mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Reorganize and add some subheadings
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
67d1131fd9
commit
62a5214c57
|
@ -45,7 +45,7 @@ but is unprivileged for operations outside the namespace.
|
||||||
User namespaces can be nested;
|
User namespaces can be nested;
|
||||||
that is, each user namespace has a parent user namespace,
|
that is, each user namespace has a parent user namespace,
|
||||||
and can have zero or more child user namespaces.
|
and can have zero or more child user namespaces.
|
||||||
The parent of a user namespace is the user namespace
|
The parent user namespace is the user namespace
|
||||||
of the process that creates the user namespace via a call to
|
of the process that creates the user namespace via a call to
|
||||||
.BR unshare (2)
|
.BR unshare (2)
|
||||||
or
|
or
|
||||||
|
@ -54,6 +54,9 @@ with the
|
||||||
.BR CLONE_NEWUSER
|
.BR CLONE_NEWUSER
|
||||||
flag.
|
flag.
|
||||||
|
|
||||||
|
The first process in a user namespace starts out with a complete set
|
||||||
|
of capabilities with respect to the new user namespace.
|
||||||
|
|
||||||
When a user namespace is created,
|
When a user namespace is created,
|
||||||
it starts out without a mapping of user IDs (group IDs)
|
it starts out without a mapping of user IDs (group IDs)
|
||||||
to the parent user namespace.
|
to the parent user namespace.
|
||||||
|
@ -62,9 +65,16 @@ may be set by writing into
|
||||||
.IR /proc/[pid]/uid_map
|
.IR /proc/[pid]/uid_map
|
||||||
.RI ( /proc/[pid]/gid_map );
|
.RI ( /proc/[pid]/gid_map );
|
||||||
see below.
|
see below.
|
||||||
|
.PP
|
||||||
The first process in a user namespace starts out with a complete set
|
In order to create a new user namespace,
|
||||||
of capabilities with respect to the new user namespace.
|
there must exist a mapping of the caller's effective
|
||||||
|
user and group IDs into the parent namespace.
|
||||||
|
If such a mapping does not exist, then
|
||||||
|
.BR clone (2)
|
||||||
|
and
|
||||||
|
.BR unshare (2)
|
||||||
|
fail with the error
|
||||||
|
.BR EPERM .
|
||||||
|
|
||||||
System calls that return user IDs (group IDs) will return
|
System calls that return user IDs (group IDs) will return
|
||||||
either the user ID (group ID) mapped into the current
|
either the user ID (group ID) mapped into the current
|
||||||
|
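Review bot: The added paragraph says the caller's IDs must map "into the parent namespace", whereas the context lines just above say "to the parent user namespace"; use "parent user namespace" here as well so it is unambiguous that the user namespace, not some other namespace type, is meant. Otherwise the move reads well: the EPERM condition now sits next to the explanation that a new namespace starts without a mapping, and the removed sentence about the first process's capability set is not lost, it reappears in the hunk at -54.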
@ -76,7 +86,11 @@ and
|
||||||
.IR /proc/sys/kernel/overflowgid
|
.IR /proc/sys/kernel/overflowgid
|
||||||
in
|
in
|
||||||
.BR proc (5).
|
.BR proc (5).
|
||||||
|
.PP
|
||||||
|
Use of user namespaces requires a kernel that is configured with the
|
||||||
|
.B CONFIG_USER_NS
|
||||||
|
option.
|
||||||
|
.SS Interaction of user namespaces and other types of namespaces
|
||||||
Starting in Linux 3.8, unprivileged processes can create user namespaces,
|
Starting in Linux 3.8, unprivileged processes can create user namespaces,
|
||||||
and mount, PID, IPC, network, and UTS namespaces can be created with just the
|
and mount, PID, IPC, network, and UTS namespaces can be created with just the
|
||||||
.B CAP_SYS_ADMIN
|
.B CAP_SYS_ADMIN
|
||||||
|
@ -107,8 +121,7 @@ privileged operations that operate on global
|
||||||
resources isolated by the namespace,
|
resources isolated by the namespace,
|
||||||
the permission checks are performed according to the process's capabilities
|
the permission checks are performed according to the process's capabilities
|
||||||
in the user namespace that the kernel associated with the new namespace.
|
in the user namespace that the kernel associated with the new namespace.
|
||||||
|
.SS Capabilities
|
||||||
|
|
||||||
The following rules apply with respect to the capabilities granted
|
The following rules apply with respect to the capabilities granted
|
||||||
to a process:
|
to a process:
|
||||||
.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
|
.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
|
||||||
|
@ -130,18 +143,7 @@ has all capabilities in the user namespace.
|
||||||
.\" As a rough approximation, this means that
|
.\" As a rough approximation, this means that
|
||||||
.\" the user who creates a user namespace
|
.\" the user who creates a user namespace
|
||||||
.\" has all capabilities inside that namespace and its descendants.
|
.\" has all capabilities inside that namespace and its descendants.
|
||||||
.PP
|
.SS User and group ID mappings: uid_map and gid_map
|
||||||
Use of user namespaces requires a kernel that is configured with the
|
|
||||||
.B CONFIG_USER_NS
|
|
||||||
option.
|
|
||||||
|
|
||||||
Over the years, there have been a lot of features that have been added
|
|
||||||
to the Linux kernel that are only available to privileged users
|
|
||||||
because of their potential to confuse set-user-ID-root applications.
|
|
||||||
In general, it becomes safe to allow the root user in a user namespace to
|
|
||||||
use those features because it is impossible, while in a user namespace,
|
|
||||||
to gain more privilege than the root user of a user namespace has.
|
|
||||||
|
|
||||||
The
|
The
|
||||||
.IR /proc/[pid]/uid_map
|
.IR /proc/[pid]/uid_map
|
||||||
and
|
and
|
||||||
|
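Review bot: This hunk drops the "Over the years ... it is impossible, while in a user namespace, to gain more privilege than the root user of a user namespace has" paragraph from DESCRIPTION (it reappears under the new NOTES section at the end of the patch). That paragraph is the safety argument for why unprivileged processes may create user namespaces and why root inside one may use formerly privileged features, so consider leaving a one-sentence pointer near the Capabilities rules rather than relying on readers reaching NOTES. The `.PP` to `.SS` swap is right: the heading replaces the paragraph break, so no stray `.PP` remains before "The /proc/[pid]/uid_map and ...".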
@ -151,7 +153,10 @@ files (available since Linux 3.5)
|
||||||
expose the mappings for user and group IDs
|
expose the mappings for user and group IDs
|
||||||
inside the user namespace for the process
|
inside the user namespace for the process
|
||||||
.IR pid .
|
.IR pid .
|
||||||
The description here explains the details for
|
These files can be read to view the mappings in a user namespace and
|
||||||
|
written to (once) to define the mappings.
|
||||||
|
|
||||||
|
The description in the following paragraphs explains the details for
|
||||||
.IR uid_map ;
|
.IR uid_map ;
|
||||||
.IR gid_map
|
.IR gid_map
|
||||||
is exactly the same,
|
is exactly the same,
|
||||||
|
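Review bot: The new sentence "written to (once) to define the mappings" states the write-once rule without saying where the rules for writes are; since the patch adds a "Defining user and group ID mappings: writing to uid_map and gid_map" subsection, end the sentence with a pointer to it (for example "written to (once) to define the mappings; see below"), so readers know that the single-write restriction and the EPERM conditions for invalid writes are covered there. "The description in the following paragraphs" is a clearer replacement for "The description here".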
@ -215,6 +220,7 @@ that created this user namespace.
|
||||||
.IP (3)
|
.IP (3)
|
||||||
The length of the range of user IDs that is mapped between the two
|
The length of the range of user IDs that is mapped between the two
|
||||||
user namespaces.
|
user namespaces.
|
||||||
|
.SS Defining user and group ID mappings: writing to uid_map and gid_map
|
||||||
.PP
|
.PP
|
||||||
After the creation of a new user namespace, the
|
After the creation of a new user namespace, the
|
||||||
.I uid_map
|
.I uid_map
|
||||||
|
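Review bot: The `.PP` on the line after the new `.SS Defining user and group ID mappings: ...` is redundant, as `.SS` already starts a new paragraph; drop it so the subheading is followed directly by "After the creation of a new user namespace, the", matching the `.SS Interaction of user namespaces ...` heading earlier in the patch, which is followed directly by text. Placing the heading right after the `.IP (3)` item also correctly ends the indented list before the prose resumes.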
@ -313,16 +319,7 @@ in the parent user namespace.
|
||||||
.PP
|
.PP
|
||||||
Writes that violate the above rules fail with the error
|
Writes that violate the above rules fail with the error
|
||||||
.BR EPERM .
|
.BR EPERM .
|
||||||
.PP
|
.SS Set-user-ID and set-group-ID programs
|
||||||
In order to create a new user namespace,
|
|
||||||
there must exist a mapping of the caller's effective
|
|
||||||
user and group IDs into the parent namespace.
|
|
||||||
If such a mapping does not exist, then
|
|
||||||
.BR clone (2)
|
|
||||||
and
|
|
||||||
.BR unshare (2)
|
|
||||||
fail with the error
|
|
||||||
.BR EPERM .
|
|
||||||
.PP
|
.PP
|
||||||
When a process inside a user namespace executes
|
When a process inside a user namespace executes
|
||||||
a set-user-ID (set-group-ID) program,
|
a set-user-ID (set-group-ID) program,
|
||||||
|
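Review bot: The nine removed lines ("In order to create a new user namespace, ... .BR EPERM .") match word for word the text inserted after "see below." in the hunk at -62, so this is a pure move and the EPERM rule is not lost. One tidy-up: the retained `.PP` immediately after the new `.SS Set-user-ID and set-group-ID programs` is redundant, since the subheading already begins a paragraph.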
@ -341,6 +338,13 @@ flag (see
|
||||||
.BR mount (2).)
|
.BR mount (2).)
|
||||||
.SH CONFORMING TO
|
.SH CONFORMING TO
|
||||||
Namespaces are a Linux-specific feature.
|
Namespaces are a Linux-specific feature.
|
||||||
|
.SH NOTES
|
||||||
|
Over the years, there have been a lot of features that have been added
|
||||||
|
to the Linux kernel that are only available to privileged users
|
||||||
|
because of their potential to confuse set-user-ID-root applications.
|
||||||
|
In general, it becomes safe to allow the root user in a user namespace to
|
||||||
|
use those features because it is impossible, while in a user namespace,
|
||||||
|
to gain more privilege than the root user of a user namespace has.
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
.BR unshare (1),
|
.BR unshare (1),
|
||||||
.BR clone (2),
|
.BR clone (2),
|
||||||
|
|
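Review bot: The new NOTES section sits between CONFORMING TO and SEE ALSO, which is the order man-pages(7) prescribes. The moved paragraph carries the key safety claim ("it is impossible, while in a user namespace, to gain more privilege than the root user of a user namespace has"), so at minimum the Capabilities subsection should refer the reader to NOTES. Also consider tightening "there have been a lot of features that have been added" to "a number of features have been added"; the doubled "have been" reads awkwardly.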