From mboxrd@z Thu Jan 1 00:00:00 1970
From: John Marshall
Subject: Re: permissions bug? (my error)
Date: Fri, 27 Jul 2012 17:22:36 +0000
Message-ID: <5012CE5C.40802@ec.gc.ca>
References: <5012C970.6050607@ec.gc.ca>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <5012C970.6050607-5jPdWwX6g8k@public.gmane.org>
Sender: cgroups-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
List-ID:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org

Hi,

Sorry for the report. The error was on my part. I did more tests, some not
on a cgroups fs and saw the same results. I forgot about the supplemental
groups list which contained 0 as one of its members, thus making the
operation allowed.

John

On 07/27/2012 05:01 PM, John Marshall wrote:
> Hi,
>
> I think there is a permissions bug with cgroups.
>
> In the example below, I am able to create a cgroup directory under /cgroups/jobs
> as a non-root user (starting out as root and then calling setgid and setuid, both of
> which are effective) without sufficient permissions. Then, if I change the group
> write permission to off, I am denied.
>
> Note: when I try mkdir in a regular login shell as myself, the permissions seem to
> work correctly as I am denied, whether or not the group write bit is set.
>
> This happens on 2.6.32 (ubuntu 10.04) and 3.2.0 (ubuntu 12.04).
>
> Thanks,
> John
>
> root@mel-fe01:/cgroups# ls -ld /cgroups/jobs
> drwxrwxr-x 2 root root 0 Jul 27 15:20 /cgroups/jobs
> root@mel-fe01:/cgroups# python
> Python 2.6.5 (r265:79063, Apr 16 2010, 13:57:41)
> [GCC 4.4.3] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import os
> >>> os.setgid(108)
> >>> os.setuid(859)
> >>> os.mkdir("/cgroups/jobs/1")
> >>> os.rmdir("/cgroups/jobs/1")
> >>>
> [1]+ Stopped python
> root@mel-fe01:/cgroups# chmod g-w /cgroups/jobs
> root@mel-fe01:/cgroups# fg
> python
>
>
> >>> os.mkdir("/cgroups/jobs/1")
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
> OSError: [Errno 13] Permission denied: '/cgroups/jobs/1'
> >>>
> root@mel-fe01:/cgroups# uname -a
> Linux mel-fe01 2.6.32-38-server #83-Ubuntu SMP Wed Jan 4 11:26:59 UTC 2012 x86_64 GNU/Linux
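
The behaviour explained in the follow-up above, as an added example that is not part of the original message: a simplified model of the directory permission check (it ignores capabilities, ACLs and LSMs) showing why a leftover supplementary group 0 permits the mkdir, plus a privilege drop that clears supplementary groups first. The function names are hypothetical; the uid, gid and directory mode are the ones from the quoted session.

```python
import os


def may_create_in(dir_mode, dir_uid, dir_gid, euid, egid, supp_groups):
    """Simplified model of the DAC check mkdir() applies to the parent directory.

    Exactly one permission class is consulted: owner, else group (primary
    OR any supplementary group), else other. Capabilities, ACLs and LSMs
    are deliberately left out of this model.
    """
    if euid == dir_uid:
        bits = (dir_mode >> 6) & 0o7
    elif egid == dir_gid or dir_gid in supp_groups:
        bits = (dir_mode >> 3) & 0o7
    else:
        bits = dir_mode & 0o7
    need = 0o3  # write + search (execute) on the directory
    return bits & need == need


def drop_privileges(uid, gid):
    """Drop from root to uid/gid without inheriting root's supplementary groups."""
    os.setgroups([])  # must run while still root; setgid/setuid do not touch this list
    os.setgid(gid)
    os.setuid(uid)    # last: once the uid changes, the two calls above would fail
    # Verify the result instead of assuming it.
    if os.getuid() != uid or os.getgid() != gid:
        raise RuntimeError("uid/gid not changed")
    if any(g != gid for g in os.getgroups()):
        raise RuntimeError("supplementary groups still present")


if __name__ == "__main__":
    # Values from the quoted session: /cgroups/jobs is root:root, uid 859, gid 108.
    # Supplementary list [0] is what remains when only setgid/setuid are called.
    print("0775, groups=[0]:", may_create_in(0o775, 0, 0, 859, 108, [0]))
    print("0755, groups=[0]:", may_create_in(0o755, 0, 0, 859, 108, [0]))
    print("0775, groups=[] :", may_create_in(0o775, 0, 0, 859, 108, []))
```

Calling `os.getgroups()` right after `os.setuid()` in the original session would have shown the remaining group 0 directly.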