mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Some tweaks to Eric Biederman's patch
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent
0c9abe8b8c
commit
f2d61dbbaa
|
@ -539,10 +539,14 @@ in the user namespace.
|
||||||
The writing process must have the same effective user ID as the process
|
The writing process must have the same effective user ID as the process
|
||||||
that created the user namespace.
|
that created the user namespace.
|
||||||
In the case of
|
In the case of
|
||||||
.I gid_map
|
.IR gid_map ,
|
||||||
the
|
the
|
||||||
.I setgroups
|
.I /proc/[pid]/setgroups
|
||||||
file must have been written to earlier and disabled the setgroups system call.
|
file (see
|
||||||
|
.BR proc (5))
|
||||||
|
must have been written to earlier and disabled the
|
||||||
|
.BR setgroups (2)
|
||||||
|
system call.
|
||||||
.IP * 3
|
.IP * 3
|
||||||
The writing process has the
|
The writing process has the
|
||||||
.BR CAP_SETUID
|
.BR CAP_SETUID
|
||||||
|
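Review bot: The rewritten condition for gid_map ("the /proc/[pid]/setgroups file ... must have been written to earlier and disabled the setgroups(2) system call") still does not say what has to be written; the second hunk of this same patch states that it is the string "deny" that disables setgroups(2), so spell it out here as well, e.g. `.I /proc/[pid]/setgroups` / `file must have had the string \(dqdeny\(dq written to it earlier (see`, so that a reader of this rule does not have to find the value in the next section. The `.I gid_map` to `.IR gid_map ,` change is correct: it keeps the trailing comma in roman and avoids the stray space that `.I gid_map ,` would render.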
@ -557,47 +561,54 @@ Writes that violate the above rules fail with the error
|
||||||
.\"
|
.\"
|
||||||
.\" ============================================================
|
.\" ============================================================
|
||||||
.\"
|
.\"
|
||||||
.SS Interaction with system calls that change the uid or gid values
|
.SS Interaction with system calls that change process UIDs or GIDs
|
||||||
When in a user namespace where the
|
In a user namespace where the
|
||||||
.I uid_map
|
.I uid_map
|
||||||
or
|
file has not been written, the system calls that change user IDs will fail.
|
||||||
|
Similarly, if the
|
||||||
.I gid_map
|
.I gid_map
|
||||||
file has not been written the system calls that change user IDs
|
file has not been written, the system calls that change group IDs will fail.
|
||||||
or group IDs respectively will fail. After the
|
After the
|
||||||
.I uid_map
|
.I uid_map
|
||||||
and
|
and
|
||||||
.I gid_map
|
.I gid_map
|
||||||
file have been written only the mapped values may be used in
|
files have been written, only the mapped values may be used in
|
||||||
system calls that change user IDs and group IDs.
|
system calls that change user and group IDs.
|
||||||
|
|
||||||
For user IDs these system calls include
|
For user IDs, the relevant system calls include
|
||||||
.BR setuid ,
|
.BR setuid (2),
|
||||||
.BR setfsuid ,
|
.BR setfsuid (2),
|
||||||
.BR setreuid ,
|
.BR setreuid (2),
|
||||||
and
|
and
|
||||||
.BR setresuid .
|
.BR setresuid (2).
|
||||||
|
For group IDs, the relevant system calls include
|
||||||
For group IDs these system calls include
|
.BR setgid (2),
|
||||||
.BR setgid ,
|
.BR setfsgid (2),
|
||||||
.BR setfsgid ,
|
.BR setregid (2),
|
||||||
.BR setregid ,
|
.BR setresgid (2),
|
||||||
.BR setresgid ,
|
|
||||||
and
|
and
|
||||||
.BR setgroups.
|
.BR setgroups (2).
|
||||||
|
|
||||||
Writing
|
Writing
|
||||||
.BR deny
|
.RI \(dq deny \(dq
|
||||||
to the
|
to the
|
||||||
.I /proc/[pid]/setgroups
|
.I /proc/[pid]/setgroups
|
||||||
file before writing to
|
file before writing to
|
||||||
.I /proc/[pid]/gid_map
|
.I /proc/[pid]/gid_map
|
||||||
will permanently disable the setgroups system call in a user namespace
|
.\" Things changed in Linux 3.19
|
||||||
and allow writing to
|
.\" commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
|
||||||
|
.\" commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
|
||||||
|
.\" http://lwn.net/Articles/626665/
|
||||||
|
will permanently disable
|
||||||
|
.BR setgroups (2)
|
||||||
|
in a user namespace and allow writing to
|
||||||
.I /proc/[pid]/gid_map
|
.I /proc/[pid]/gid_map
|
||||||
without
|
without having the
|
||||||
.BR CAP_SETGID
|
.BR CAP_SETGID
|
||||||
in the parent user namespace.
|
capability in the parent user namespace.
|
||||||
|
.\"
|
||||||
|
.\" ============================================================
|
||||||
|
.\"
|
||||||
.SS Unmapped user and group IDs
|
.SS Unmapped user and group IDs
|
||||||
.PP
|
.PP
|
||||||
There are various places where an unmapped user ID (group ID)
|
There are various places where an unmapped user ID (group ID)
|
||||||
|
|
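Review bot: The kernel version at which this behaviour appeared is recorded only in the new `.\"` comments (`.\" Things changed in Linux 3.19`, the two commit ids and the LWN link) and never reaches the rendered text, so a reader of the page cannot tell that writing "deny" to /proc/[pid]/setgroups before /proc/[pid]/gid_map only disables setgroups(2) on that kernel or later; add a short "(since Linux 3.19)" to the "will permanently disable setgroups(2)" sentence, or a VERSIONS entry that cites it. Minor: the new `.RI \(dq deny \(dq` renders the word in italics between roman quotes, whereas the first hunk uses `.I` for file names and `.BR name (2)` for calls; if "deny" is meant as a literal string written to the file, plain quoted roman (`\(dqdeny\(dq`) or bold is the usual choice, so pick one and keep it consistent with the rest of the page.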