Hi Helge, On 12/4/22 10:07, Helge Kreutzmann wrote:
Without further ado, the following was found: Issue: user ID → UID
IMO, (and I believe Branden will agree), user ID is more informative than UID. If any change, I'd apply some consistency in the other direction (don't know how much inconsistent the pages are regarding that): UID -> user ID.
So, WONTFIX. Thanks for the reports! Cheers, Alex
"We have a cgroup directory, I</cg/1>, that is owned by user ID 9000." > "We have a process, I<X>, also owned by user ID 9000, that is namespaced" "under the cgroup I</cg/1/2> (i.e., I<X> was placed in a new cgroup namespace" "via B<clone>(2) or B<unshare>(2) with the B<CLONE_NEWCGROUP> flag)." "In the absence of cgroup namespacing, because the cgroup directory I</cg/1>" "is owned (and writable) by UID 9000 and process I<X> is also owned by user" "ID 9000, process I<X> would be able to modify the contents of cgroups files" "(i.e., change cgroup settings) not only in I</cg/1/2> but also in the" "ancestor cgroup directory I</cg/1>. Namespacing process I<X> under the" "cgroup directory I</cg/1/2>, in combination with suitable mount operations" "for the cgroup filesystem (as shown above), prevents it modifying files in" "I</cg/1>, since it cannot even see the contents of that directory (or of" "further removed cgroup ancestor directories). Combined with correct" "enforcement of hierarchical limits, this prevents process I<X> from escaping" "the limits imposed by ancestor cgroups." "In the absence of cgroup namespacing, because the cgroup directory I</cg/1>" "is owned (and writable) by UID 9000 and process I<X> is also owned by user" "ID 9000, then process I<X> would be able to modify the contents of cgroups" "files (i.e., change cgroup settings) not only in I</cg/1/2> but also in the" "ancestor cgroup directory I</cg/1>. Namespacing process I<X> under the" "cgroup directory I</cg/1/2>, in combination with suitable mount operations" "for the cgroup filesystem (as shown above), prevents it modifying files in" "I</cg/1>, since it cannot even see the contents of that directory (or of" "further removed cgroup ancestor directories). Combined with correct" "enforcement of hierarchical limits, this prevents process I<X> from escaping" "the limits imposed by ancestor cgroups."
-- <http://www.alejandro-colomar.es/>
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
