LDP
/
man-pages
mirror of https://github.com/mkerrisk/man-pages
0
1
Fork 0
Code Releases Activity
11,721 Commits 1 Branch 197 Tags 93 MiB
Commit Graph

57 Commits

Author SHA1 Message Date
Serge E. Hallyn 1191a90d12 user_namespaces.7: Improve discussion of handling of capabilities during execve(2) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 11d8ef176b user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 6c21c0f947 user_namespaces.7: Say a little less about execve(2) and user ID mappings 
The existing discussion under user and group ID mappings
probably suffices.

Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 0ea90cb46d user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 99f04bb1e9 user_namespaces.7: Note that user namespaces isolate the root directory 
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk c0d02ab07a user_namespaces.7: XFS support for user namespaces was added in Linux 3.11 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk ed8bd8452c user_namespaces.7: Rework text on filesystem support for user namespaces 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk bc92175773 user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 1005b0062e user_namespaces.7: Remove a confused sentence 
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk e56b6c42d1 user_namespaces.7: Document maximum nesting depth for user namespaces 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 8f99aa89d9 user_namespaces.7: Minor tweaks to example program 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk ab3311aa06 clone.2, namespaces.7, pid_namespaces.7, user_namespaces.7: wfix "file system" ==> "filesystem" 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk f22abd505d user_namespaces.7: Remove discussion of flags that can't be used with CLONE_NEWUSER 
That information is better put into individual pages.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk 714e9a7874 user_namespaces.7: Document restrictions on CLONE_NEWUSER with other CLONE_* flags 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk 63f66893e5 user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk c3f29a89b5 user_namespaces.7: Move discussion of availability of user namespaces to NOTES 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk b6462f7519 user_namespaces.7: SEE ALSO: add newgidmap(1), newuidmap(1), subgid(5), subuid(5) 
Pages in the "shadow" package

Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 77f9548830 user_namespaces.7: execve(2) will drop capabilities unless the caller's UID maps to 0 
Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 550d1c537c user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 0ac408439b user_namespaces.7: Some subsystems don't support user namespaces in some kernel versions 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 6b92803065 user_namespaces.7: srcfix: Add FIXME 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 3b44624fa4 user_namespaces.7: Minor fixes in various places 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 8a87c8b32f user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 589e43bb00 user_namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk d68c5f1184 user_namespaces.7: Clarify some capabilities details 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 0666f549da user_namespaces.7: Note treatment of "securebits" flags 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 37909beed2 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk d916d9d073 user_namespaces.7: Rewrote and reorganized various pieces 
Mainly the pieces on capabilities, nested namespaces
and namespace membership.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk c9195dede4 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 3a9ff754df user_namespaces.7: SEE ALSO: remove unshare(1) (which is mentioned in namespaces(7)) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 96ec9d12e6 user_namespaces.7: Clarify that the child of clone() gets all privileges in new userns 
Nothing special happens for the children of unshare(2).

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk c94eb4a68d user_namespaces.7: Add reference to Documentation/namespaces/resource-control.txt 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk cf7d22a535 user_namespaces.7: Further reworking of text on nested namespaces and capabilities 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk c0098e767d user_namespaces.7: Relocate text on capabilities of initial process in userns 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 20e4a14719 user_namespaces.7: Explain uid_map and gid_map in the initial user namespace 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 3e2a37ec85 user_namespaces.7: Add more detail on unmapped UIDs and GIDs exposed to user space 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 6eda94413b user_namespaces.7: Reorganize various pieces of DESCRIPTION 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 30f3ddd6dd user_namespaces.7: Remove duplicated text on EPERM + mapping required in parent userns 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 1863e45128 user_namespaces.7: Move a misplaced rule re writing to map files 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 8d36d80cc3 user_namespaces.7: Add an example program 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk df23ae04d6 user_namespaces.7: Linux 3.9 provides a better implementation of nonoverlapping map checks 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk e4f4f2e125 user_namespaces.7: Clarify discussion on privileges of child after clone() by UID 0 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 1b3d5347f5 user_namespaces.7: Clarify that rules for writing to map files also apply to gid_map 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 0f069d0c69 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk d45d012859 user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 54ead6d395 user_namespaces.7: Describe effect of mappings in the context of file-system operations 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 4332e54d27 user_namespaces.7: wfix + ffix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 674c23884e user_namespaces.7: Note some interfaces that return overflowuid and overflowgid 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 0df0f26dcc user_namespaces.7: srcfix: remove obsolete FIXME 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 27a6ff6ee6 user_namespaces.7: Describe handling of UIDs+GIDs when passed across a UNIX domain socket 
UIDs and GIDs are mapped to receiver's userns when passed across
a UNIX domain socket

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00