mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: execve(2) will drop capabilities unless the caller's UID maps to 0
Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
550d1c537c
commit
77f9548830
|
@ -134,6 +134,17 @@ files that are owned by user ID 0,
|
|||
and will be able to do things such as sending signals
|
||||
to processes belonging to user ID 0.
|
||||
|
||||
Note that a call to
|
||||
.BR execve (2)
|
||||
will cause a process to lose any capabilities that it has,
|
||||
unless it has a user ID of 0 within the namespace.
|
||||
Thus, before calling
|
||||
.BR execve (2),
|
||||
a user ID mapping for ID 0 must be defined,
|
||||
and the caller may also need to use
|
||||
.BR setuid (2)
|
||||
or similar to set its user ID to 0.
|
||||
|
||||
A call to
|
||||
.BR clone (2),
|
||||
.BR unshare (2),
|
||||
|
|
Loading…
Reference in New Issue