Hi,
Sorry for the report. The error was on my part.
I did more tests, some not on a cgroups fs and saw the same
results. I forgot about the supplemental groups list which
contained 0 as one of its members, thus making the operation
allowed.
John
On 07/27/2012 05:01 PM, John Marshall wrote:
Hi,
I think there is a permissions bug with cgroups.
In the example below, I am able to create a cgroup directory under /cgroups/jobs
as a non-root user (starting out as root and then calling setgid and setuid, both of
which are effective) without sufficient permissions. Then, if I change the group
write permission to off, I am denied.
Note: when I try mkdir in a regular login shell as myself, the permissions seem to
work correctly as I am denied, whether or not the group write bit is set.
This happens on 2.6.32 (ubuntu 10.04) and 3.2.0 (ubuntu 12.04).
Thanks,
John
root@mel-fe01:/cgroups# ls -ld /cgroups/jobs
drwxrwxr-x 2 root root 0 Jul 27 15:20 /cgroups/jobs
root@mel-fe01:/cgroups# python
Python 2.6.5 (r265:79063, Apr 16 2010, 13:57:41)
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setgid(108)
>>> os.setuid(859)
>>> os.mkdir("/cgroups/jobs/1")
>>> os.rmdir("/cgroups/jobs/1")
[1]+ Stopped python
root@mel-fe01:/cgroups# chmod g-w /cgroups/jobs
root@mel-fe01:/cgroups# fg
python
>>> os.mkdir("/cgroups/jobs/1")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 13] Permission denied: '/cgroups/jobs/1'
root@mel-fe01:/cgroups# uname -a
Linux mel-fe01 2.6.32-38-server #83-Ubuntu SMP Wed Jan 4 11:26:59 UTC 2012 x86_64 GNU/Linux
--
To unsubscribe from this list: send the line "unsubscribe cgroups" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
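The supplementary-group effect described in the follow-up, as an added example that is not part of the original messages: a simplified model of the owner/group/other check on the directory, replayed with the uid, gid and mode from the session, plus a privilege drop that clears the supplementary list first. The function names are hypothetical, and the model assumes a process without CAP_DAC_OVERRIDE and ignores ACLs and LSMs.

```python
import os

def may_create_in(dir_mode, dir_uid, dir_gid, euid, egid, groups):
    """Simplified model (assumption: no capabilities, ACLs or LSMs) of the
    permission check for creating an entry in a directory: the caller needs
    write and search permission from exactly one of owner/group/other."""
    if euid == dir_uid:
        bits = (dir_mode >> 6) & 7
    elif egid == dir_gid or dir_gid in groups:
        # Supplementary groups count here, not only the effective gid.
        bits = (dir_mode >> 3) & 7
    else:
        bits = dir_mode & 7
    return (bits & 3) == 3  # write (2) and search (1)

def drop_privileges(uid, gid, groups=()):
    """Drop from root to uid/gid. setgroups() and setgid() need privilege,
    so they must run before setuid(). Not called in this example (needs root)."""
    os.setgroups(list(groups))   # replaces the supplementary list inherited from root
    os.setgid(gid)
    os.setuid(uid)
    if (os.getuid(), os.geteuid()) != (uid, uid):
        raise RuntimeError("uid was not dropped")
    if (os.getgid(), os.getegid()) != (gid, gid):
        raise RuntimeError("gid was not dropped")
    leftover = set(os.getgroups()) - set(groups) - {gid}
    if leftover:
        raise RuntimeError("unexpected supplementary groups: %r" % sorted(leftover))

def replay():
    """Replay the session: /cgroups/jobs is root:root, uid 859, gid 108.
    The supplementary list [0] is constructed to match the follow-up."""
    return {
        "0775, groups=[0]": may_create_in(0o775, 0, 0, 859, 108, [0]),
        "0755, groups=[0]": may_create_in(0o755, 0, 0, 859, 108, [0]),
        "0775, groups=[]": may_create_in(0o775, 0, 0, 859, 108, []),
    }

if __name__ == "__main__":
    for case, allowed in replay().items():
        print(case, "->", "allowed" if allowed else "denied")
```
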