mirror of https://github.com/mkerrisk/man-pages
proc.5, user_namespaces.7: Migrate description of /proc/PID/setgroups to user_namespaces(7)
It makes sense to have the description of this file in the general discussion of user namespaces.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent 4e2683f9a3
commit ab28dba9a0
87 man5/proc.5
@ -1208,91 +1208,8 @@ are not available if the main thread has already terminated
|
||||||
.\" CONFIG_SCHEDSTATS
|
.\" CONFIG_SCHEDSTATS
|
||||||
.TP
|
.TP
|
||||||
.IR /proc/[pid]/setgroups " (since Linux 3.19)"
|
.IR /proc/[pid]/setgroups " (since Linux 3.19)"
|
||||||
.\"
|
See
|
||||||
.\" commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
|
.BR user_namespaces (7).
|
||||||
.\" commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
|
|
||||||
.\" http://lwn.net/Articles/626665/
|
|
||||||
.\" http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8989
|
|
||||||
.\"
|
|
||||||
This file displays the string
|
|
||||||
.RI \(dq allow \(dq
|
|
||||||
if processes in the user namespace that contains the process
|
|
||||||
.I pid
|
|
||||||
are permitted to employ the
|
|
||||||
.BR setgroups (2)
|
|
||||||
system call; it displays
|
|
||||||
.RI \(dq deny \(dq
|
|
||||||
if
|
|
||||||
.BR setgroups (2)
|
|
||||||
is not permitted in that user namespace.
|
|
||||||
(Note, however, that calls to
|
|
||||||
.BR setgroups (2)
|
|
||||||
are also not permitted if
|
|
||||||
.IR /proc/[pid]/gid_map
|
|
||||||
has not yet been set.)
|
|
||||||
|
|
||||||
A privileged process (one with the
|
|
||||||
.BR CAP_SYS_ADMIN
|
|
||||||
capability in the namespace) may write either of the strings
|
|
||||||
.RI \(dq allow \(dq
|
|
||||||
or
|
|
||||||
.RI \(dq deny \(dq
|
|
||||||
to this file
|
|
||||||
.I before
|
|
||||||
writing a group ID mapping
|
|
||||||
for this user namespace to the file
|
|
||||||
.IR /proc/[pid]/gid_map .
|
|
||||||
Writing the string
|
|
||||||
.RI \(dq deny \(dq
|
|
||||||
prevents any process in the user namespace from employing
|
|
||||||
.BR setgroups (2).
|
|
||||||
In other words, it is permitted to write to
|
|
||||||
.I /proc/[pid]/setgroups
|
|
||||||
so long as calling
|
|
||||||
.BR setgroups (2)
|
|
||||||
is not allowed because
|
|
||||||
.I /proc/[pid]gid_map
|
|
||||||
has not been set.
|
|
||||||
This ensures that a process cannot transition from a state where
|
|
||||||
.BR setgroups (2)
|
|
||||||
is allowed to a state where
|
|
||||||
.BR setgroups (2)
|
|
||||||
is denied;
|
|
||||||
a process can only transition from
|
|
||||||
.BR setgroups (2)
|
|
||||||
being disallowed to
|
|
||||||
.BR setgroups (2)
|
|
||||||
being allowed.
|
|
||||||
|
|
||||||
The default value of this file in the initial user namespace is
|
|
||||||
.RI \(dq allow \(dq.
|
|
||||||
|
|
||||||
Once
|
|
||||||
.IR /proc/[pid]/gid_map
|
|
||||||
has been written to
|
|
||||||
(which has the effect of enabling
|
|
||||||
.BR setgroups (2)
|
|
||||||
in the user namespace),
|
|
||||||
it is no longer possible to deny
|
|
||||||
.BR setgroups (2)
|
|
||||||
by writing to
|
|
||||||
.IR /proc/[pid]/setgroups .
|
|
||||||
|
|
||||||
A child user namespace inherits the
|
|
||||||
.IR /proc/[pid]/gid_map
|
|
||||||
setting from its parent.
|
|
||||||
|
|
||||||
If the
|
|
||||||
.I setgroups
|
|
||||||
file has the value
|
|
||||||
.RI \(dq deny \(dq,
|
|
||||||
then the
|
|
||||||
.BR setgroups (2)
|
|
||||||
system call can't subsequently be reenabled (by writing
|
|
||||||
.RI \(dq allow \(dq
|
|
||||||
to the file) in this user namespace.
|
|
||||||
This restriction also propagates down to all child user namespaces of
|
|
||||||
this user namespace.
|
|
||||||
.TP
|
.TP
|
||||||
.IR /proc/[pid]/smaps " (since Linux 2.6.14)"
|
.IR /proc/[pid]/smaps " (since Linux 2.6.14)"
|
||||||
This file shows memory consumption for each of the process's mappings.
|
This file shows memory consumption for each of the process's mappings.
|
||||||
|
|
|
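Review bot: with the entry reduced to a bare cross-reference, proc(5) no longer says what /proc/[pid]/setgroups is for; a one-line summary ahead of the `See` / `.BR user_namespaces (7).` lines (that the file reports, and lets a privileged process set, whether setgroups(2) is permitted in the user namespace of process `pid`, with the values "allow" and "deny") would let a reader scanning proc(5) decide whether to follow the reference. The `.\" commit ...` and CVE-2014-8989 source comments deleted here do reappear in the user_namespaces.7 hunk below, so no provenance is lost.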
@ -542,9 +542,7 @@ In the case of
|
||||||
.IR gid_map ,
|
.IR gid_map ,
|
||||||
the
|
the
|
||||||
.I /proc/[pid]/setgroups
|
.I /proc/[pid]/setgroups
|
||||||
file (see
|
file (see below) must have been written to earlier and disabled the
|
||||||
.BR proc (5))
|
|
||||||
must have been written to earlier and disabled the
|
|
||||||
.BR setgroups (2)
|
.BR setgroups (2)
|
||||||
system call.
|
system call.
|
||||||
.IP * 3
|
.IP * 3
|
||||||
|
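Review bot: "file (see below)" is a positional reference that goes stale if the subsections are ever reordered; naming the target, e.g. `file (see the subsection on the /proc/[pid]/setgroups file below)`, is more robust and tells the reader where to jump without scanning the rest of the page.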
@ -609,6 +607,97 @@ capability in the parent user namespace.
|
||||||
.\"
|
.\"
|
||||||
.\" ============================================================
|
.\" ============================================================
|
||||||
.\"
|
.\"
|
||||||
|
.SS The /proc/[pid]/setgroups file
|
||||||
|
.\"
|
||||||
|
.\" commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
|
||||||
|
.\" commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
|
||||||
|
.\" http://lwn.net/Articles/626665/
|
||||||
|
.\" http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8989
|
||||||
|
.\"
|
||||||
|
The
|
||||||
|
.I /proc/[pid]/setgroups
|
||||||
|
file displays the string
|
||||||
|
.RI \(dq allow \(dq
|
||||||
|
if processes in the user namespace that contains the process
|
||||||
|
.I pid
|
||||||
|
are permitted to employ the
|
||||||
|
.BR setgroups (2)
|
||||||
|
system call; it displays
|
||||||
|
.RI \(dq deny \(dq
|
||||||
|
if
|
||||||
|
.BR setgroups (2)
|
||||||
|
is not permitted in that user namespace.
|
||||||
|
(Note, however, that calls to
|
||||||
|
.BR setgroups (2)
|
||||||
|
are also not permitted if
|
||||||
|
.IR /proc/[pid]/gid_map
|
||||||
|
has not yet been set.)
|
||||||
|
|
||||||
|
A privileged process (one with the
|
||||||
|
.BR CAP_SYS_ADMIN
|
||||||
|
capability in the namespace) may write either of the strings
|
||||||
|
.RI \(dq allow \(dq
|
||||||
|
or
|
||||||
|
.RI \(dq deny \(dq
|
||||||
|
to this file
|
||||||
|
.I before
|
||||||
|
writing a group ID mapping
|
||||||
|
for this user namespace to the file
|
||||||
|
.IR /proc/[pid]/gid_map .
|
||||||
|
Writing the string
|
||||||
|
.RI \(dq deny \(dq
|
||||||
|
prevents any process in the user namespace from employing
|
||||||
|
.BR setgroups (2).
|
||||||
|
In other words, it is permitted to write to
|
||||||
|
.I /proc/[pid]/setgroups
|
||||||
|
so long as calling
|
||||||
|
.BR setgroups (2)
|
||||||
|
is not allowed because
|
||||||
|
.I /proc/[pid]gid_map
|
||||||
|
has not been set.
|
||||||
|
This ensures that a process cannot transition from a state where
|
||||||
|
.BR setgroups (2)
|
||||||
|
is allowed to a state where
|
||||||
|
.BR setgroups (2)
|
||||||
|
is denied;
|
||||||
|
a process can only transition from
|
||||||
|
.BR setgroups (2)
|
||||||
|
being disallowed to
|
||||||
|
.BR setgroups (2)
|
||||||
|
being allowed.
|
||||||
|
|
||||||
|
The default value of this file in the initial user namespace is
|
||||||
|
.RI \(dq allow \(dq.
|
||||||
|
|
||||||
|
Once
|
||||||
|
.IR /proc/[pid]/gid_map
|
||||||
|
has been written to
|
||||||
|
(which has the effect of enabling
|
||||||
|
.BR setgroups (2)
|
||||||
|
in the user namespace),
|
||||||
|
it is no longer possible to deny
|
||||||
|
.BR setgroups (2)
|
||||||
|
by writing to
|
||||||
|
.IR /proc/[pid]/setgroups .
|
||||||
|
|
||||||
|
A child user namespace inherits the
|
||||||
|
.IR /proc/[pid]/gid_map
|
||||||
|
setting from its parent.
|
||||||
|
|
||||||
|
If the
|
||||||
|
.I setgroups
|
||||||
|
file has the value
|
||||||
|
.RI \(dq deny \(dq,
|
||||||
|
then the
|
||||||
|
.BR setgroups (2)
|
||||||
|
system call can't subsequently be reenabled (by writing
|
||||||
|
.RI \(dq allow \(dq
|
||||||
|
to the file) in this user namespace.
|
||||||
|
This restriction also propagates down to all child user namespaces of
|
||||||
|
this user namespace.
|
||||||
|
.\"
|
||||||
|
.\" ============================================================
|
||||||
|
.\"
|
||||||
.SS Unmapped user and group IDs
|
.SS Unmapped user and group IDs
|
||||||
.PP
|
.PP
|
||||||
There are various places where an unmapped user ID (group ID)
|
There are various places where an unmapped user ID (group ID)
|
||||||
|
|
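Review bot: the lines `A child user namespace inherits the` / `.IR /proc/[pid]/gid_map` / `setting from its parent.` name the wrong file: a GID mapping is written separately for each user namespace (as the paragraph on writing `/proc/[pid]/gid_map` for "this user namespace" says), whereas what a child inherits is the parent's setgroups setting, which is also what the next paragraph describes when it says a "deny" value propagates to all child user namespaces; suggest `.IR /proc/[pid]/setgroups` there. Two smaller points in the same hunk: `.I /proc/[pid]gid_map` (carried over from the proc.5 text) is missing the slash and should be `.I /proc/[pid]/gid_map`; and "can't subsequently be reenabled" would read better as "cannot subsequently be re-enabled".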