LDP
/
man-pages
mirror of https://github.com/mkerrisk/man-pages
0
1
Fork 0
Code Releases Activity
13,232 Commits 1 Branch 197 Tags 93 MiB
Commit Graph

89 Commits

Author SHA1 Message Date
Michael Kerrisk 34bcced069 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-06 22:53:43 +01:00
Michael Kerrisk 690c890a75 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-06 22:44:41 +01:00
Michael Kerrisk 50b49f0b54 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-06 22:43:45 +01:00
Michael Kerrisk 1fc04edfbb user_namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-06 22:42:17 +01:00
Michael Kerrisk 31a7d5060a user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-06 22:40:32 +01:00
Michael Kerrisk 6c8571e079 user_namespaces.7: ffix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-06 20:13:57 +01:00
Michael Kerrisk 4990f759aa user_namespaces.7: wspfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-04 15:11:02 +01:00
Michael Kerrisk c38a2a0473 user_namespaces.7: Handle /proc/PID/setgroups in the example program 
Reported-by: Alban Crequy <alban.crequy@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-04 15:11:02 +01:00
Michael Kerrisk ecb0ff30e8 user_namespaces.7: Explain why the /proc/PID/setgroups file was added 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-04 15:11:02 +01:00
Michael Kerrisk d6add5efa2 user_namespaces.7: Rework test describing restrictions on updating /proc/PID/setgroups 
No (intentional) changes to factual description, but the
restructured text is hopefully easier to grasp.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-04 15:11:02 +01:00
Michael Kerrisk 30b33164cb user_namespaces.7: Rework some text describing permission rules for updating map files 
No (intentional) change to the facts, but this restructuring
should make the meaning easier to grasp.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-04 15:11:02 +01:00
Michael Kerrisk ab28dba9a0 proc.5, user_namespaces.7: Migrate description of /proc/PID/setgroups to user_namespaces(7) 
It makes sense to have the description of this file
in the general discussion of user namespaces.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-04 15:11:02 +01:00
Michael Kerrisk f72de267d9 user_namespaces.7: srcfix: FIXME 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-04 15:11:02 +01:00
Michael Kerrisk 364ce93556 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-04 15:11:02 +01:00
Michael Kerrisk f2d61dbbaa user_namespaces.7: Some tweaks to Eric Biederman's patch 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-04 15:11:02 +01:00
Eric W. Biederman 0c9abe8b8c user_namespaces.7: Update the documentation to reflect the fixes for negative groups 
Files with access permissions such as rwx---rwx give fewer
permissions to their group then they do to everyone else.  Which
means dropping groups with setgroups(0, NULL) actually grants a
process privileges.

The unprivileged setting of gid_map turned out not to be safe
after this change.  Privileged setting of gid_map can be
interpreted as meaning yes it is ok to drop groups. [ Eric
additionally noted: Setting of gid_map with privilege has been
clarified to mean that dropping groups is ok.  This allows
existing programs that set gid_map with privilege to work
without changes.  That is, newgidmap(1) continues to work
unchanged.]

To prevent this problem and future problems, user namespaces were
changed in such a way as to guarantee a user can not obtain
credentials without privilege that they could not obtain without
the help of user namespaces.

This meant testing the effective user ID and not the filesystem
user ID, as setresuid(2) and setregid(2) allow setting any process
UID or GID (except the supplementary groups) to the effective ID.

