From 0666f549dacdf330fe67a4a642b472781e739d98 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Fri, 8 Mar 2013 14:56:33 +0100 Subject: [PATCH] user_namespaces.7: Note treatment of "securebits" flags Signed-off-by: Michael Kerrisk --- man7/user_namespaces.7 | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index 3d9e35fc5..d0414c0dd 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -105,7 +105,8 @@ Likewise, a process that creates a new user namespace using .BR unshare (2) or joins an existing user namespace using .BR setns (2) -gains a full set of capabilities in that namespace. +gains a full set of capabilities in that namespace, +and its securebits flags are cleared. On the other hand, that process has no capabilities outside that user namespace, even if the new namespace is created or joined by the root user @@ -116,6 +117,32 @@ files that are owned by user ID 0, and will be able to do things such as sending signals to processes belonging to user ID 0.) +A call to +.BR clone (2), +.BR unshare (2), +or +.BR setns (2) +using the +.BR CLONE_NEWUSER +flag sets the "securebits" flags +(see +.BR capabilities (7)) +to their default values (all flags disabled) in the child (for +.BR clone (2)) +or caller (for +.BR unshare (2), +or +.BR setns (2)). +Note that +because the caller no longer has capabilities in its original user namespace +after a call to +.BR setns (2), +it is not possible for a process to reset its "securebits" flags while +retaining its user namespace membership by using a pair of +.BR setns (2) +calls to move to another user namespace and then return to +its original user namespace. + Having a capability inside a user namespace permits a process to perform operations (that require privilege) only on resources governed by that namespace.
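Review bot: In the first hunk, the clause "and its securebits flags are cleared" is attached only to the unshare(2)/setns(2) sentence, while the second hunk states that the flags are reset for clone(2) with CLONE_NEWUSER as well; stating the behaviour once, in the dedicated paragraph, avoids a reader inferring that clone(2) is an exception. If the clause stays, quote "securebits" as the second hunk does and point to capabilities(7) at first mention, e.g. `+and its "securebits" flags (see capabilities(7)) are cleared.`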
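Review bot: In the second hunk, the parenthetical "or caller (for unshare(2), or setns(2))" has a stray comma before "or" and the nested parentheses make the clause hard to parse; "in the child (for clone(2)) or in the caller (for unshare(2) or setns(2))" reads more cleanly. The "Note that ..." sentence also relies on an unstated premise, that a process needs capabilities in a user namespace in order to setns(2) into it; the paragraph says only that the caller "no longer has capabilities in its original user namespace", so a short clause naming that requirement would make the argument self-contained.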