From mboxrd@z Thu Jan 1 00:00:00 1970
From: Gao feng
Subject: Re: Interaction user namespace, /proc/1 ownership & cap_set
Date: Tue, 02 Jul 2013 13:14:59 +0800
Message-ID: <51D261D3.3030002@cn.fujitsu.com>
References: <20130701161625.GQ15954@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <20130701161625.GQ15954-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
To: "Daniel P. Berrange"
Cc: Richard Weinberger, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, Serge Hallyn, "Eric W. Biederman"
List-Id: containers.vger.kernel.org

On 07/02/2013 12:16 AM, Daniel P. Berrange wrote:
> I'm struggling debugging a strange problem with interaction between user
> namespaces, cap_set and ownership of files in /proc/1/
>

This problem occurs after we call setuid/gid. For example, a task whose pid is 1234 calls

setregid(10,10);
setreuid(10,10);

The uid/gid of /proc/1234 is 10:0

ll /proc/1234 -d
dr-xr-xr-x 8 uucp wheel 0 Jul  2 10:57 /proc/1234

The uid/gid of the files under /proc/1234 are of two kinds...

ll /proc/1234
dr-xr-xr-x 2 uucp wheel 0 Jul  2 10:58 attr
-rw-r--r-- 1 root root  0 Jul  2 10:58 autogroup
...
dr-xr-xr-x 5 uucp wheel 0 Jul  2 10:58 net
dr-x--x--x 2 root root  0 Jul  2 10:58 ns
...
dr-xr-xr-x 3 uucp wheel 0 Jul  2 10:58 task

I checked pid_revalidate and found that the owner of the files under /proc/<pid> will be set to GLOBAL_ROOT_UID if the task executed setuid/setgid (task_dumpable is false).

Is this what we expected? Why?

For a user namespace, the owner of /proc/1/* is incorrect, and after a task calls setuid/gid in a user namespace, the owner of /proc/<pid>/* is incorrect too.