mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Note treatment of "securebits" flags
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
37909beed2
commit
0666f549da
|
@ -105,7 +105,8 @@ Likewise, a process that creates a new user namespace using
|
||||||
.BR unshare (2)
|
.BR unshare (2)
|
||||||
or joins an existing user namespace using
|
or joins an existing user namespace using
|
||||||
.BR setns (2)
|
.BR setns (2)
|
||||||
gains a full set of capabilities in that namespace.
|
gains a full set of capabilities in that namespace,
|
||||||
|
and its securebits flags are cleared.
|
||||||
On the other hand,
|
On the other hand,
|
||||||
that process has no capabilities outside that user namespace,
|
that process has no capabilities outside that user namespace,
|
||||||
even if the new namespace is created or joined by the root user
|
even if the new namespace is created or joined by the root user
|
||||||
|
@ -116,6 +117,32 @@ files that are owned by user ID 0,
|
||||||
and will be able to do things such as sending signals
|
and will be able to do things such as sending signals
|
||||||
to processes belonging to user ID 0.)
|
to processes belonging to user ID 0.)
|
||||||
|
|
||||||
|
A call to
|
||||||
|
.BR clone (2),
|
||||||
|
.BR unshare (2),
|
||||||
|
or
|
||||||
|
.BR setns (2)
|
||||||
|
using the
|
||||||
|
.BR CLONE_NEWUSER
|
||||||
|
flag sets the "securebits" flags
|
||||||
|
(see
|
||||||
|
.BR capabilities (7))
|
||||||
|
to their default values (all flags disabled) in the child (for
|
||||||
|
.BR clone (2))
|
||||||
|
or caller (for
|
||||||
|
.BR unshare (2),
|
||||||
|
or
|
||||||
|
.BR setns (2)).
|
||||||
|
Note that
|
||||||
|
because the caller no longer has capabilities in its original user namespace
|
||||||
|
after a call to
|
||||||
|
.BR setns (2),
|
||||||
|
it is not possible for a process to reset its "securebits" flags while
|
||||||
|
retaining its user namespace membership by using a pair of
|
||||||
|
.BR setns (2)
|
||||||
|
calls to move to another user namespace and then return to
|
||||||
|
its original user namespace.
|
||||||
|
|
||||||
Having a capability inside a user namespace
|
Having a capability inside a user namespace
|
||||||
permits a process to perform operations (that require privilege)
|
permits a process to perform operations (that require privilege)
|
||||||
only on resources governed by that namespace.
|
only on resources governed by that namespace.
|
||||||
|
|
Loading…
Reference in New Issue