mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Add more detail on unmapped UIDs and GIDs exposed to user space
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 6eda94413b
commit 3e2a37ec85
@ -340,6 +340,66 @@ Writes that violate the above rules fail with the error
|
||||||
.\"
|
.\"
|
||||||
.\" ============================================================
|
.\" ============================================================
|
||||||
.\"
|
.\"
|
||||||
|
.SS Unmapped user and group IDs
|
||||||
|
.PP
|
||||||
|
There are various places where an unmapped user ID (group ID)
|
||||||
|
may be exposed to user space.
|
||||||
|
For example, the first process in a new user namespace may call
|
||||||
|
.BR getuid ()
|
||||||
|
before a user ID mapping has been defined for the namespace.
|
||||||
|
In most such cases, an unmapped user ID is converted
|
||||||
|
.\" from_kuid_munged(), from_kgid_munged()
|
||||||
|
to the overflow user ID (group ID);
|
||||||
|
the default value for the overflow user ID (group ID) is 65534.
|
||||||
|
See the descriptions of
|
||||||
|
.IR /proc/sys/kernel/overflowuid
|
||||||
|
and
|
||||||
|
.IR /proc/sys/kernel/overflowgid
|
||||||
|
in
|
||||||
|
.BR proc (5).
|
||||||
|
|
||||||
|
The cases where unmapped IDs are mapped in this fashion include
|
||||||
|
system calls that return user IDs
|
||||||
|
.RB ( getuid (2)
|
||||||
|
.BR getgid (2),
|
||||||
|
and similar),
|
||||||
|
credentials passed over a UNIX domain socket,
|
||||||
|
.\" also SO_PEERCRED
|
||||||
|
credentials returned by
|
||||||
|
.BR stat (2),
|
||||||
|
.BR waitid (2),
|
||||||
|
and the System V IPC "ctl"
|
||||||
|
.B IPC_STAT
|
||||||
|
operations,
|
||||||
|
credentials exposed by
|
||||||
|
.IR /proc/PID/status
|
||||||
|
and the files in
|
||||||
|
.IR /proc/sysvipc/* ,
|
||||||
|
credentials returned via the
|
||||||
|
.I si_uid
|
||||||
|
field in the
|
||||||
|
.I siginfo_t
|
||||||
|
received with a signal (see
|
||||||
|
.BR sigaction (2)),
|
||||||
|
credentials written to the process accounting file (see
|
||||||
|
.BR acct (5),
|
||||||
|
and credentials returned with POSIX message queue notifications (see
|
||||||
|
.BR mq_notify (3)).
|
||||||
|
|
||||||
|
There is one notable case where unmapped user and group IDs are
|
||||||
|
.I not
|
||||||
|
.\" from_kuid(), from_kgid()
|
||||||
|
.\" Also F_GETOWNER_UIDS is an exception
|
||||||
|
converted to the corresponding overflow ID value.
|
||||||
|
When viewing a
|
||||||
|
.I uid_map
|
||||||
|
or
|
||||||
|
.I gid_map
|
||||||
|
file in which there is no mapping for the second field,
|
||||||
|
that field is displayed as 4294967295 (\-1 as an unsigned integer);
|
||||||
|
.\"
|
||||||
|
.\" ============================================================
|
||||||
|
.\"
|
||||||
.SS Set-user-ID and set-group-ID programs
|
.SS Set-user-ID and set-group-ID programs
|
||||||
.PP
|
.PP
|
||||||
When a process inside a user namespace executes
|
When a process inside a user namespace executes
|
||||||
|
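Review bot: two small defects in the new "Unmapped user and group IDs" subsection. The parenthesised list of system calls is missing a comma after getuid(2): `.RB ( getuid (2)` should be `.RB ( getuid (2),` so that it renders as "(getuid(2), getgid(2), and similar)". The closing sentence of the subsection, "that field is displayed as 4294967295 (\-1 as an unsigned integer);", ends in a semicolon with nothing following it before the next `.SS`; it should end with a full stop. The text also says there is "one notable case" where unmapped IDs are not converted to the overflow value, while the source comment directly above it records that F_GETOWNER_UIDS is another exception, so either the wording should be loosened or that second case documented. Finally, the paragraphs inside the subsection are separated by blank lines rather than `.PP`, which man-pages(7) advises against.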
@ -387,7 +447,9 @@ a command inside those namespaces.
|
||||||
The comments and
|
The comments and
|
||||||
.I usage()
|
.I usage()
|
||||||
function inside the program provide a full explanation of the program.
|
function inside the program provide a full explanation of the program.
|
||||||
The following shell session demonstrates its use:
|
The following shell session demonstrates its use.
|
||||||
|
|
||||||
|
First, we look at the run-time environment:
|
||||||
|
|
||||||
.in +4n
|
.in +4n
|
||||||
.nf
|
.nf
|
||||||
|
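Review bot: the paragraph break added before "First, we look at the run-time environment:" is a bare blank line; man-pages(7) asks for `.PP` rather than blank lines between paragraphs, so this should be `.PP`. Changing the colon of the preceding sentence to a full stop ("The following shell session demonstrates its use.") is correct now that an introductory sentence comes between it and the session.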
@ -400,7 +462,7 @@ $ \fBid -g\fP
|
||||||
.fi
|
.fi
|
||||||
.in
|
.in
|
||||||
|
|
||||||
Now start a shell in new user
|
Now start a new shell in new user
|
||||||
.RI ( \-U ),
|
.RI ( \-U ),
|
||||||
mount
|
mount
|
||||||
.RI ( \-m ),
|
.RI ( \-m ),
|
||||||
|
|
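Review bot: the inserted "new" yields "Now start a new shell in new user (\-U), mount (\-m), ...", with the word repeated within four words; the namespaces are what is new here, so the original "Now start a shell in new user ..." read more cleanly and this wording change could be dropped.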