path: root/man5/proc.5
author:    Michael Kerrisk <mtk.manpages@gmail.com>  2015-03-04 10:46:14 +0100
committer: Michael Kerrisk <mtk.manpages@gmail.com>  2015-03-04 15:11:02 +0100
commit:    ab28dba9a0642c5446ada99bddefef5b16ad0ce1
tree:      d5022f2a8e9c50f347752bf108136912386dca78 /man5/proc.5
parent:    4e2683f9a383e90807d99d461dcbe4aef88a9a9c
download:  man-pages-ab28dba9a0642c5446ada99bddefef5b16ad0ce1.tar.gz
proc.5, user_namespaces.7: Migrate description of /proc/PID/setgroups to user_namespaces(7)
It makes sense to have the description of this file in the general discussion of user namespaces.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man5/proc.5')
-rw-r--r--  man5/proc.5  87
1 files changed, 2 insertions, 85 deletions
diff --git a/man5/proc.5 b/man5/proc.5
index 4ab196fa87..6969e3e74f 100644
--- a/man5/proc.5
+++ b/man5/proc.5
@@ -1208,91 +1208,8 @@ are not available if the main thread has already terminated
.\" CONFIG_SCHEDSTATS
.TP
.IR /proc/[pid]/setgroups " (since Linux 3.19)"
-.\"
-.\" commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
-.\" commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
-.\" http://lwn.net/Articles/626665/
-.\" http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8989
-.\"
-This file displays the string
-.RI \(dq allow \(dq
-if processes in the user namespace that contains the process
-.I pid
-are permitted to employ the
-.BR setgroups (2)
-system call; it displays
-.RI \(dq deny \(dq
-if
-.BR setgroups (2)
-is not permitted in that user namespace.
-(Note, however, that calls to
-.BR setgroups (2)
-are also not permitted if
-.IR /proc/[pid]/gid_map
-has not yet been set.)
-
-A privileged process (one with the
-.BR CAP_SYS_ADMIN
-capability in the namespace) may write either of the strings
-.RI \(dq allow \(dq
-or
-.RI \(dq deny \(dq
-to this file
-.I before
-writing a group ID mapping
-for this user namespace to the file
-.IR /proc/[pid]/gid_map .
-Writing the string
-.RI \(dq deny \(dq
-prevents any process in the user namespace from employing
-.BR setgroups (2).
-In other words, it is permitted to write to
-.I /proc/[pid]/setgroups
-so long as calling
-.BR setgroups (2)
-is not allowed because
-.I /proc/[pid]gid_map
-has not been set.
-This ensures that a process cannot transition from a state where
-.BR setgroups (2)
-is allowed to a state where
-.BR setgroups (2)
-is denied;
-a process can only transition from
-.BR setgroups (2)
-being disallowed to
-.BR setgroups (2)
-being allowed.
-
-The default value of this file in the initial user namespace is
-.RI \(dq allow \(dq.
-
-Once
-.IR /proc/[pid]/gid_map
-has been written to
-(which has the effect of enabling
-.BR setgroups (2)
-in the user namespace),
-it is no longer possible to deny
-.BR setgroups (2)
-by writing to
-.IR /proc/[pid]/setgroups .
-
-A child user namespace inherits the
-.IR /proc/[pid]/gid_map
-setting from its parent.
-
-If the
-.I setgroups
-file has the value
-.RI \(dq deny \(dq,
-then the
-.BR setgroups (2)
-system call can't subsequently be reenabled (by writing
-.RI \(dq allow \(dq
-to the file) in this user namespace.
-This restriction also propagates down to all child user namespaces of
-this user namespace.
+See
+.BR user_namespaces (7).
.TP
.IR /proc/[pid]/smaps " (since Linux 2.6.14)"
This file shows memory consumption for each of the process's mappings.
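Review bot: two defects in the removed block should not be carried over verbatim when the text is re-homed in user_namespaces(7). First, the path in `.I /proc/[pid]gid_map` (in the "In other words, it is permitted to write to /proc/[pid]/setgroups so long as ..." sentence) is missing the slash before gid_map and should be `.I /proc/[pid]/gid_map`. Second, the sentence "A child user namespace inherits the /proc/[pid]/gid_map setting from its parent" is inconsistent with the final removed paragraph, which says it is the setgroups "deny" value that propagates down to child user namespaces; the file named there should be `/proc/[pid]/setgroups`, not `gid_map`. Separately, the hunk also drops the `.\"` comments citing commits 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8 and 66d2f338ee4c449396b6f99f5e75cd18eb6df272, the LWN article and CVE-2014-8989; those references are the rationale for why "deny" cannot be reverted to "allow", so they should be kept as comments next to the migrated text rather than lost, and the two-line replacement ("See user_namespaces(7).") is fine as long as the target page actually carries the full description.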