Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Process existence or/and permission
Top Forums Shell Programming and Scripting Process existence or/and permission Post 302999927 by bakunin on Friday 30th of June 2017 05:24:58 AM
Old 06-30-2017
To me this looks like the result of /proc having rather weird permissions. What does

Code:
ls -ld /proc

show? Because if it is flagged "0" (oct) for "others" you can't even see directory entries in there except for the ones you are directly permitted to (by their own permissions).

I just checked with a system running kernel "3.0.101-97-default" (according to uname, some old SLES, i believe) and the output was

Code:
# ls -ld /proc
dr-xr-xr-x 182 root root 0 Jun 27 20:03 /proc

So users are able to see the directory entries in there, even if they are not permitted to access them.

I hope this helps.

bakunin
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Loop for file existence

I wasn't sure if I should post it here of in the Shell Script category, but I figured it was definitely a newbie question. I'm trying to write a script that will check for the existence of a specific file (or for any files within the directory) and then take specific actions. I've removed all... (2 Replies)
Discussion started by: bd_joy
2 Replies

2. Shell Programming and Scripting

File existence

Hey all, I have total new with shell scripting so I don't know if what I need to do even possible, here it is...for a duration of time (say...1 hour) I need to check for the existence of a particular file, if it exists then I will invoke a java program or I will continue to check until a)... (2 Replies)
Discussion started by: mpang_
2 Replies

3. UNIX for Dummies Questions & Answers

Permission on files restricted to a process

Hello, I have this process app.fcgi and a directory containing images. I'd like to ensure that only app.cgi can access those images and more generally that folder.Thanks! (1 Reply)
Discussion started by: JCR
1 Replies

4. Shell Programming and Scripting

File existence using ls

Hi I want to check a particular file is available or not. But i know only the pattern of that file sat AB1234*.txt.I need the latest file name and it ll be used in the script. How can i do this using ls -ltr command. Thanks, LathishSundar V (2 Replies)
Discussion started by: lathish
2 Replies

5. Shell Programming and Scripting

check existence of the path

Hi How can I check if the path exist or not? echo "Enter path:"; read my_path; ##I should check whether my_path exists or not.... (5 Replies)
Discussion started by: tjay83
5 Replies

6. Shell Programming and Scripting

Help to Monitor the existence of a file

Hi Folks, Please tell me the unix shell script command to check for the existence of some .done file in a location on the UNIX server. (1 Reply)
Discussion started by: dinesh1985
1 Replies

7. Shell Programming and Scripting

bash about url existence

Hi, I want to make a bash script which is running like : 1.sh http://www. google.com and check if the url does exist printing a message. I want to save the source code of this page in a file. Could you help me ? (4 Replies)
Discussion started by: peter20
4 Replies

8. Shell Programming and Scripting

File existence

Hi I'm using the below command in shell script to check for file exists in the path if ..... fi path and test are variables path and the file exists but the commands inside if condition is executed (! operator used) Is the above way of checking for file existence is correct? ... (4 Replies)
Discussion started by: vinoth_kumar
4 Replies

9. Shell Programming and Scripting

File existence

Hope someone can help me on this In a directory ,files are dynamically generated.I need a script to do the following if files are not received for more than 2 hours or if the received file is empty then do something How can I put that in a script.Thank you eg. in cd /dir_name the... (13 Replies)
Discussion started by: haadiya
13 Replies

10. UNIX for Advanced & Expert Users

Permission to kill a process

I'm on AIX. I have triggered an infinite loop process (to keep looking for input file availability for further process). At present only I can kill the process. In case my colleague wants to kill the process for any reason, how do I provide permission to others to kill the process? Currently... (3 Replies)
Discussion started by: krishmaths
3 Replies

LEARN ABOUT MOJAVE

cgroup_namespaces

CGROUP_NAMESPACES(7)					     Linux Programmer's Manual					      CGROUP_NAMESPACES(7)

NAME

       cgroup_namespaces - overview of Linux cgroup namespaces

DESCRIPTION

       For an overview of namespaces, see namespaces(7).

       Cgroup namespaces virtualize the view of a process's cgroups (see cgroups(7)) as seen via /proc/[pid]/cgroup and /proc/[pid]/mountinfo.

       Each  cgroup  namespace	has its own set of cgroup root directories.  These root directories are the base points for the relative locations
       displayed in the corresponding records in the /proc/[pid]/cgroup file.  When a process creates a new cgroup  namespace  using  clone(2)	or
       unshare(2)  with the CLONE_NEWCGROUP flag, it enters a new cgroup namespace in which its current cgroups directories become the cgroup root
       directories of the new namespace.  (This applies both for the cgroups version 1 hierarchies and the cgroups version 2 unified hierarchy.)

       When viewing /proc/[pid]/cgroup, the pathname shown in the third field of each record will be relative to the reading process's root direc-
       tory  for the corresponding cgroup hierarchy.  If the cgroup directory of the target process lies outside the root directory of the reading
       process's cgroup namespace, then the pathname will show ../ entries for each ancestor level in the cgroup hierarchy.

