proc.5: Tweaks to /proc/PID/setgroups text

After comments from Eric Biederman

Cowritten-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2015-02-12 14:54:18 +01:00
parent f72de267d9
commit a0726dbfdd
1 changed files with 26 additions and 2 deletions


@ -1220,11 +1220,16 @@ if processes in the user namespace that contains the process
.I pid
are permitted to employ the
.BR setgroups (2)
system call, and
system call; it displays
.RI \(dq deny \(dq
if
.BR setgroups (2)
is not permitted in that user namespace.
(Note, however, that calls to
.BR setgroups (2)
are also not permitted if
.IR /proc/[pid]/gid_map
has not yet been set.)
A privileged process (one with the
.BR CAP_SYS_ADMIN
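Review bot: style point in the new parenthetical (the lines from `(Note, however, that calls to` through `has not yet been set.)`): the path is set with `.IR /proc/[pid]/gid_map`, but `.IR` is the alternating italic/roman macro, and the page sets a lone path with `.I` (compare `.I /proc/[pid]/setgroups` in the next hunk). Use `.I /proc/[pid]/gid_map` here, and reserve `.IR` for the case where trailing punctuation must be set in roman, as in `.IR /proc/[pid]/gid_map .`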
@ -1232,13 +1237,32 @@ capability in the namespace) may write either of the strings
.RI \(dq allow \(dq
or
.RI \(dq deny \(dq
to this file before writing a group ID mapping
to this file
.I before
writing a group ID mapping
for this user namespace to the file
.IR /proc/[pid]/gid_map .
Writing the string
.RI \(dq deny \(dq
prevents any process in the user namespace from employing
.BR setgroups (2).
In other words, it is permitted to write to
.I /proc/[pid]/setgroups
so long as calling
.BR setgroups (2)
is not allowed because
.I /proc/[pid]gid_map
has not been set.
This ensures that a process cannot transition from a state where
.BR setgroups (2)
is allowed to a state where
.BR setgroups (2)
is denied;
a process can only transition from
.BR setgroups (2)
being disallowed to
.BR setgroups (2)
being allowed.
The default value of this file in the initial user namespace is
.RI \(dq allow \(dq.
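Review bot: typo in the added "In other words" sentence: `.I /proc/[pid]gid_map` is missing the slash before `gid_map` and should read `.I /proc/[pid]/gid_map`, matching `.IR /proc/[pid]/gid_map .` a few lines earlier in this hunk. Separately, that sentence restates the "to this file .I before writing a group ID mapping" rule, not the "Writing the string deny prevents any process ..." sentence it currently follows, so consider moving it together with the "This ensures that a process cannot transition ..." explanation to directly after the `.IR /proc/[pid]/gid_map .` line, so that the rationale for the ordering constraint sits next to the constraint itself.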