Cgroup world-writeable files


Environment

  • Red Hat Enterprise Linux(RHEL) 6/7

Issue

  • The following cgroup files are being created with the world-writable bit set:
--w--w--w-. 1 root root 0 May 14 15:04 /cgroup/freezer/cgroup.event_control
--w--w--w-. 1 root root 0 May 14 15:04 /cgroup/memory/cgroup.event_control
--w--w--w-. 1 root root 0 May 14 15:04 /cgroup/cpuacct/cgroup.event_control
--w--w--w-. 1 root root 0 May 14 15:04 /cgroup/cpu/cgroup.event_control
--w--w--w-. 1 root root 0 May 14 15:04 /cgroup/cpuset/test/cgroup.event_control
--w--w--w-. 1 root root 0 May 14 15:04 /cgroup/cpuset/cgroup.event_control
--w--w--w-. 1 root root 0 May 14 15:04 /cgroup/net_cls/cgroup.event_control
--w--w--w-. 1 root root 0 May 14 15:04 /cgroup/blkio/cgroup.event_control
--w--w--w-. 1 root root 0 May 14 15:04 /cgroup/devices/cgroup.event_control
  • Is it going to cause harm to the system to remove the world-writeable bit?
  • If no harm will come of changing the bit, how can one make this reboot persistent? These files seem to be recreated at startup.
  • On my RHEL 7 system, I see the following cgroup files world writeable:
--w--w--w-   1 root     root            0 Oct 12 17:21 /sys/fs/cgroup/systemd/system.slice/dev-mqueue.mount/cgroup.event_control
--w--w--w-   1 root     root            0 Oct 12 17:21 /sys/fs/cgroup/systemd/system.slice/system-getty.slice/cgroup.event_control
--w--w--w-   1 root     root            0 Oct 12 10:21 /sys/fs/cgroup/systemd/system.slice/cgroup.event_control
--w--w--w-   1 root     root            0 Oct 12 10:21 /sys/fs/cgroup/systemd/cgroup.event_control

Resolution

  • Changing the world writable bit is not recommended on these files as it would break notification features of the cgroup API.

  • Changing the permissions would have no lasting effect. Cgroups has its own pseudo-file system and manages all the files therein.

  • Each time the cgconfig init script is run, the world writable bit will be set on these files.

Root Cause

  • The cgroup.event_control files are world writeable. This is because they are used in conjunction with the cgroups notification API to allow notifications to be sent about a changing status in the control group.

  • Common operations that attempt to read the file, or to write arbitrary data to it, fail with an error:

# cat cgroup.event_control 
cat: cgroup.event_control: Invalid argument
# echo "xyz" > cgroup.event_control
-bash: echo: write error: Invalid argument
  • Attempting to remove the world-writable permissions succeeds; however, they are reinstated the next time the cgconfig init script runs, as the cgroup file system is a pseudo-file system.
# ls -lah cgroup.event_control 
--w--w--w-. 1 root root 0 May 20 10:38 cgroup.event_control
# chmod a-w ./cgroup.event_control 
# ls -alh cgroup.event_control 
----------. 1 root root 0 May 20 10:38 cgroup.event_control
# cd /
# service cgconfig restart
Stopping cgconfig service:                                 [  OK  ]
Starting cgconfig service:                                 [  OK  ]
# cd -
/cgroup/devices
[root@z devices]# ls -lah cgroup.event_control 
--w--w--w-. 1 root root 0 May 20 10:47 cgroup.event_control
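
Because these files cannot be fixed with chmod, a world-writable file audit needs to separate them from real findings. The following is an added example, not Red Hat's code: the function names are hypothetical, it assumes GNU find and stat, and it treats a file as expected only when it is named cgroup.event_control and also sits on a cgroup v1 file system (magic number 0x27e0eb, CGROUP_SUPER_MAGIC in linux/magic.h), so a look-alike file on an ordinary disk is still reported.

```shell
#!/bin/sh
# Added example (not from the original article): classify world-writable
# files so that cgroup.event_control on a real cgroup v1 mount is reported
# as expected, and everything else is reported as a finding.

# CGROUP_SUPER_MAGIC (0x27e0eb) as printed by `stat -f -c %t` (hex, no 0x).
CGROUP_V1_MAGIC=27e0eb

# classify_ww FILE
# Prints "expected FILE" or "finding FILE".
classify_ww() {
    f=$1
    # File system type of the mount that holds FILE, in hex.
    fstype=$(stat -f -c %t -- "$f" 2>/dev/null) || fstype=unknown
    if [ "${f##*/}" = "cgroup.event_control" ] &&
       [ "$fstype" = "$CGROUP_V1_MAGIC" ]; then
        echo "expected $f"
    else
        # Same name on ext4, xfs, tmpfs, etc. is NOT exempt: only the
        # kernel-managed pseudo-file system justifies the mode bits.
        echo "finding $f"
    fi
}

# audit_ww DIR...
# Classifies every world-writable regular file under the given roots.
audit_ww() {
    find "$@" -type f -perm -0002 2>/dev/null |
    while IFS= read -r f; do
        classify_ww "$f"
    done
}

# When run with arguments, audit those directories, e.g.:
#   sh audit_ww.sh /cgroup /sys/fs/cgroup /etc /var
if [ "$#" -gt 0 ]; then
    audit_ww "$@"
fi
```

Lines marked "finding" are the ones to investigate; lines marked "expected" match the behaviour described in the Root Cause section.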
