From a2b1485b5fc783f09e54eb7fee2effa8e16189bc Mon Sep 17 00:00:00 2001
From: Stephan Bergmann
Date: Wed, 3 May 2017 19:14:29 +0200
Subject: [PATCH] user_namespaces.7: Fixes to example

While toying around with the userns_child_exec example program on the user_namespaces(7) man page, I noticed two things:
* In the EXAMPLE section, we need to mount the new /proc before looking at /proc/$$/status, otherwise the latter will print information about the outer namespace's PID 1 (i.e., the real init). So the two paragraphs need to be swapped.
* In the program source, make sure to close pipe_fd[0] in the child before exec'ing.
Signed-off-by: Michael Kerrisk
---
 man7/user_namespaces.7 | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index a7a892409..0ee46457f 100644
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -970,22 +970,6 @@ bash$ \fBecho $$\fP
 1
 .fi
 .in
-
-Inside the user namespace, the shell has user and group ID 0,
-and a full set of permitted and effective capabilities:
-
-.in +4n
-.nf
-bash$ \fBcat /proc/$$/status | egrep '^[UG]id'\fP
-Uid: 0 0 0 0
-Gid: 0 0 0 0
-bash$ \fBcat /proc/$$/status | egrep '^Cap(Prm|Inh|Eff)'\fP
-CapInh: 0000000000000000
-CapPrm: 0000001fffffffff
-CapEff: 0000001fffffffff
-.fi
-.in
-
 Mounting a new
 .I /proc
 filesystem and listing all of the processes visible
@@ -1001,6 +985,21 @@ bash$ \fBps ax\fP
 22 pts/3 R+ 0:00 ps ax
 .fi
 .in
+
+Inside the user namespace, the shell has user and group ID 0,
+and a full set of permitted and effective capabilities:
+
+.in +4n
+.nf
+bash$ \fBcat /proc/$$/status | egrep '^[UG]id'\fP
+Uid: 0 0 0 0
+Gid: 0 0 0 0
+bash$ \fBcat /proc/$$/status | egrep '^Cap(Prm|Inh|Eff)'\fP
+CapInh: 0000000000000000
+CapPrm: 0000001fffffffff
+CapEff: 0000001fffffffff
+.fi
+.in
 .SS Program source
 \&
 .nf
@@ -1178,6 +1177,8 @@ childFunc(void *arg)
 exit(EXIT_FAILURE);
 }
 
+ close(args\->pipe_fd[0]);
+
 /* Execute a shell command */
 
 printf("About to exec %s\\n", args\->argv[0]);
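Review bot: The added `close(args->pipe_fd[0]);` carries no comment, so a reader of the listing cannot tell whether the close is housekeeping or a requirement before the exec that follows; the commit message is the only place that explains it. Presumably pipe_fd[0] is the read end the child waited on for EOF while the parent wrote the ID mappings (that read is outside the hunk), and the point of closing it here is that the descriptor would otherwise be inherited by the exec'd program; I would put `/* Close the read end too, so the exec'd program does not inherit a leftover pipe descriptor */` above the call. Descriptor leakage across exec is exactly what O_CLOEXEC (pipe2(2) on Linux) prevents for both ends at creation time, which would make this manual close unnecessary and harder to forget, and is worth a sentence in the listing's commentary even if the example keeps the explicit close. childFunc begins before this hunk and continues past it.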