GRKERNSEC_CHROOT_NICE and su


Post by aldee » Tue Jan 23, 2007 6:26 pm

Activating "nice protection" causes nice'd su calls to fail, as it is apparently assumed that the called process was located outside the chroot environment (at least the description for the GRKERNSEC_CHROOT_NICE option makes me believe so). I've been scratching my head for a while now as to why that is so.

Example:

    nice su nobody -c "/bin/true"

being called from a chrooted process will raise an

    setpriority(PRIO_PROCESS, 0, 0)         = -1 EACCES (Permission denied)

error while

    su nobody -c "nice /bin/true"

works as expected.

I always assumed that the root of the file system would be inherited by any subprocesses no matter what (and regardless of setuid / setgid calls). I stumbled across this one while trying to find out why the updatedb script failed when being spawned by a changerooted cron daemon. Admittedly, it's trivial to work around, but could anybody give me a small push in the right direction as to why the behaviour occurs (maybe PAM-related?)?
aldee
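
The call sequence from the strace output above, as an added example that is not part of the original post: the program raises its own nice value the way nice(1) does by default (+10), then issues the same setpriority(PRIO_PROCESS, 0, 0) call and reports the result. The names `nice_probe`, `current_nice` and `probe_nice_reset` are made up for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

struct nice_probe {
    int before;      /* nice value at start */
    int lowered;     /* nice value after emulating nice(1) */
    int reset_errno; /* 0 on success, else errno from the reset attempt */
};

/* getpriority() may legitimately return -1, so clear and check errno. */
static int current_nice(int *out)
{
    errno = 0;
    int v = getpriority(PRIO_PROCESS, 0);
    if (v == -1 && errno != 0)
        return -1;
    *out = v;
    return 0;
}

/* Returns 0 if the probe ran; the outcome of the reset is in *p. */
int probe_nice_reset(struct nice_probe *p)
{
    if (current_nice(&p->before) != 0)
        return -1;
    /* Default increment of nice(1); the kernel clamps the value to 19. */
    if (setpriority(PRIO_PROCESS, 0, p->before + 10) != 0)
        return -1;
    if (current_nice(&p->lowered) != 0)
        return -1;
    /* The call seen in the strace output: go back to nice value 0. */
    p->reset_errno = (setpriority(PRIO_PROCESS, 0, 0) == 0) ? 0 : errno;
    return 0;
}

int main(void)
{
    struct nice_probe p;
    if (probe_nice_reset(&p) != 0) {
        perror("probe");
        return 2;
    }
    printf("nice before=%d, after nice=%d\n", p.before, p.lowered);
    printf("setpriority(PRIO_PROCESS, 0, 0): %s\n",
           p.reset_errno ? strerror(p.reset_errno) : "ok");
    return p.reset_errno ? 1 : 0;
}
```

Run it as root, once outside and once inside the chroot, and compare the second line of output. An unprivileged process normally gets EACCES for this call on any Linux kernel, so a non-root run does not tell the two cases apart.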
 