Hello Wadih. On Sat, Jan 01, 2022 at 04:41:12PM -0500, Wadih <wadih@xxxxxxxxxxxxxx> wrote: > Is there a way to automatically classify child processes of a process > in a different cgroup than the spawning process with systemd based on > the children's new UID? I know apache2-mpm-itk calls setuid() on its > children, so we would have to somehow hook on that. You can summon the whole PAM machinery and include pam_systemd in the stack which would create a new session scope for the user. (Or do it yourself from the process via DBus call org.freedesktop.systemd1.Manager.StartTransientUnit() that gives you more freedom for that). (Note that to keep the service lifecycle tracking under the name of apache2.service, the forked children should not reparent under PID 1 so that service parent can properly track them.) > I'd like to have the child processes that apache2-mpm-itk spawns go > under their respective user, e.g. > [...] > system.slice/apache2.service/vhosts/%UID% That's an alternative of maintaining the (relative) (sub)hierachy yourself (and it doesn't require special treating wrt apache2.service lifecycle). Note that for this cgroup tree you'd need to specify apache2.service Delegate= directive though. > I've been able to do this with cgrulesengd and cgconfigparser for 3 > years, it's been rock solid. I'm glad it work(s|ed) for you. The asynchronous classification via cgrulesengd is racy and may not be always reliable (wrt resource control). It's much better to do fork-classify-exec or fork(CLONE_INTO_CGROUP)-exec synchronously in the migrated task. > Would the only solution for me to create a daemon which monitors for > setuid() calls of the parent apache process, and classify the children > as per the new setuid user? I'd discourage you of going the path of cgrulesengd again. (And cgroupify too :-p) > Or perhaps, I think root parent processes spawning specific UID > children is a common security practise, perhaps there should be > something in systemd out of the box for classifying the children under > their respective cgroups? Yes, on the low level it's the StartTransientUnit() DBus call or its specialized extensions for logind or machinectl. > If my only solution is to create a daemon which monitors for setuid() > I'll do it, although I've never done it before, not sure where I'd have > to start. Any guidance would be great! More viable way seems to me to modify the apache2-mpm-itk to put children into respective cgroups. HTH, Michal
Re: Automatically moving forked processes in a different cgroup based on children's UID
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Automatically moving forked processes in a different cgroup based on children's UID
- From: Michal Koutný <mkoutny@xxxxxxxx>
- Date: Fri, 7 Jan 2022 15:11:40 +0100
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <f1550c7196ea42b6565dd739f9959f92ad7bb24e.camel@systemesmw.com>
- References: <f1550c7196ea42b6565dd739f9959f92ad7bb24e.camel@systemesmw.com>
- User-agent: Mutt/1.10.1 (2018-07-13)
- Follow-Ups:
- Re: Automatically moving forked processes in a different cgroup based on children's UID
- From: Mantas Mikulėnas
- Re: Automatically moving forked processes in a different cgroup based on children's UID
- References:
- Prev by Date: Re: eth2: Failed to rename network interface 6 from 'eth2' to 'eno1': File exists
- Next by Date: How to check watchdog status?
- Previous by thread: Re: Automatically moving forked processes in a different cgroup based on children's UID
- Next by thread: Re: Automatically moving forked processes in a different cgroup based on children's UID
- Index(es):
 |