       The following shell session demonstrates the effect of creating a new cgroup namespace.	First, (as superuser) we create a child cgroup	in
       the freezer hierarchy, and put the shell into that cgroup:

	   # mkdir -p /sys/fs/cgroup/freezer/sub
	   # echo $$			  # Show PID of this shell
	   30655
	   # sh -c 'echo 30655 > /sys/fs/cgroup/freezer/sub/cgroup.procs'
	   # cat /proc/self/cgroup | grep freezer
	   7:freezer:/sub

       Next, we use unshare(1) to create a process running a new shell in new cgroup and mount namespaces:

	   # unshare -Cm bash

       We  then  inspect the /proc/[pid]/cgroup files of, respectively, the new shell process started by the unshare(1) command, a process that is
       in the original cgroup namespace (init, with PID 1), and a process in a sibling cgroup (sub2):

	   $ cat /proc/self/cgroup | grep freezer
	   7:freezer:/
	   $ cat /proc/1/cgroup | grep freezer
	   7:freezer:/..
	   $ cat /proc/20124/cgroup | grep freezer
	   7:freezer:/../sub2

       From the output of the first command, we see that the freezer cgroup membership of the new shell (which is in the same cgroup as  the  ini-
       tial  shell) is shown defined relative to the freezer cgroup root directory that was established when the new cgroup namespace was created.
       (In absolute terms, the new shell is in the /sub freezer cgroup, and the root directory of the freezer cgroup hierarchy in the  new  cgroup
       namespace is also /sub.	Thus, the new shell's cgroup membership is displayed as '/'.)

       However, when we look in /proc/self/mountinfo we see the following anomaly:

	   # cat /proc/self/mountinfo | grep freezer
	   155 145 0:32 /.. /sys/fs/cgroup/freezer ...

       The  fourth  field of this line (/..)  should show the directory in the cgroup filesystem which forms the root of this mount.  Since by the
       definition of cgroup namespaces, the process's current freezer cgroup directory became its root freezer cgroup directory, we should see '/'
       in this field.  The problem here is that we are seeing a mount entry for the cgroup filesystem corresponding to our initial shell process's
       cgroup namespace (whose cgroup filesystem is indeed rooted in the parent directory of sub).  We need to remount the freezer cgroup filesys-
       tem inside this cgroup namespace, after which we see the expected results:

	   # mount --make-rslave /     # Don't propagate mount events
				       # to other namespaces
	   # umount /sys/fs/cgroup/freezer
	   # mount -t cgroup -o freezer freezer /sys/fs/cgroup/freezer
	   # cat /proc/self/mountinfo | grep freezer
	   155 145 0:32 / /sys/fs/cgroup/freezer rw,relatime ...

       Use of cgroup namespaces requires a kernel that is configured with the CONFIG_CGROUPS option.

CONFORMING TO

       Namespaces are a Linux-specific feature.

NOTES

       Among the purposes served by the virtualization provided by cgroup namespaces are the following:

       * It  prevents  information leaks whereby cgroup directory paths outside of a container would otherwise be visible to processes in the con-
	 tainer.  Such leakages could, for example, reveal information about the container framework to containerized applications.

       * It eases tasks such as container migration.  The virtualization provided by cgroup namespaces	allows	containers  to	be  isolated  from
	 knowledge  of	the  pathnames	of  ancestor cgroups.  Without such isolation, the full cgroup pathnames (displayed in /proc/self/cgroups)
	 would need to be replicated on the target system when migrating a container; those pathnames would also need to be unique, so	that  they
	 don't conflict with other pathnames on the target system.

       * It allows better confinement of containerized processes, because it is possible to mount the container's cgroup filesystems such that the
	 container processes can't gain access to ancestor cgroup directories.	Consider, for example, the following scenario:

	   o We have a cgroup directory, /cg/1, that is owned by user ID 9000.

	   o We have a process, X, also owned by user ID 9000, that is namespaced under the cgroup /cg/1/2 (i.e., X was placed	in  a  new  cgroup
	     namespace via clone(2) or unshare(2) with the CLONE_NEWCGROUP flag).

	 In  the absence of cgroup namespacing, because the cgroup directory /cg/1 is owned (and writable) by UID 9000 and process X is also owned
	 by user ID 9000, then process X would be able to modify the contents of cgroups files (i.e., change cgroup settings) not only in  /cg/1/2
	 but  also in the ancestor cgroup directory /cg/1.  Namespacing process X under the cgroup directory /cg/1/2, in combination with suitable
	 mount operations for the cgroup filesystem (as shown above), prevents it modifying files in /cg/1, since it cannot even see the  contents
	 of  that  directory  (or of further removed cgroup ancestor directories).  Combined with correct enforcement of hierarchical limits, this
	 prevents process X from escaping the limits imposed by ancestor cgroups.

SEE ALSO

       unshare(1), clone(2), setns(2), unshare(2), proc(5), cgroups(7), credentials(7), namespaces(7), user_namespaces(7)

COLOPHON

       This page is part of release 4.15 of the Linux man-pages project.  A description of the project, information about reporting bugs, and  the
       latest version of this page, can be found at https://www.kernel.org/doc/man-pages/.

Linux								    2017-09-15						      CGROUP_NAMESPACES(7)
All times are GMT -4. The time now is 05:17 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy