By default, only root can create CPU sets (and manipulate tasks in existing ones):

$ cset shield -c0
cset: **> [Errno 13] Permission denied: '/cpusets//user'
cset: insufficient permissions, you probably need to be root

If I granted user trusted the right to run sudo cset, the commands he/she will run, e.g.

sudo cset shield -e command 

would be owned by root, unless we do

sudo cset shield -e sudo -- -u trusted command 

which is quite complex, especially regarding what environment is inherited by command through these layers...

Is there a way to grant trusted rights to manipulate CPU sets without changing identity?

1 Answer

According to the cpuset man page:

The permissions of a cpuset are determined by the permissions of the directories and pseudo-files in the cpuset filesystem, normally mounted at /dev/cpuset.

Using a small, sudo-callable script that creates a cpuset and adapts the ownership/permissions of the corresponding folder and the files in it, a user would be allowed to create his own cpuset.

Then the user can use and modify this cpuset directly without root permissions and create child cpusets for it.

See also https://serverfault.com/questions/478946/how-can-i-create-and-use-linux-cgroups-as-a-non-root-user .

  • Thank you for the answer and for the pointer (I learned that creating a cpuset is as simple as mkdir). The cpuset pseudo-fs does not support ACLs, so here's what I did: (i) create a trusted-users group (ii) mount -t cpuset none /cpusets (this is the default mountpoint for the cset utility) (iii) chown -R :trusted-users /cpusets (iv) find /cpusets -perm -u=w -exec chmod g+w '{}' \+ Commented Feb 11, 2019 at 9:55
  • The files are actually at /sys/fs/cgroup/cpuset (as referenced in the link) but it might depend on the distro. Commented May 3, 2022 at 6:56
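
One way to write the small sudo-callable script the answer describes, as an added example that is not the answerer's code. It assumes a cgroup v1 cpuset hierarchy; `make_user_cpuset` and `CPUSET_ROOT` are hypothetical names, and the mount point must be set to the one your system uses.

```shell
#!/bin/sh
# Added example (not from the original answer). Hypothetical helper meant to be
# the only cpuset-related command a user may run through sudo.
# Assumption: cgroup v1 cpuset hierarchy; the mount point varies by distro
# (/sys/fs/cgroup/cpuset, /dev/cpuset, or /cpusets for the cset utility).
CPUSET_ROOT=/sys/fs/cgroup/cpuset

# make_user_cpuset ROOT USER: create ROOT/USER and hand it over to USER.
make_user_cpuset() {
    root=$1 user=$2
    # Reject empty names, a leading '-', and anything that could escape ROOT.
    case $user in
        ''|-*|*[!A-Za-z0-9_-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    id -u "$user" >/dev/null 2>&1 || { echo "unknown user" >&2; return 1; }
    [ -d "$root" ] || { echo "$root: not mounted" >&2; return 1; }

    dir=$root/$user
    [ -d "$dir" ] || mkdir "$dir" || return 1

    # A new v1 cpuset starts with empty cpus/mems and cannot accept tasks,
    # so inherit the parent's values. File names carry a "cpuset." prefix
    # when mounted as a cgroup and none when mounted with -t cpuset.
    for f in cpus mems cpuset.cpus cpuset.mems; do
        if [ -f "$root/$f" ]; then
            cat "$root/$f" > "$dir/$f" || return 1
        fi
    done

    # Ownership of the directory and its pseudo-files is what grants control.
    chown -R "$user" "$dir"
}

# Run only when invoked through sudo: the target is always the caller
# (SUDO_USER is set by sudo), never a name supplied on the command line.
if [ "$(id -u)" -eq 0 ] && [ -n "${SUDO_USER:-}" ]; then
    make_user_cpuset "$CPUSET_ROOT" "$SUDO_USER"
fi
```

Installing the script root-owned and not writable by others, and allowing only this script in sudoers, keeps the grant narrower than allowing `sudo cset`.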
