> issuing further su commands will not result in any escape.

Well, su is suid root, so it will execute pam_systemd as root and hence
allow the "escape". (But that said I wouldn't call this "escape"
anyway. It's more of a "regrouping" done by systemd following defined
rules.)

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
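
An added example, not part of the original message and not systemd code: one way to check from `/proc/<pid>/cgroup` whether a process is still inside a unit's cgroup or has been regrouped into a session, as the thread describes happening when `su` runs pam_systemd as root. The unit name `httpd.service` and all three sample inputs are constructed for illustration.

```python
from typing import Optional

def systemd_cgroup(proc_cgroup_text: str) -> Optional[str]:
    """Return the cgroup path systemd tracks, from /proc/<pid>/cgroup text.

    Each line is "hierarchy-ID:controller-list:path". systemd tracks units in
    the named hierarchy "name=systemd" on cgroup v1 and in the unified
    hierarchy (ID 0, empty controller list) on cgroup v2.
    """
    unified = None
    for line in proc_cgroup_text.splitlines():
        parts = line.strip().split(":", 2)  # the path itself may contain ':'
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        hier_id, controllers, path = parts
        if "name=systemd" in controllers.split(","):
            return path  # v1 / hybrid: the named hierarchy wins
        if hier_id == "0" and controllers == "":
            unified = path
    return unified

def in_unit(proc_cgroup_text: str, unit: str) -> bool:
    """True if the process's systemd cgroup path has `unit` as a component."""
    path = systemd_cgroup(proc_cgroup_text)
    if path is None:
        return False
    return unit in path.strip("/").split("/")

# Constructed samples (not captured from a real system).
STILL_IN_UNIT = "0::/system.slice/httpd.service\n"
REGROUPED = "0::/user.slice/user-48.slice/session-c1.scope\n"
V1_NAMED = "4:cpu,cpuacct:/\n1:name=systemd:/system/httpd.service\n"

if __name__ == "__main__":
    for label, text in [("still in unit", STILL_IN_UNIT),
                        ("regrouped", REGROUPED),
                        ("v1 named hierarchy", V1_NAMED)]:
        print(f"{label}: path={systemd_cgroup(text)!r} "
              f"in httpd.service={in_unit(text, 'httpd.service')}")
```

To check a live process, pass the contents of `/proc/<pid>/cgroup` as the first argument.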

