user_namespaces.7: execve(2) will drop capabilities unless the caller's UID maps to 0

Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2013-03-21 16:47:47 +01:00 · 2013-03-21 16:47:47 +01:00 · 77f9548830
parent 550d1c537c
commit 77f9548830
1 changed files with 11 additions and 0 deletions
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@ -134,6 +134,17 @@ files that are owned by user ID 0,
 and will be able to do things such as sending signals
 to processes belonging to user ID 0.

+Note that a call to
+.BR execve (2)
+will cause a process to lose any capabilities that it has,
+unless it has a user ID of 0 within the namespace.
+Thus, before calling
+.BR execve (2),
+a user ID mapping for ID 0 must be defined,
+and the caller may also need to use
+.BR setuid (2)
+or similar to set its user ID to 0.
+
 A call to 
 .BR clone (2),
 .BR unshare (2),