Red Hat Bugzilla – Bug 78299
pthread functions do not honor capabilities
Last modified: 2016-11-24 09:59:43 EST
From Bugzilla Helper: User-Agent: Mozilla/5.0 Galeon/1.2.6 (X11; Linux i686; U;) Gecko/20020830 Description of problem: pthread_create() and pthread_setschedparam() do not honor capabilities to validate if the current user may raise the priority of the specified thread, returning EAGAIN. They only appear to work if the uid is root. The following snippet comes from the library's manager.c file: /* First check whether we have to change the policy and if yes, whether we can do this. Normally this should be done by examining the return value of the __sched_setscheduler call in pthread_start_thread but this is hard to implement. FIXME */ if (attr != NULL && attr->__schedpolicy != SCHED_OTHER && geteuid () != 0) return EPERM; This code should succeed if the user has CAP_SYS_NICE capability, but obviously it never gets that far. Note that we are using the pam_capability module, however there are other ways to assign permissions so this problem is not specific to that. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Assign a non-root user the CAP_SYS_NICE capability (using either the pam_capability.so module or via the cap_set_proc call). 2. Compile and run the following program and see that it does not succeed due to the explicit check for uid == 0: /* * Test pthread_create() with SCHED_FIFO. */ #include <pthread.h> #include <unistd.h> #include <stdio.h> #include <errno.h> void* thread_body(void* ptr) { printf("Thread %d here!\n", getpid()); return NULL; } pthread_attr_t attr; pthread_t thread_ptr; struct sched_param param; main() { int ret; param.sched_priority = 50; pthread_attr_init(&attr); pthread_attr_setschedpolicy(&attr, SCHED_FIFO); pthread_attr_setschedparam(&attr, ¶m); printf("main: before creating thread\n"); ret = pthread_create(&thread_ptr, &attr, thread_body, NULL); if (ret) { perror("test"); fprintf(stderr, "error: pthread_create returned %d\n", ret); exit(1); } printf("main: after creating thread\n"); } Actual Results: $ cat /proc/self/status | tail -3 CapInh: 00000000fffffeff CapPrm: 00000000fffffeff CapEff: 00000000fffffeff $ ./a.out main: before creating thread test: Interrupted system call error: pthread_create returned 1 $ Expected Results: $ cat /proc/self/status | tail -3 CapInh: 00000000fffffeff CapPrm: 00000000fffffeff CapEff: 00000000fffffeff $ ./a.out main: before creating thread Thread 9401 here! main: after creating thread $ Additional info:
The code as it is works just fine for RHL since we don't support capabilities. So this is no problem here, or at least it would be an enhancement request. Having said that it should be made known that LinuxThreads has reached the end of the line. No more features will ever be added. Going forward only nptl is supported nptl current for various reasons does not provide support for priorities etc. If and when it gets added we will take capabilities into account. Therefore I'm closing the bug now with WONTFIX here.