[systemd-devel] User sessions: limit the ability to migrate cgroups

Lennart Poettering lennart at poettering.net
Wed Aug 13 07:37:17 PDT 2014

On Thu, 07.08.14 15:19, Alban Crequy (alban.crequy at collabora.co.uk) wrote:

> Hi,
> Should unprivileged processes be allowed to change cgroup?

Well, they shouldn#t do it. But I think it's OK as long as this is only
done within the specific user's hierarchies.

> As I understand it, it is not possible to block processes to
> leave a cgroup, but only to block processes to enter a cgroup.


> In the following example, session-c4.scope/tasks belongs to root:root
> with -rw-r--r-- and user at 1000.service/tasks belongs to user:user with
> -rw-r--r--.

Yes, this is because systemd --user needs to be able to manage its own
cgroup subtree, so we have to open this up for the user at 1000.service
service, but keep it restricted otherwise...

> So processes can freely move from session-c4.scope to
> user at 1000.service. But not in the other direction.

> $ systemd-cgls
> Working Directory /sys/fs/cgroup/systemd/user.slice/user-1000.slice:
> ├─session-c4.scope
> │ ├─713 sshd: user [priv]  
> │ ├─722 sshd: user at pts/2   
> │ ├─723 -bash
> │ ├─732 systemd-cgls
> │ └─733 pager
> ├─user at 1000.service
> │ ├─406 /lib/systemd/systemd --user
> With user sessions managed by systemd, will it be possible to restrict
> unprivileged users from migrating to other cgroups?

Unlikely. Access control on Unix is generally bound to user IDs, not
processes, and we really shouldn't start here with departing from that...


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list