From 1b3d5347f54b0bff20e4be970f1d72e15ce757a5 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Fri, 1 Mar 2013 12:57:11 +0100 Subject: [PATCH] user_namespaces.7: Clarify that rules for writing to map files also apply to gid_map Signed-off-by: Michael Kerrisk --- man7/user_namespaces.7 | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index 656f989f8..e44013f03 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -278,13 +278,17 @@ file of of the process in the namespace may be written to .I once to define the mapping of user IDs in the new user namespace. -(An attempt to write more than once to a +An attempt to write more than once to a .I uid_map file in a user namespace fails with the error -.BR EPERM .) +.BR EPERM . +Similar rules apply for +.I gid_map +files. The lines written to .IR uid_map +.RI ( gid_map ) must conform to the following rules: .IP * 3 The three fields must be valid numbers, @@ -305,7 +309,8 @@ and .BR pwrite (2) can't be used to write to nonzero offsets in the file). .IP * -The range of user IDs specified in each line cannot overlap with the ranges +The range of user IDs (group IDs) +specified in each line cannot overlap with the ranges in any other lines. In the current implementation (Linux 3.8), this requirement is satisfied by a simplistic implementation that imposes the further @@ -313,6 +318,9 @@ requirement that the values in both field 1 and field 2 of successive lines must be in ascending numerical order. .IP * +The mapped user IDs (group IDs) must in turn have a mapping +in the parent user namespace. +.IP * At least one line must be written to the file. .PP Writes that violate the above rules fail with the error
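Review bot: The unchanged context line "file of of the process in the namespace may be written to" at the top of the first hunk carries a doubled "of"; since this patch already rewrites the surrounding paragraph, fold that fix in here rather than leaving the typo for a separate commit.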
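Review bot: In the third hunk, "The mapped user IDs (group IDs) must in turn have a mapping in the parent user namespace" is ambiguous, because each line carries two ID values (the context just above speaks of "field 1 and field 2"); say explicitly which field's IDs must already be mapped in the parent namespace, so a reader can tell which value a rejected write violated.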