chroot.2, clone.2, epoll_wait.2, execve.2, getgroups.2: ffix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
0ffeaeae10
commit
47f743f12e
|
@ -104,10 +104,12 @@ so that after the call \(aq\fI.\fP\(aq can
|
||||||
be outside the tree rooted at \(aq\fI/\fP\(aq.
|
be outside the tree rooted at \(aq\fI/\fP\(aq.
|
||||||
In particular, the superuser can escape from a "chroot jail"
|
In particular, the superuser can escape from a "chroot jail"
|
||||||
by doing:
|
by doing:
|
||||||
.nf
|
.PP
|
||||||
|
.in +4n
|
||||||
mkdir foo; chroot foo; cd ..
|
.EX
|
||||||
.fi
|
mkdir foo; chroot foo; cd ..
|
||||||
|
.EE
|
||||||
|
.in
|
||||||
.PP
|
.PP
|
||||||
This call does not close open file descriptors, and such file
|
This call does not close open file descriptors, and such file
|
||||||
descriptors may allow access to files outside the chroot tree.
|
descriptors may allow access to files outside the chroot tree.
|
||||||
|
|
12
man2/clone.2
12
man2/clone.2
|
@ -1214,13 +1214,15 @@ argument includes
|
||||||
.BR CLONE_VM .)
|
.BR CLONE_VM .)
|
||||||
To get the truth, it was sometimes necessary to use code such as the following:
|
To get the truth, it was sometimes necessary to use code such as the following:
|
||||||
.PP
|
.PP
|
||||||
.nf
|
.in +4n
|
||||||
#include <syscall.h>
|
.EX
|
||||||
|
#include <syscall.h>
|
||||||
|
|
||||||
pid_t mypid;
|
pid_t mypid;
|
||||||
|
|
||||||
mypid = syscall(SYS_getpid);
|
mypid = syscall(SYS_getpid);
|
||||||
.fi
|
.EE
|
||||||
|
.in
|
||||||
.\" See also the following bug reports
|
.\" See also the following bug reports
|
||||||
.\" https://bugzilla.redhat.com/show_bug.cgi?id=417521
|
.\" https://bugzilla.redhat.com/show_bug.cgi?id=417521
|
||||||
.\" http://sourceware.org/bugzilla/show_bug.cgi?id=6910
|
.\" http://sourceware.org/bugzilla/show_bug.cgi?id=6910
|
||||||
|
|
|
@ -129,22 +129,26 @@ becomes ready or until a signal is caught.
|
||||||
The following
|
The following
|
||||||
.BR epoll_pwait ()
|
.BR epoll_pwait ()
|
||||||
call:
|
call:
|
||||||
.nf
|
.PP
|
||||||
|
.in +4n
|
||||||
ready = epoll_pwait(epfd, &events, maxevents, timeout, &sigmask);
|
.EX
|
||||||
|
ready = epoll_pwait(epfd, &events, maxevents, timeout, &sigmask);
|
||||||
.fi
|
.EE
|
||||||
|
.in
|
||||||
|
.PP
|
||||||
is equivalent to
|
is equivalent to
|
||||||
.I atomically
|
.I atomically
|
||||||
executing the following calls:
|
executing the following calls:
|
||||||
.nf
|
.PP
|
||||||
|
.in +4n
|
||||||
|
.EX
|
||||||
|
sigset_t origmask;
|
||||||
|
|
||||||
sigset_t origmask;
|
pthread_sigmask(SIG_SETMASK, &sigmask, &origmask);
|
||||||
|
ready = epoll_wait(epfd, &events, maxevents, timeout);
|
||||||
pthread_sigmask(SIG_SETMASK, &sigmask, &origmask);
|
pthread_sigmask(SIG_SETMASK, &origmask, NULL);
|
||||||
ready = epoll_wait(epfd, &events, maxevents, timeout);
|
.EE
|
||||||
pthread_sigmask(SIG_SETMASK, &origmask, NULL);
|
.in
|
||||||
.fi
|
|
||||||
.PP
|
.PP
|
||||||
The
|
The
|
||||||
.I sigmask
|
.I sigmask
|
||||||
|
|
|
@ -721,7 +721,7 @@ The following program is designed to be execed by the second program below.
|
||||||
It just echoes its command-line arguments, one per line.
|
It just echoes its command-line arguments, one per line.
|
||||||
.PP
|
.PP
|
||||||
.in +4n
|
.in +4n
|
||||||
.nf
|
.EX
|
||||||
/* myecho.c */
|
/* myecho.c */
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
@ -737,14 +737,14 @@ main(int argc, char *argv[])
|
||||||
|
|
||||||
exit(EXIT_SUCCESS);
|
exit(EXIT_SUCCESS);
|
||||||
}
|
}
|
||||||
.fi
|
.EE
|
||||||
.in
|
.in
|
||||||
.PP
|
.PP
|
||||||
This program can be used to exec the program named in its command-line
|
This program can be used to exec the program named in its command-line
|
||||||
argument:
|
argument:
|
||||||
|
.PP
|
||||||
.in +4n
|
.in +4n
|
||||||
.nf
|
.EX
|
||||||
|
|
||||||
/* execve.c */
|
/* execve.c */
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
@ -768,20 +768,20 @@ main(int argc, char *argv[])
|
||||||
perror("execve"); /* execve() returns only on error */
|
perror("execve"); /* execve() returns only on error */
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
.fi
|
.EE
|
||||||
.in
|
.in
|
||||||
.PP
|
.PP
|
||||||
We can use the second program to exec the first as follows:
|
We can use the second program to exec the first as follows:
|
||||||
.PP
|
.PP
|
||||||
.in +4n
|
.in +4n
|
||||||
.nf
|
.EX
|
||||||
.RB "$" " cc myecho.c \-o myecho"
|
.RB "$" " cc myecho.c \-o myecho"
|
||||||
.RB "$" " cc execve.c \-o execve"
|
.RB "$" " cc execve.c \-o execve"
|
||||||
.RB "$" " ./execve ./myecho"
|
.RB "$" " ./execve ./myecho"
|
||||||
argv[0]: ./myecho
|
argv[0]: ./myecho
|
||||||
argv[1]: hello
|
argv[1]: hello
|
||||||
argv[2]: world
|
argv[2]: world
|
||||||
.fi
|
.EE
|
||||||
.in
|
.in
|
||||||
.PP
|
.PP
|
||||||
We can also use these programs to demonstrate the use of a script
|
We can also use these programs to demonstrate the use of a script
|
||||||
|
@ -791,25 +791,25 @@ To do this we create a script whose "interpreter" is our
|
||||||
program:
|
program:
|
||||||
.PP
|
.PP
|
||||||
.in +4n
|
.in +4n
|
||||||
.nf
|
.EX
|
||||||
.RB "$" " cat > script"
|
.RB "$" " cat > script"
|
||||||
.B #!./myecho script-arg
|
.B #!./myecho script-arg
|
||||||
.B ^D
|
.B ^D
|
||||||
.RB "$" " chmod +x script"
|
.RB "$" " chmod +x script"
|
||||||
.fi
|
.EE
|
||||||
.in
|
.in
|
||||||
.PP
|
.PP
|
||||||
We can then use our program to exec the script:
|
We can then use our program to exec the script:
|
||||||
.PP
|
.PP
|
||||||
.in +4n
|
.in +4n
|
||||||
.nf
|
.EX
|
||||||
.RB "$" " ./execve ./script"
|
.RB "$" " ./execve ./script"
|
||||||
argv[0]: ./myecho
|
argv[0]: ./myecho
|
||||||
argv[1]: script-arg
|
argv[1]: script-arg
|
||||||
argv[2]: ./script
|
argv[2]: ./script
|
||||||
argv[3]: hello
|
argv[3]: hello
|
||||||
argv[4]: world
|
argv[4]: world
|
||||||
.fi
|
.EE
|
||||||
.in
|
.in
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
.BR chmod (2),
|
.BR chmod (2),
|
||||||
|
|
|
@ -169,12 +169,14 @@ is inherited from the parent process, and preserved across an
|
||||||
.PP
|
.PP
|
||||||
The maximum number of supplementary group IDs can be found at run time using
|
The maximum number of supplementary group IDs can be found at run time using
|
||||||
.BR sysconf (3):
|
.BR sysconf (3):
|
||||||
.nf
|
.PP
|
||||||
|
.in +4n
|
||||||
long ngroups_max;
|
.EX
|
||||||
ngroups_max = sysconf(_SC_NGROUPS_MAX);
|
long ngroups_max;
|
||||||
|
ngroups_max = sysconf(_SC_NGROUPS_MAX);
|
||||||
.fi
|
..EE
|
||||||
|
.in
|
||||||
|
.EE
|
||||||
The maximum return value of
|
The maximum return value of
|
||||||
.BR getgroups ()
|
.BR getgroups ()
|
||||||
cannot be larger than one more than this value.
|
cannot be larger than one more than this value.
|
||||||
|
|
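Review bot: On the new side of this getgroups.2 hunk the example is closed with `..EE` where the old side had `.fi`; with the extra leading dot this does not appear to invoke the `.EE` macro, so the `.EX` block opened three lines earlier is never closed, and the second `.EE` then lands after `.in`, outside the indented region. The other hunks in this commit (chroot.2, clone.2, epoll_wait.2) end their examples with the sequence `.EE` / `.in` / `.PP`, and the same fits here: replace the `..EE` line with `.EE` and the stray `.EE` that follows `.in` with `.PP`, so that "The maximum return value of" again starts a new paragraph. The rendering drops the `+`/`-` markers, so this reads the right-hand column as the new side.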