mirror of https://github.com/mkerrisk/man-pages
proc.5: Tweaks to Eric Biederman's patch
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent de04dd4df3
commit 6bb49a3266
man5/proc.5 | 24
|
@ -1216,26 +1216,32 @@ are not available if the main thread has already terminated
|
|||
.\"
|
||||
This file displays the string
|
||||
.RI \(dq allow \(dq
|
||||
if the
|
||||
if processes in the user namespace that contains the process
|
||||
.I pid
|
||||
are permitted to employ the
|
||||
.BR setgroups (2)
|
||||
system call is permitted in the process's user namespace, and
|
||||
system call, and
|
||||
.RI \(dq deny \(dq
|
||||
if
|
||||
.BR setgroups (2)
|
||||
is not permitted.
|
||||
is not permitted in that user namespace.
|
||||
|
||||
A privileged process (one with the
|
||||
.BR CAP_SYS_ADMIN
|
||||
capability in the namespace)
|
||||
.\" Should it be "parent namespace" in the line above?
|
||||
may write either of the strings
|
||||
capability in the namespace) may write either of the strings
|
||||
.RI \(dq allow \(dq
|
||||
or
|
||||
.RI \(dq deny \(dq
|
||||
to this file before writing a group ID mapping
|
||||
for this user namespace to the file
|
||||
.IR /proc/[pid]/gid_map .
|
||||
The default value of this file in the initial user namesapce is
|
||||
.RI " allow ".
|
||||
Writing the string
|
||||
.RI \(dq deny \(dq
|
||||
prevents any process in the user namespace from employing
|
||||
.BR setgroups (2).
|
||||
|
||||
The default value of this file in the initial user namespace is
|
||||
.RI \(dq allow \(dq.
|
||||
|
||||
Once
|
||||
.IR /proc/[pid]/gid_map
|
||||
|
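Review bot: the privilege statement "(one with the CAP_SYS_ADMIN capability in the namespace)" becomes ambiguous once the opening sentence is rewritten to speak of "the user namespace that contains the process pid"; say explicitly which namespace is meant, e.g. "(one with the CAP_SYS_ADMIN capability in that user namespace)", because the `.\" Should it be "parent namespace" in the line above?` comment shows the question has already been raised and dropping the comment alone does not answer it for the reader. The "Writing the string deny" paragraph also gives the effect of "deny" but not why a namespace creator would want to disable setgroups(2) before writing gid_map; one sentence of rationale would help, since the "Once /proc/[pid]/gid_map" text that follows makes the ordering of the two writes matter. The replacement of `.RI " allow ".` by `.RI \(dq allow \(dq.` is right: the quoted-argument form would have rendered a bare, space-padded "allow" with no quotation marks, unlike every other occurrence in this section.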
@ -1255,7 +1261,7 @@ setting from its parent.
|
|||
If the
|
||||
.I setgroups
|
||||
file has the value
|
||||
.IR \(dq deny \(dq,
|
||||
.RI \(dq deny \(dq,
|
||||
then the
|
||||
.BR setgroups (2)
|
||||
system call can't subsequently be reenabled (by writing
|
||||
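Review bot: the change from `.IR \(dq deny \(dq,` to `.RI \(dq deny \(dq,` is the right fix and should be kept: .IR sets its first argument in italic, so the opening quote would be italic and "deny" roman, the reverse of the `.RI \(dq deny \(dq` form used for the same string in the hunk above; with .RI the quotes and the trailing comma are roman and only "deny" is italic, consistent with the rest of the section.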