mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Note treatment of "securebits" flags
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
37909beed2
commit
0666f549da
|
@ -105,7 +105,8 @@ Likewise, a process that creates a new user namespace using
|
|||
.BR unshare (2)
|
||||
or joins an existing user namespace using
|
||||
.BR setns (2)
|
||||
gains a full set of capabilities in that namespace.
|
||||
gains a full set of capabilities in that namespace,
|
||||
and its securebits flags are cleared.
|
||||
On the other hand,
|
||||
that process has no capabilities outside that user namespace,
|
||||
even if the new namespace is created or joined by the root user
|
||||
|
@ -116,6 +117,32 @@ files that are owned by user ID 0,
|
|||
and will be able to do things such as sending signals
|
||||
to processes belonging to user ID 0.)
|
||||
|
||||
A call to
|
||||
.BR clone (2),
|
||||
.BR unshare (2),
|
||||
or
|
||||
.BR setns (2)
|
||||
using the
|
||||
.BR CLONE_NEWUSER
|
||||
flag sets the "securebits" flags
|
||||
(see
|
||||
.BR capabilities (7))
|
||||
to their default values (all flags disabled) in the child (for
|
||||
.BR clone (2))
|
||||
or caller (for
|
||||
.BR unshare (2),
|
||||
or
|
||||
.BR setns (2)).
|
||||
Note that
|
||||
because the caller no longer has capabilities in its original user namespace
|
||||
after a call to
|
||||
.BR setns (2),
|
||||
it is not possible for a process to reset its "securebits" flags while
|
||||
retaining its user namespace membership by using a pair of
|
||||
.BR setns (2)
|
||||
calls to move to another user namespace and then return to
|
||||
its original user namespace.
|
||||
|
||||
Having a capability inside a user namespace
|
||||
permits a process to perform operations (that require privilege)
|
||||
only on resources governed by that namespace.
|
||||
|
|
Loading…
Reference in New Issue