mirror of https://github.com/mkerrisk/man-pages
proc.5: Add some details on /proc/PID/setgroups
And generally rework the text.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent
c06e4b9664
commit
de04dd4df3
61
man5/proc.5
@ -1208,24 +1208,61 @@ are not available if the main thread has already terminated
|
||||||
.\" CONFIG_SCHEDSTATS
|
.\" CONFIG_SCHEDSTATS
|
||||||
.TP
|
.TP
|
||||||
.IR /proc/[pid]/setgroups " (since Linux 3.19)"
|
.IR /proc/[pid]/setgroups " (since Linux 3.19)"
|
||||||
This file reports
|
.\"
|
||||||
.BR allow
|
.\" commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
|
||||||
|
.\" commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
|
||||||
|
.\" http://lwn.net/Articles/626665/
|
||||||
|
.\" http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8989
|
||||||
|
.\"
|
||||||
|
This file displays the string
|
||||||
|
.RI \(dq allow \(dq
|
||||||
if the
|
if the
|
||||||
.BR setgroups (2)
|
.BR setgroups (2)
|
||||||
system call is permitted in the current user namespace, and
|
system call is permitted in the process's user namespace, and
|
||||||
.BR deny
|
.RI \(dq deny \(dq
|
||||||
if
|
if
|
||||||
.BR setgroups (2)
|
.BR setgroups (2)
|
||||||
is not permitted.
|
is not permitted.
|
||||||
Either of the strings
|
A privileged process (one with the
|
||||||
.BR allow
|
.BR CAP_SYS_ADMIN
|
||||||
and
|
capability in the namespace)
|
||||||
.BR deny
|
.\" Should it be "parent namespace" in the line above?
|
||||||
may be written to this file before
|
may write either of the strings
|
||||||
|
.RI \(dq allow \(dq
|
||||||
|
or
|
||||||
|
.RI \(dq deny \(dq
|
||||||
|
to this file before writing a group ID mapping
|
||||||
|
for this user namespace to the file
|
||||||
|
.IR /proc/[pid]/gid_map .
|
||||||
|
The default value of this file in the initial user namesapce is
|
||||||
|
.RI " allow ".
|
||||||
|
|
||||||
|
Once
|
||||||
.IR /proc/[pid]/gid_map
|
.IR /proc/[pid]/gid_map
|
||||||
is written to (enabling
|
has been written to
|
||||||
.BR setgroups (2))
|
(which has the effect of enabling
|
||||||
in a user namespace.
|
.BR setgroups (2)
|
||||||
|
in the user namespace),
|
||||||
|
it is no longer possible to deny
|
||||||
|
.BR setgroups (2)
|
||||||
|
by writing to
|
||||||
|
.IR /proc/[pid]/setgroups .
|
||||||
|
|
||||||
|
A child user namespace inherits the
|
||||||
|
.IR /proc/[pid]/gid_map
|
||||||
|
setting from its parent.
|
||||||
|
|
||||||
|
If the
|
||||||
|
.I setgroups
|
||||||
|
file has the value
|
||||||
|
.IR \(dq deny \(dq,
|
||||||
|
then the
|
||||||
|
.BR setgroups (2)
|
||||||
|
system call can't subsequently be reenabled (by writing
|
||||||
|
.RI \(dq allow \(dq
|
||||||
|
to the file) in this user namespace.
|
||||||
|
This restriction also propagates down to all child user namespaces of
|
||||||
|
this user namespace.
|
||||||
.TP
|
.TP
|
||||||
.IR /proc/[pid]/smaps " (since Linux 2.6.14)"
|
.IR /proc/[pid]/smaps " (since Linux 2.6.14)"
|
||||||
This file shows memory consumption for each of the process's mappings.
|
This file shows memory consumption for each of the process's mappings.
|
||||||
|
|
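Review bot: the new sentence "A child user namespace inherits the .IR /proc/[pid]/gid_map setting from its parent." names the wrong file: the inherited setting this paragraph is describing is the setgroups flag, while the preceding lines present gid_map as the per-namespace group ID mapping that gets written for "this user namespace", so this line should read `.IR /proc/[pid]/setgroups` to match the "restriction also propagates down to all child user namespaces" sentence at the end of the hunk. Three smaller points in the added text: "namesapce" in "The default value of this file in the initial user namesapce is" is a typo; the following line `.RI " allow ".` renders the word with literal spaces rather than the quotation marks produced by the `.RI \(dq allow \(dq` form used everywhere else in the paragraph, so it should use the same form; and the open question left in `.\" Should it be "parent namespace" in the line above?` should be settled (the CAP_SYS_ADMIN line is the security-relevant statement of who may flip the switch) rather than shipped as a source comment. Finally, the source comments cite commit 9cc46516ddf4, LWN 626665 and CVE-2014-8989 as the reason this file exists, but none of that rationale reaches the rendered text; a one-sentence cross-reference to user_namespaces(7) explaining why denying setgroups(2) is made irreversible would help readers understand the "can't subsequently be reenabled" rule.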