mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: srcfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
54ead6d395
commit
d45d012859
|
@ -53,18 +53,18 @@ of the process that creates the user namespace via a call to
|
|||
.BR unshare (2)
|
||||
or
|
||||
.BR clone (2)
|
||||
with the
|
||||
with the
|
||||
.BR CLONE_NEWUSER
|
||||
flag.
|
||||
|
||||
The first process in a user namespace starts out with a complete set
|
||||
of capabilities with respect to the new user namespace.
|
||||
of capabilities with respect to the new user namespace.
|
||||
On the other hand, that process has no capabilities in the outside
|
||||
that user namespace.
|
||||
Even if the new namespace is created by the root
|
||||
user, the initial process will have no capabilities outside the
|
||||
new user namespace.
|
||||
(However, that process will be able to access resources such as
|
||||
(However, that process will be able to access resources such as
|
||||
files that are owned by user ID 0,
|
||||
and will be able to do things such as sending signals
|
||||
to processes belonging to user ID 0.)
|
||||
|
@ -73,7 +73,7 @@ When a user namespace is created,
|
|||
it starts out without a mapping of user IDs (group IDs)
|
||||
to the parent user namespace.
|
||||
The desired mapping of user IDs (group IDs) to the parent user namespace
|
||||
may be set by writing into
|
||||
may be set by writing into
|
||||
.IR /proc/[pid]/uid_map
|
||||
.RI ( /proc/[pid]/gid_map );
|
||||
see below.
|
||||
|
@ -145,7 +145,7 @@ namespaces created by the call.
|
|||
Thus, it is possible for an unprivileged caller to specify this combination
|
||||
of flags.
|
||||
|
||||
When a new IPC, mount, network, PID, or UTS namespace is created via
|
||||
When a new IPC, mount, network, PID, or UTS namespace is created via
|
||||
.BR clone (2)
|
||||
or
|
||||
.BR unshare (2),
|
||||
|
@ -177,14 +177,14 @@ user ID of the creating process as being the "owner" of the namespace
|
|||
(and likewise associates the effective group ID of the creating process
|
||||
with the namespace).
|
||||
.IP
|
||||
A process whose effective user ID matches that of the
|
||||
A process whose effective user ID matches that of the
|
||||
owner of a user namespace and which is a member of the parent namespace
|
||||
has all capabilities in the user namespace.
|
||||
By virtue of the first rule,
|
||||
this means that the process has all capabilities in all
|
||||
further removed descendant user namespaces as well.
|
||||
.\" As a rough approximation, this means that
|
||||
.\" the user who creates a user namespace
|
||||
.\" the user who creates a user namespace
|
||||
.\" has all capabilities inside that namespace and its descendants.
|
||||
.\"
|
||||
.\" ============================================================
|
||||
|
@ -229,7 +229,7 @@ user IDs between two user namespaces.
|
|||
(When a user namespace is first created, this file is empty.)
|
||||
The specification in each line takes the form of
|
||||
three numbers delimited by white space.
|
||||
The first two numbers specify the starting user ID in
|
||||
The first two numbers specify the starting user ID in
|
||||
each user namespace.
|
||||
The third number specifies the length of the mapped range.
|
||||
In detail, the fields are interpreted as follows:
|
||||
|
@ -275,7 +275,7 @@ After the creation of a new user namespace, the
|
|||
.I uid_map
|
||||
file of
|
||||
.I one
|
||||
of the process in the namespace may be written to
|
||||
of the process in the namespace may be written to
|
||||
.I once
|
||||
to define the mapping of user IDs in the new user namespace.
|
||||
(An attempt to write more than once to a
|
||||
|
@ -307,7 +307,7 @@ can't be used to write to nonzero offsets in the file).
|
|||
.IP *
|
||||
The range of user IDs specified in each line cannot overlap with the ranges
|
||||
in any other lines.
|
||||
In the current implementation (Linux 3.8), this requirement is
|
||||
In the current implementation (Linux 3.8), this requirement is
|
||||
satisfied by a simplistic implementation that imposes the further
|
||||
requirement that
|
||||
the values in both field 1 and field 2 of successive lines must be
|
||||
|
@ -374,7 +374,7 @@ but the process's effective user (group) ID is left unchanged.
|
|||
(This mirrors the semantics of executing a set-user-ID or set-group-ID
|
||||
program that resides on a file system that was mounted with the
|
||||
.BR MS_NOSUID
|
||||
flag (see
|
||||
flag (see
|
||||
.BR mount (2).)
|
||||
.SH CONFORMING TO
|
||||
Namespaces are a Linux-specific feature.
|
||||
|
|
Loading…
Reference in New Issue