GRKERNSEC_CHROOT_NICE and su
Posted: Tue Jan 23, 2007 6:26 pm
Activating "nice protection" causes nice'd su calls to fail, as it is apparently assumed that the called process was located outside the chroot environment (at least the description for the GRKERNSEC_CHROOT_NICE option makes me believe so). I've been scratching my head for a while now as to why that is so.
Example:
Code:
nice su nobody -c "/bin/true"
Code:
setpriority(PRIO_PROCESS, 0, 0) = -1 EACCES (Permission denied)
Code:
su nobody -c "nice /bin/true"
I always assumed that the root of the file system would be inherited by any subprocesses no matter what (and regardless of setuid / setgid calls). I stumbled across this one while trying to find out why the updatedb script failed when being spawned by a changerooted cron daemon. Admittedly, it's trivial to work around, but could anybody give me a small push in the right direction as to why the behaviour occurs (maybe PAM related?)?