mirror of https://github.com/mkerrisk/man-pages
mount_namespaces.7: wfix
The correct terminology is "less privileged mount namespace" (not "less privileged user namespace").

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
a66648bbd1
commit
aa62e72ded
|
@ -1087,12 +1087,12 @@ $ \fBls /mnt/dir\fP # Former contents of directory are invisible
|
||||||
.in
|
.in
|
||||||
.RE
|
.RE
|
||||||
.IP
|
.IP
|
||||||
The above steps, performed in a more privileged user namespace,
|
The above steps, performed in a more privileged mount namespace,
|
||||||
have created a (read-only) bind mount that
|
have created a (read-only) bind mount that
|
||||||
obscures the contents of the directory
|
obscures the contents of the directory
|
||||||
.IR /mnt/dir .
|
.IR /mnt/dir .
|
||||||
For security reasons, it should not be possible to unmount
|
For security reasons, it should not be possible to unmount
|
||||||
that mount in a less privileged user namespace,
|
that mount in a less privileged mount namespace,
|
||||||
since that would reveal the contents of the directory
|
since that would reveal the contents of the directory
|
||||||
.IR /mnt/dir .
|
.IR /mnt/dir .
|
||||||
.IP
|
.IP
|
||||||
|
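Review bot: in "performed in a more privileged mount namespace" and "that mount in a less privileged mount namespace", nothing in these lines says what makes one mount namespace less privileged than another, which is decided by the user namespace that owns it. If the term is defined earlier in the page, a short back-reference at its first use here would keep the security rationale (the read-only bind mount obscuring /mnt/dir must not be removable from the less privileged side) readable on its own.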
@ -1101,7 +1101,7 @@ owned by a (new) subordinate user namespace.
|
||||||
The new mount namespace will inherit copies of all of the mounts
|
The new mount namespace will inherit copies of all of the mounts
|
||||||
from the previous mount namespace.
|
from the previous mount namespace.
|
||||||
However, those mounts will be locked because the new mount namespace
|
However, those mounts will be locked because the new mount namespace
|
||||||
is owned by a less privileged user namespace.
|
is owned by a less privileged mount namespace.
|
||||||
Consequently, an attempt to unmount the mount fails:
|
Consequently, an attempt to unmount the mount fails:
|
||||||
.IP
|
.IP
|
||||||
.RS
|
.RS
|
||||||
|
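Review bot: the substitution in "is owned by a less privileged mount namespace." produces an incorrect statement, because a mount namespace is owned by a user namespace, as the hunk header's own context says ("owned by a (new) subordinate user namespace"), not by another mount namespace. Either keep "user namespace" in this sentence, since ownership is what it describes, or reword it to something like "because the new mount namespace is less privileged."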
@ -1129,9 +1129,8 @@ which is the error that the kernel returns to indicate that
|
||||||
the mount is locked.
|
the mount is locked.
|
||||||
.IP *
|
.IP *
|
||||||
Following on from the previous point,
|
Following on from the previous point,
|
||||||
note that it is possible to unmount an entire
|
note that it is possible to unmount an entire tree of mounts that
|
||||||
tree of mounts that propagated as a unit into a mount namespace
|
propagated as a unit into a less privileged mount namespace,
|
||||||
that is owned by a less privileged user namespace,
|
|
||||||
as illustrated in the following example.
|
as illustrated in the following example.
|
||||||
.IP
|
.IP
|
||||||
First, we create new user and mount namespaces using
|
First, we create new user and mount namespaces using
|
||||||
|
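Review bot: the new line "note that it is possible to unmount an entire tree of mounts that" breaks in the middle of a clause, and the reflow across three lines makes the one-phrase wording change harder to see in the diff. Breaking at the clause boundary instead ("note that it is possible to unmount an entire tree of mounts" followed by "that propagated as a unit into a less privileged mount namespace,") keeps the source lines aligned with the sentence structure and confines the change to the wording that actually differs.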
@ -1161,8 +1160,8 @@ ns1# \fBgrep /mnt /proc/self/mountinfo | sed \(aqs/ \- .*//\(aq\fP
|
||||||
.in
|
.in
|
||||||
.IP
|
.IP
|
||||||
Continuing in the same shell session,
|
Continuing in the same shell session,
|
||||||
we then create a second shell in a new mount namespace and a new subordinate
|
we then create a second shell in a new user namespace and a new
|
||||||
(and thus less privileged) user namespace and
|
(less privileged) mount namespace and
|
||||||
check the state of the propagated mount points rooted at
|
check the state of the propagated mount points rooted at
|
||||||
.IR /mnt .
|
.IR /mnt .
|
||||||
.IP
|
.IP
|
||||||
|
|
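Review bot: the new wording "in a new user namespace and a new" / "(less privileged) mount namespace and" drops both "subordinate" and "and thus", so the sentence no longer says why the second shell's mount namespace is less privileged. Keeping "subordinate" on the user namespace, for example "in a new subordinate user namespace and a new (and thus less privileged) mount namespace", would apply the terminology fix without losing that explanation.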