mirror of https://github.com/mkerrisk/man-pages
proc.5: Tweaks to /proc/PID/setgroups text
After comments from Eric Biederman

Cowritten-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent f72de267d9
commit a0726dbfdd
28 man5/proc.5
@ -1220,11 +1220,16 @@ if processes in the user namespace that contains the process
|
||||||
.I pid
|
.I pid
|
||||||
are permitted to employ the
|
are permitted to employ the
|
||||||
.BR setgroups (2)
|
.BR setgroups (2)
|
||||||
system call, and
|
system call; it displays
|
||||||
.RI \(dq deny \(dq
|
.RI \(dq deny \(dq
|
||||||
if
|
if
|
||||||
.BR setgroups (2)
|
.BR setgroups (2)
|
||||||
is not permitted in that user namespace.
|
is not permitted in that user namespace.
|
||||||
|
(Note, however, that calls to
|
||||||
|
.BR setgroups (2)
|
||||||
|
are also not permitted if
|
||||||
|
.IR /proc/[pid]/gid_map
|
||||||
|
has not yet been set.)
|
||||||
|
|
||||||
A privileged process (one with the
|
A privileged process (one with the
|
||||||
.BR CAP_SYS_ADMIN
|
.BR CAP_SYS_ADMIN
|
||||||
|
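Review bot: in the added parenthetical, `.IR /proc/[pid]/gid_map` is given a single argument, so `.I /proc/[pid]/gid_map` is the conventional macro here; the `.IR` form is used in this file when a trailing roman argument follows, as in `.IR /proc/[pid]/gid_map .` in the next hunk. Wording-wise, the sentence just before the note ties "allow" and "deny" to whether setgroups(2) is permitted, so consider stating that the gid_map restriction applies regardless of which value the file displays, e.g. "(Note, however, that, whatever this file displays, calls to setgroups(2) are also not permitted if /proc/[pid]/gid_map has not yet been set.)".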
@ -1232,13 +1237,32 @@ capability in the namespace) may write either of the strings
|
||||||
.RI \(dq allow \(dq
|
.RI \(dq allow \(dq
|
||||||
or
|
or
|
||||||
.RI \(dq deny \(dq
|
.RI \(dq deny \(dq
|
||||||
to this file before writing a group ID mapping
|
to this file
|
||||||
|
.I before
|
||||||
|
writing a group ID mapping
|
||||||
for this user namespace to the file
|
for this user namespace to the file
|
||||||
.IR /proc/[pid]/gid_map .
|
.IR /proc/[pid]/gid_map .
|
||||||
Writing the string
|
Writing the string
|
||||||
.RI \(dq deny \(dq
|
.RI \(dq deny \(dq
|
||||||
prevents any process in the user namespace from employing
|
prevents any process in the user namespace from employing
|
||||||
.BR setgroups (2).
|
.BR setgroups (2).
|
||||||
|
In other words, it is permitted to write to
|
||||||
|
.I /proc/[pid]/setgroups
|
||||||
|
so long as calling
|
||||||
|
.BR setgroups (2)
|
||||||
|
is not allowed because
|
||||||
|
.I /proc/[pid]gid_map
|
||||||
|
has not been set.
|
||||||
|
This ensures that a process cannot transition from a state where
|
||||||
|
.BR setgroups (2)
|
||||||
|
is allowed to a state where
|
||||||
|
.BR setgroups (2)
|
||||||
|
is denied;
|
||||||
|
a process can only transition from
|
||||||
|
.BR setgroups (2)
|
||||||
|
being disallowed to
|
||||||
|
.BR setgroups (2)
|
||||||
|
being allowed.
|
||||||
|
|
||||||
The default value of this file in the initial user namespace is
|
The default value of this file in the initial user namespace is
|
||||||
.RI \(dq allow \(dq.
|
.RI \(dq allow \(dq.
|
||||||
|
|
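Review bot: the path in the added "In other words" paragraph is missing a slash: `.I /proc/[pid]gid_map` should read `.I /proc/[pid]/gid_map`, matching `.IR /proc/[pid]/gid_map .` earlier in this hunk. In the same paragraph, "it is permitted to write to /proc/[pid]/setgroups so long as calling setgroups(2) is not allowed because ... has not been set" reads as a sufficient condition, whereas the surrounding text (the value must be written before the GID mapping, and a namespace can only move from setgroups(2) being disallowed to being allowed) describes this as the only window in which the write is accepted; "is permitted only so long as" states that more precisely.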