user_namespaces.7: Some tweaks to Eric Biederman's patch

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2015-02-02 15:03:52 +01:00
parent 0c9abe8b8c
commit f2d61dbbaa
1 changed files with 39 additions and 28 deletions


@ -539,10 +539,14 @@ in the user namespace.
The writing process must have the same effective user ID as the process The writing process must have the same effective user ID as the process
that created the user namespace. that created the user namespace.
In the case of In the case of
.I gid_map .IR gid_map ,
the the
.I setgroups .I /proc/[pid]/setgroups
file must have been written to earlier and disabled the setgroups system call. file (see
.BR proc (5))
must have been written to earlier and disabled the
.BR setgroups (2)
system call.
.IP * 3 .IP * 3
The writing process has the The writing process has the
.BR CAP_SETUID .BR CAP_SETUID
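Review bot: the gid_map condition in this hunk ("the /proc/[pid]/setgroups file (see proc(5)) must have been written to earlier and disabled the setgroups(2) system call") should say what has to have been written, not just that a write happened; the later paragraph in this same patch describes the mechanism as writing the string "deny", so this bullet should match it, e.g. "the /proc/[pid]/setgroups file must previously have been written with the value \"deny\" (see below)". As written, "written to earlier and disabled" reads as two separate events and leaves a reader guessing which value produces the disable. It would also help to state explicitly that this bullet is the alternative to holding CAP_SETGID in the parent namespace (the capability bullet that follows), since that is the whole point of the deny-before-gid_map ordering.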
@ -557,47 +561,54 @@ Writes that violate the above rules fail with the error
.\" .\"
.\" ============================================================ .\" ============================================================
.\" .\"
.SS Interaction with system calls that change the uid or gid values .SS Interaction with system calls that change process UIDs or GIDs
When in a user namespace where the In a user namespace where the
.I uid_map .I uid_map
or file has not been written, the system calls that change user IDs will fail.
Similarly, if the
.I gid_map .I gid_map
file has not been written the system calls that change user IDs file has not been written, the system calls that change group IDs will fail.
or group IDs respectively will fail. After the After the
.I uid_map .I uid_map
and and
.I gid_map .I gid_map
file have been written only the mapped values may be used in files have been written, only the mapped values may be used in
system calls that change user IDs and group IDs. system calls that change user and group IDs.
For user IDs these system calls include For user IDs, the relevant system calls include
.BR setuid , .BR setuid (2),
.BR setfsuid , .BR setfsuid (2),
.BR setreuid , .BR setreuid (2),
and and
.BR setresuid . .BR setresuid (2).
For group IDs, the relevant system calls include
For group IDs these system calls include .BR setgid (2),
.BR setgid , .BR setfsgid (2),
.BR setfsgid , .BR setregid (2),
.BR setregid , .BR setresgid (2),
.BR setresgid ,
and and
.BR setgroups. .BR setgroups (2).
Writing Writing
.BR deny .RI \(dq deny \(dq
to the to the
.I /proc/[pid]/setgroups .I /proc/[pid]/setgroups
file before writing to file before writing to
.I /proc/[pid]/gid_map .I /proc/[pid]/gid_map
will permanently disable the setgroups system call in a user namespace .\" Things changed in Linux 3.19
and allow writing to .\" commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
.\" commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
.\" http://lwn.net/Articles/626665/
will permanently disable
.BR setgroups (2)
in a user namespace and allow writing to
.I /proc/[pid]/gid_map .I /proc/[pid]/gid_map
without without having the
.BR CAP_SETGID .BR CAP_SETGID
in the parent user namespace. capability in the parent user namespace.
.\"
.\" ============================================================
.\"
.SS Unmapped user and group IDs .SS Unmapped user and group IDs
.PP .PP
There are various places where an unmapped user ID (group ID) There are various places where an unmapped user ID (group ID)
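Review bot: the new ".\" Things changed in Linux 3.19" comment block and its two commit references are inserted in the middle of a sentence, between "file before writing to /proc/[pid]/gid_map" and "will permanently disable", which makes the roff source hard to read and easy to break on the next edit; move the four ".\"" lines to just before the "Writing" line so the sentence stays contiguous. Two smaller points on the same hunk: the opening sentences say the ID-changing system calls "will fail" when uid_map or gid_map has not been written, but do not say how; naming the error (setuid(2) and friends document EINVAL for an ID that is not valid in the caller's user namespace) would make this usable from the "Writes that violate the above rules fail with the error" paragraph that precedes this subsection. And "will permanently disable setgroups(2)" should spell out what "permanently" covers, i.e. that the denial cannot be reversed for the lifetime of that user namespace, otherwise a reader may expect a later write of "allow" to reopen it.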