| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2018-07-05 12:23:34 +0200 |
|---|---|---|
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2018-07-05 18:38:14 +0200 |
| commit | ae636827e63b36430debd750f7c4acb2df65a1bb (patch) | |
| tree | 2c811d195ed3a758fa8a516bf9c23a0d69f50329 | |
| parent | e96ad1fd4546f4058d6cd2ec4ba80063df48330d (diff) | |
| download | man-pages-ae636827e63b36430debd750f7c4acb2df65a1bb.tar.gz | |
proc.5: Fix description of /proc/PID/* ownership to account for user namespaces
Starting in Linux 4.11, if the process dumpable attribute is
not 1 and the process resides in a noninitial namespace that
has valid mappings for UID 0 and GID 0, then the ownership of
/proc/PID/* is made the same as the root IDs of the namespace.
Determined by inspection of fs/proc/base.c
See also the following kernel commit:
commit 68eb94f16227336a5773b83ecfa8290f1d6b78ce
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Tue Jan 3 10:23:11 2017 +1300
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
| -rw-r--r-- | man5/proc.5 | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/man5/proc.5 b/man5/proc.5 index 39399a3fac..e59bd33909 100644 --- a/man5/proc.5 +++ b/man5/proc.5 @@ -173,6 +173,20 @@ However, as a security measure, the ownership is made .IR root:root if the process's "dumpable" attribute is set to a value other than 1. .IP +Before Linux 4.11, +.\" commit 68eb94f16227336a5773b83ecfa8290f1d6b78ce +.IR root:root +meant the "global" root user ID and group ID +(i.e., UID 0 and GID 0 in the initial user namespace). +Since Linux 4.11, +if the process is in a noninitial user namespace that has a +valid mapping for user (group) ID 0 inside the namespace, then +the user (group) ownership of the files under +.I /proc/[pid] +is instead made the same as the root user (group) ID of the namespace. +This means that inside a container, +things work as expected for the container "root" user. +.IP The process's "dumpable" attribute may change for the following reasons: .RS .IP * 3 |
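Review bot: the added paragraph under "Since Linux 4.11" leaves one case unstated: a process in a noninitial user namespace that has no valid mapping for user (group) ID 0. The preceding sentence says ownership is made root:root as a security measure, and the new text only says what happens when a mapping for ID 0 exists, so a reader cannot tell whether the unmapped case falls back to the global root:root or to something else. Suggest adding a sentence covering that case directly after "is instead made the same as the root user (group) ID of the namespace." Also worth tightening the closing sentence: "things work as expected for the container "root" user" is informal for proc.5 and says less than the sentence before it; stating that the files are then owned by the (initial-namespace) IDs to which the namespace's UID 0 and GID 0 are mapped would make the consequence precise, and would match the "valid mappings for UID 0 and GID 0" wording of the commit message, which treats the two IDs together while the page text treats user and group independently.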
