aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Kerrisk <mtk.manpages@gmail.com>2013-03-07 10:57:39 +0100
committerMichael Kerrisk <mtk.manpages@gmail.com>2014-09-13 20:16:01 -0700
commitd916d9d0736e1ab974bfc55899f64dc4d912d138 (patch)
treea420ffa3387a8929355affb7dca78ae1cd2d9452
parentc9195dede436f93e744f83b876475b244c00c876 (diff)
downloadman-pages-d916d9d0736e1ab974bfc55899f64dc4d912d138.tar.gz
user_namespaces.7: Rewrote and reorganized various pieces
Mainly the pieces on capabilities, nested namespaces and namespace membership. Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat
-rw-r--r--man7/user_namespaces.7153
1 files changed, 101 insertions, 52 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index 905bcd4832..9dd1630666 100644
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -35,7 +35,7 @@ user IDs and group IDs (see
keys (see
.BR keyctl (2)),
and capabilities (see
-.BR capabilities (7).
+.BR capabilities (7)).
A process's user and group IDs can be different
inside and outside a user namespace.
In particular,
@@ -45,37 +45,120 @@ in other words,
the process has full privileges for operations inside the user namespace,
but is unprivileged for operations outside the namespace.
+Use of user namespaces requires a kernel that is configured with the
+.B CONFIG_USER_NS
+option.
+.\"
+.\" ============================================================
+.\"
+.SS Nested namespaces, namespace membership
+User namespaces can be nested;
+that is, each user namespace\(emexcept the initial ("root")
+namespace\(emhas a parent user namespace,
+and can have zero or more child user namespaces.
+The parent user namespace is the user namespace
+of the process that creates the user namespace via a call to
+.BR unshare (2)
+or
+.BR clone (2)
+with the
+.BR CLONE_NEWUSER
+flag.
+
+Each process is member of exactly one user namespace.
+A process created via
+.BR fork (2)
+or
+.BR clone (2)
+without the
+.BR CLONE_NEWUSER
+flag is a member of the same user namespace as its parent.
+A process can join another user namespace with
+.BR setns (2)
+if it has the
+.BR CAP_SYS_ADMIN
+in that namespace;
+upon doing so, it gains a full set of capabilities in that namespace.
+
+A call to
+.BR clone (2)
+or
+.BR unshare (2)
+with the
+.BR CLONE_NEWUSER
+flag makes the new child process (for
+.BR clone (2))
+or the caller (for
+.BR unshare (2))
+a member of the new user namespace created by the call.
+.\"
+.\" ============================================================
+.\"
+.SS Capabilities
The child process created by
.BR clone (2)
with the
.BR CLONE_NEWUSER
flag starts out with a complete set
of capabilities in the new user namespace.
+Likewise, a process that creates a new user namespace using
+.BR unshare (2)
+or joins an existing user namespace using
+.BR setns (2)
+gains a full set of capabilities in that namespace.
On the other hand,
that process has no capabilities outside that user namespace,
-even if the new namespace is created by the root user.
-(However, a child process created by the root user
+even if the new namespace is created or joined by the root user
+(i.e., a process with user ID 0 in the root namespace).
+(Nevertheless, a process owned by the root user
will be able to access resources such as
files that are owned by user ID 0,
and will be able to do things such as sending signals
to processes belonging to user ID 0.)
-User namespaces can be nested;
-that is, each user namespace\(emexcept the initial ("root")
-namespace\(emhas a parent user namespace,
-and can have zero or more child user namespaces.
-The parent user namespace is the user namespace
-of the process that creates the user namespace via a call to
+Having a capability inside a user namespace
+permits a process to perform operations (that require privilege)
+only on resources governed by that namespace.
+The rules for determining whether or not a process has a capability
+in a particular user namespace are as follows:
+.IP 1. 3
+A process has a capability inside a user namespace
+if it is a member of that namespace and
+it has the capability in its effective capability set.
+A process can gain capabilities in its effective capability
+set in various ways.
+For example, it may execute a set-user-ID program or an
+executable with associated file capabilities.
+In addition,
+a process may gain capabilities via the effect of
+.BR clone (2)
.BR unshare (2)
or
-.BR clone (2)
-with the
-.BR CLONE_NEWUSER
-flag.
-
-Use of user namespaces requires a kernel that is configured with the
-.B CONFIG_USER_NS
-option.
+.BR setns (2),
+as already described.
+.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
+.IP 2.
+If a process has a capability in a user namespace,
+then it has that capability in all child (and further removed descendant)
+namespaces as well.
+.IP 3.
+.\" * The owner of the user namespace in the parent of the
+.\" * user namespace has all caps.
+When a user namespace is created, the kernel records the effective
+user ID of the creating process as being the "owner" of the namespace.
+.\" (and likewise associates the effective group ID of the creating process
+.\" with the namespace).
+A process that resides
+in the parent of the user namespace
+.\" See kernel commit 520d9eabce18edfef76a60b7b839d54facafe1f9 for a fix
+.\" on this point
+and whose effective user ID matches the owner of the namespace
+has all capabilities in the namespace.
+.\" This includes the case where the process executes a set-user-ID
+.\" program that confers the effective UID of the creator of the namespace.
+By virtue of the previous rule,
+this means that the process has all capabilities in all
+further removed descendant user namespaces as well.
.\"
.\" ============================================================
.\"
@@ -108,6 +191,7 @@ or
.BR unshare (2),
the kernel records the user namespace of the creating process against
the new namespace.
+(This association can't be changed.)
When a process in the new namespace subsequently performs
privileged operations that operate on global
resources isolated by the namespace,
@@ -116,41 +200,6 @@ in the user namespace that the kernel associated with the new namespace.
.\"
.\" ============================================================
.\"
-.SS Capabilities
-In the context of (nested) user namespaces,
-a process may have a capability
-because that capability is present in its effective capability set
-(for example, it executed a set-user-ID program that conferred
-capabilities on it or it was the child process of the
-.BR clone (2)
-call that created the namespace)
-or for either of the following reasons:
-.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
-.IP 1. 3
-If a process has a capability in a user namespace,
-then it has that capability in all child (and further removed descendant)
-namespaces as well.
-.IP 2.
-.\" * The owner of the user namespace in the parent of the
-.\" * user namespace has all caps.
-When a user namespace is created, the kernel records the effective
-user ID of the creating process as being the "owner" of the namespace.
-.\" (and likewise associates the effective group ID of the creating process
-.\" with the namespace).
-A process that resides
-in the parent of the user namespace
-.\" See kernel commit 520d9eabce18edfef76a60b7b839d54facafe1f9 for a fix
-.\" on this point
-and whose effective user ID matches the owner of the namespace
-has all capabilities in the namespace.
-.\" This includes the case where the process executes a set-user-ID
-.\" program that confers the effective UID of the creator of the namespace.
-By virtue of the first rule,
-this means that the process has all capabilities in all
-further removed descendant user namespaces as well.
-.\"
-.\" ============================================================
-.\"
.SS User and group ID mappings: uid_map and gid_map
When a user namespace is created,
it starts out without a mapping of user IDs (group IDs)
generated by cgit 1.2.3-korg (git 2.43.0) at 2025-12-01 08:50:12 +0000