From: Oren Laadan <orenl@cs.columbia.edu>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>,
lkml <linux-kernel@vger.kernel.org>,
Linux Containers <containers@lists.osdl.org>
Subject: Re: C/R review
Date: Wed, 18 Mar 2009 05:44:19 -0400 [thread overview]
Message-ID: <49C0C273.4070408@cs.columbia.edu> (raw)
In-Reply-To: <20090318004742.GA14308@us.ibm.com>
Serge E. Hallyn wrote:
> Quoting Alexey Dobriyan (adobriyan@gmail.com):
>>> +Keeping the restart procedure to operate within the limits of the
>>> +caller's credentials means that there various scenarios that cannot
>>> +be supported. For instance, a setuid program that opened a protected
>>> +log file and then dropped privileges will fail the restart, because
>>> +the user won't have enough credentials to reopen the file.
>> That's a bug.
>
> What is described is not a bug, but I think the way it is done is in
> fact a bug.
>
> Note that just because you *can* do the restart without privilege
> doesn't mean that you have to. If you do a restart with privilege,
> then you should be able to open that file, then drop down to the
> original task's uid.
>
> But to say that letting an unprivileged user do restart, and that
> it will only succeed if it can access the resources its allowed to
> access, is bogus.
>
> But I do think the way it's implemented will become buggy and needs to
> be fixed. That is, we do cr_read_task_struct() before we do
> cr_read_files(). So in fact if I'm root doing restart of such a
> checkpoint image, I'll first drop down to uid 500, then open the files.
>
> That would obviously be a bug.
>
> Now, we don't actually restore uids yet in the current code, so
> it's still a theoretical bug :)
Good point. And that's why uid's will be restored at the end :)
(when we get there ...)
Oren.
next prev parent reply other threads:[~2009-03-18 9:44 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-17 21:01 C/R review Alexey Dobriyan
2009-03-18 0:47 ` Serge E. Hallyn
2009-03-18 9:44 ` Oren Laadan [this message]
2009-03-18 10:19 ` Oren Laadan
2009-03-18 16:00 ` Dave Hansen
[not found] ` <49C0CAB9.3080500-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2009-03-18 16:00 ` Dave Hansen
2009-03-18 17:53 ` Dave Hansen
[not found] ` <20090317210110.GA3897-2ev+ksY9ol182hYKe6nXyg@public.gmane.org>
2009-03-18 10:19 ` Oren Laadan
2009-03-18 17:53 ` Dave Hansen
-- strict thread matches above, loose matches on Subject: below --
2009-03-17 21:01 Alexey Dobriyan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49C0C273.4070408@cs.columbia.edu \
--to=orenl@cs.columbia.edu \
--cc=adobriyan@gmail.com \
--cc=containers@lists.osdl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.