mirror of https://github.com/mkerrisk/man-pages
0c9abe8b8c
Files with access permissions such as rwx---rwx give fewer permissions to their group then they do to everyone else. Which means dropping groups with setgroups(0, NULL) actually grants a process privileges. The unprivileged setting of gid_map turned out not to be safe after this change. Privileged setting of gid_map can be interpreted as meaning yes it is ok to drop groups. [ Eric additionally noted: Setting of gid_map with privilege has been clarified to mean that dropping groups is ok. This allows existing programs that set gid_map with privilege to work without changes. That is, newgidmap(1) continues to work unchanged.] To prevent this problem and future problems, user namespaces were changed in such a way as to guarantee a user can not obtain credentials without privilege that they could not obtain without the help of user namespaces. This meant testing the effective user ID and not the filesystem user ID, as setresuid(2) and setregid(2) allow setting any process UID or GID (except the supplementary groups) to the effective ID. Furthermore, to preserve in some form the useful applications that have been setting gid_map without privilege, the file /proc/[pid]/setgroups was added to allow disabling setgroups(2). With setgroups(2) permanently disabled in a user namespace, it again becomes safe to allow writes to gid_map without privilege. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com> |
||
|---|---|---|
| man1 | ||
| man2 | ||
| man3 | ||
| man4 | ||
| man5 | ||
| man6 | ||
| man7 | ||
| man8 | ||
| scripts | ||
| Changes | ||
| Changes.old | ||
| Makefile | ||
| README | ||
| man-pages-3.82.Announce | ||
| man-pages-3.82.lsm | ||
README
This package contains Linux man pages for sections 2, 3, 4, 5, and 7. Some more information is given in the `Announce' file. Install by copying to your favourite location. "make install" will just copy them to /usr/share/man/man[1-8]. To install to a path different from /usr use "make install prefix=/install/path". "make" will move the pages from this package that are older than the already installed ones to a subdirectory `not_installed', then remove old versions (compressed or not), compress the pages, and copy them to /usr/share/man/man[1-8]. Note that you may have to remove preformatted pages. Note that sometimes these pages are duplicates of pages also distributed in other packages. This has been reported about dlclose.3, dlerror.3, dlopen.3, dlsym.3 (found in ld.so), about resolver.3, resolv.conf.5 (found in bind-utils), and about passwd.5, and mailaddr.7. Be careful not to overwrite more up-to-date versions. Reports on further duplicates are welcome. Formerly present and now removed duplicates: exports.5 (found in nfs-server-2.2*), fstab.5, nfs.5 (found in util-linux-2.12*), lilo.8, lilo.conf.5 (found in lilo-21.6*). Copyrights: These man pages come under various copyrights. All pages are freely distributable when the nroff source is included. If you have corrections and additions to suggest, see http://www.kernel.org/doc/man-pages/contributing.html