mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Clarify meaning of privilege in a user namespace
Having privilege in a user NS only allows privileged operations on resources governed by that user NS. Many privileged operations relate to resources that have no association with any namespace type, and only processes with privilege in the initial user NS can perform those operations. See https://bugzilla.kernel.org/show_bug.cgi?id=120671 Reported-by: Michał Zegan <webczat_200@poczta.onet.pl> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Michael Kerrisk
parent
61256f9f75
commit
89070c1a7c
|
|
@ -165,9 +165,6 @@ retaining its user namespace membership by using a pair of
|
|||
calls to move to another user namespace and then return to
|
||||
its original user namespace.
|
||||
|
||||
Having a capability inside a user namespace
|
||||
permits a process to perform operations (that require privilege)
|
||||
only on resources governed by that namespace.
|
||||
The rules for determining whether or not a process has a capability
|
||||
in a particular user namespace are as follows:
|
||||
.IP 1. 3
|
||||
|
|
@ -208,6 +205,24 @@ has all capabilities in the namespace.
|
|||
By virtue of the previous rule,
|
||||
this means that the process has all capabilities in all
|
||||
further removed descendant user namespaces as well.
|
||||
.PP
|
||||
Having a capability inside a user namespace
|
||||
permits a process to perform operations (that require privilege)
|
||||
only on resources governed by that namespace.
|
||||
In other words, having a capability in a user namespace permits a process
|
||||
to perform privileged operations on resources that are governed by (nonuser)
|
||||
namespaces associated with the user namespace (see the next subsection).
|
||||
On the other hand, there are many privileged operations that affect
|
||||
resources that are not associated with any namespace type,
|
||||
for example, changing the system time (governed by
|
||||
.BR CAP_SYS_TIME ),
|
||||
loading a kernel module (governed by
|
||||
.BR CAP_SYS_MODULE ),
|
||||
and creating a device (governed by
|
||||
.BR CAP_MKNOD ).
|
||||
Only a process with privileges in the
|
||||
.I initial
|
||||
user namespace can perform such operations.
|
||||
.\"
|
||||
.\" ============================================================
|
||||
.\"
|
||||
|
|
|
|||
Loading…
Reference in New Issue