I have to run mesos-agent as root (or some user with root privilege) to isolate tasks' execution environment. For security, we
- chmod +s mesos-agent and then run it as some user A (we'll ssh as user A to do some ops, but NOT everyone has root privilege).
- use --switch_user to restrict tasks' capabilities (e.g. "rm -rf /" is not allowed).
The problem is that if we set CommandInfo.User to A (the same one running mesos-agent), the check in MesosContainerizerLaunch::execute()
will always be false. As a result, all subprocesses will run as root.
So I suggest that we use geteuid here to replace getuid, namely