Furthermore, to preserve in some form the useful applications
that have been setting gid_map without privilege, the file
/proc/[pid]/setgroups was added to allow disabling setgroups(2).
With setgroups(2) permanently disabled in a user namespace, it
again becomes safe to allow writes to gid_map without privilege.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-04 15:10:02 +01:00
Michael Kerrisk 3ef9fdd1a9 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-03 15:49:16 +01:00
Michael Kerrisk 74412268b4 user_namespaces.7: Update kernel version associated with 5-line limit for map files 
As at Linux 3.18, the limit is still five lines, so mention the
more recent kernel version in the text.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-03 13:20:28 +01:00
Michael Kerrisk 374215d5c6 user_namespaces.7: tfix 
Reported-by: Stéphane Aulery <saulery@free.fr>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-03-02 17:22:26 +01:00
Michael Kerrisk 1c3c805bcd user_namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-01-16 07:54:02 +01:00
Mike Frysinger dba9ebf2b4 user_namespaces(7): tfix 
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-12-30 22:15:28 +01:00
Mike Frysinger 445d38c9b5 user_namespaces(7): tfix: drop spurious underline 
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-11-11 06:39:06 +01:00
Michael Kerrisk f5d401ddda Removed trailing white space at end of lines 2014-09-21 11:24:24 +02:00
Michael Kerrisk daf084cc33 clone.2, flock.2, getpid.2, getunwind.2, mount.2, reboot.2, semop.2, seteuid.2, setgid.2, setns.2, setresuid.2, setreuid.2, setuid.2, uname.2, unshare.2, clock.3, drand48.3, proc.5, capabilities.7, credentials.7, mq_overview.7, namespaces.7, pid_namespaces.7, svipc.7, user_namespaces.7: tstamp 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-21 11:23:07 +02:00
Michael Kerrisk c228b4b4d1 namespaces.7, pid_namespaces.7, user_namespaces.7: srcfix: Add LICENSE_START tag 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-16 09:05:40 +02:00
Michael Kerrisk 09fcbb82f1 user_namespaces.7: spfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-14 21:29:47 -07:00
Michael Kerrisk 672e7505d6 user_namespaces.7: wfix 
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-14 21:29:47 -07:00
Eric W. Biederman 890a86d330 user_namespaces.7: Clarify the meaning of "Mounts that come as a single unit" 
Quoting Eric Biederman:

The importance of [mounts coming across as a dingle unit] is [to]
allow the global root to mount over things and not have to worry
that someone from a user namespace root can peek underneath.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-14 21:29:47 -07:00
Michael Kerrisk 576233f00e user_namespaces.7: Additions from Andy Lutomirski 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-14 21:29:47 -07:00
Michael Kerrisk 6cfec3d80a user_namespaces.7: Improvements from Andy Lutomirski 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-14 21:29:42 -07:00
Eric W. Biederman b10c74ff25 user_namespaces.7: Add "Restrictions on mount namespaces" section 
Light edits by mtk

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 7aba437aa1 user_namespaces.7: Only single-threaded processes can join another user namespace 
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Serge E. Hallyn 1191a90d12 user_namespaces.7: Improve discussion of handling of capabilities during execve(2) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 11d8ef176b user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 6c21c0f947 user_namespaces.7: Say a little less about execve(2) and user ID mappings 
The existing discussion under user and group ID mappings
probably suffices.

Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 0ea90cb46d user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 99f04bb1e9 user_namespaces.7: Note that user namespaces isolate the root directory 
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk c0d02ab07a user_namespaces.7: XFS support for user namespaces was added in Linux 3.11 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk ed8bd8452c user_namespaces.7: Rework text on filesystem support for user namespaces 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk bc92175773 user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 1005b0062e user_namespaces.7: Remove a confused sentence 
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk e56b6c42d1 user_namespaces.7: Document maximum nesting depth for user namespaces 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 8f99aa89d9 user_namespaces.7: Minor tweaks to example program 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk ab3311aa06 clone.2, namespaces.7, pid_namespaces.7, user_namespaces.7: wfix "file system" ==> "filesystem" 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk f22abd505d user_namespaces.7: Remove discussion of flags that can't be used with CLONE_NEWUSER 
That information is better put into individual pages.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk 714e9a7874 user_namespaces.7: Document restrictions on CLONE_NEWUSER with other CLONE_* flags 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk 63f66893e5 user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk c3f29a89b5 user_namespaces.7: Move discussion of availability of user namespaces to NOTES 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk b6462f7519 user_namespaces.7: SEE ALSO: add newgidmap(1), newuidmap(1), subgid(5), subuid(5) 
Pages in the "shadow" package

Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 77f9548830 user_namespaces.7: execve(2) will drop capabilities unless the caller's UID maps to 0 
Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00