proc.5: Tweaks to /proc/PID/setgroups text

After comments from Eric Biederman Cowritten-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-02-12 14:54:18 +01:00 · 2015-02-12 14:54:18 +01:00 · a0726dbfdd
parent f72de267d9
commit a0726dbfdd
1 changed files with 26 additions and 2 deletions
--- a/man5/proc.5
+++ b/man5/proc.5
@ -1220,11 +1220,16 @@ if processes in the user namespace that contains the process
 .I pid
 are permitted to employ the
 .BR setgroups (2)
-system call, and
+system call; it displays
 .RI \(dq deny \(dq
 if
 .BR setgroups (2)
 is not permitted in that user namespace.
+(Note, however, that calls to
+.BR setgroups (2)
+are also not permitted if
+.IR /proc/[pid]/gid_map
+has not yet been set.)

 A privileged process (one with the
 .BR CAP_SYS_ADMIN
@ -1232,13 +1237,32 @@ capability in the namespace) may write either of the strings
 .RI \(dq allow \(dq
 or
 .RI \(dq deny \(dq
-to this file before writing a group ID mapping
+to this file
+.I before
+writing a group ID mapping
 for this user namespace to the file
 .IR /proc/[pid]/gid_map .
 Writing the string
 .RI \(dq deny \(dq
 prevents any process in the user namespace from employing
 .BR setgroups (2).
+In other words, it is permitted to write to
+.I /proc/[pid]/setgroups
+so long as calling
+.BR setgroups (2)
+is not allowed because
+.I /proc/[pid]gid_map
+has not been set.
+This ensures that a process cannot transition from a state where
+.BR setgroups (2)
+is allowed to a state where
+.BR setgroups (2)
+is denied;
+a process can only transition from
+.BR setgroups (2)
+being disallowed to
+.BR setgroups (2)
+being allowed.

 The default value of this file in the initial user namespace is
 .RI \(dq allow \(dq.