mirror of https://github.com/mkerrisk/man-pages
namespaces.7: Note exception to permissions needed when writing to uid_map/gid_lmap
Quoting mail with Eric Biederman:

>>> So, by the way, I added this sentence to the page:
>>>
>>> In order to write to the /proc/[pid]/uid_map
>>> (/proc/[pid]/gid_map) file, a process must have the
>>> CAP_SETUID (CAP_SETGID) capability in the user namespace
>>> of the process pid.
>>>
>>> Is that correct?
>>
>> Yes.
>>
>>> But, there appear to be more rules than this governing whether a
>>> process can write to the file (i.e., various other -EPERM cases). What
>>> are the rules?
>>
>> In general you must also have CAP_SETUID (CAP_SETGID) in the parent user
>> namespace as well. The one exception to that is if you are mapping
>> your current uid and gid.
>
> Can you clarify what you mean by "mapping your own UID and GID" please
> (i.e., who is "you" in that sentence).

At the time of clone() or unshare() that creates a new user namespace,
the kuid and the kgid of the process do not change. setuid and setgid
fail before any mappings are set up. Therefore the caller is allowed to
map any single uid to the uid of the caller in the parent user namespace.
Likewise the caller is allowed to map any single gid to the gid of the
caller in the parent user

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 2a4cbd77a1
commit 37d12157fd
@ -608,6 +608,13 @@ The process must have the
|
|||
.BR CAP_SETUID
|
||||
.RB ( CAP_SETGID )
|
||||
capability in the parent user namespace.
|
||||
There is an exception to this requirement:
|
||||
a process writing to
|
||||
.I uid_map
|
||||
.RI ( gid_map )
|
||||
is allowed to map any single UID (GID) to the file system UID (GID) of the
|
||||
caller in the parent user namespace.
|
||||
|
||||
.IP *
|
||||
The process must be in either the user namespace of the process
|
||||
.I pid
|
||||
|
|
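Review bot: "is allowed to map any single UID (GID) to the file system UID (GID) of the caller" can be read as "any one line of the file may map ..." rather than "the whole write may consist of one line mapping one ID", which is what the commit message describes ("map any single uid to the uid of the caller"); consider stating the shape of the permitted write, e.g. "is allowed to write a single line that maps one UID (GID) to the file system UID (GID) of the caller in the parent user namespace". The hunk also says "file system UID (GID)" where the commit message says "the uid of the caller"; if the file-system ID is deliberately the quantity being documented, the text should say so, since the two differ for a process whose file-system UID is not its effective UID.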