mirror of https://github.com/mkerrisk/man-pages
mount_namespaces.7: wfix
The correct terminology is "less privileged mount namespace" (not "less privileged user namespace"). Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Michael Kerrisk
parent
a66648bbd1
commit
aa62e72ded
|
|
@ -1087,12 +1087,12 @@ $ \fBls /mnt/dir\fP # Former contents of directory are invisible
|
|||
.in
|
||||
.RE
|
||||
.IP
|
||||
The above steps, performed in a more privileged user namespace,
|
||||
The above steps, performed in a more privileged mount namespace,
|
||||
have created a (read-only) bind mount that
|
||||
obscures the contents of the directory
|
||||
.IR /mnt/dir .
|
||||
For security reasons, it should not be possible to unmount
|
||||
that mount in a less privileged user namespace,
|
||||
that mount in a less privileged mount namespace,
|
||||
since that would reveal the contents of the directory
|
||||
.IR /mnt/dir .
|
||||
.IP
|
||||
|
|
@ -1101,7 +1101,7 @@ owned by a (new) subordinate user namespace.
|
|||
The new mount namespace will inherit copies of all of the mounts
|
||||
from the previous mount namespace.
|
||||
However, those mounts will be locked because the new mount namespace
|
||||
is owned by a less privileged user namespace.
|
||||
is owned by a less privileged mount namespace.
|
||||
Consequently, an attempt to unmount the mount fails:
|
||||
.IP
|
||||
.RS
|
||||
|
|
@ -1129,9 +1129,8 @@ which is the error that the kernel returns to indicate that
|
|||
the mount is locked.
|
||||
.IP *
|
||||
Following on from the previous point,
|
||||
note that it is possible to unmount an entire
|
||||
tree of mounts that propagated as a unit into a mount namespace
|
||||
that is owned by a less privileged user namespace,
|
||||
note that it is possible to unmount an entire tree of mounts that
|
||||
propagated as a unit into a less privileged mount namespace,
|
||||
as illustrated in the following example.
|
||||
.IP
|
||||
First, we create new user and mount namespaces using
|
||||
|
|
@ -1161,8 +1160,8 @@ ns1# \fBgrep /mnt /proc/self/mountinfo | sed \(aqs/ \- .*//\(aq\fP
|
|||
.in
|
||||
.IP
|
||||
Continuing in the same shell session,
|
||||
we then create a second shell in a new mount namespace and a new subordinate
|
||||
(and thus less privileged) user namespace and
|
||||
we then create a second shell in a new user namespace and a new
|
||||
(less privileged) mount namespace and
|
||||
check the state of the propagated mount points rooted at
|
||||
.IR /mnt .
|
||||
.IP
|
||||
|
|
|
|||
Loading…
Reference in New Issue