| field | value | date |
|---|---|---|
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2013-02-20 11:11:58 +0100 |
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2014-09-13 20:15:58 -0700 |
| commit | e4208794219203b890493ebf185b7a6fa9dfab8e | |
| tree | 9c818b6e7f24c13676f11938718aa684d6f713d6 /man7 | |
| parent | 1879c18c63c7a8109133a82daaf85124fe4aadc6 | |
| download | man-pages-e4208794219203b890493ebf185b7a6fa9dfab8e.tar.gz | |
namespaces.7: Rewrite EPERM rules for writing to user namespace map file
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7')
| -rw-r--r-- | man7/namespaces.7 | 40 |
1 files changed, 22 insertions, 18 deletions
diff --git a/man7/namespaces.7 b/man7/namespaces.7 index 6924a3e1fa..27625c9c44 100644 --- a/man7/namespaces.7 +++ b/man7/namespaces.7 @@ -657,32 +657,36 @@ Writes that violate the above rules fail with the error In order for a process to write to the .I /proc/[pid]/uid_map .RI ( /proc/[pid]/gid_map ) -file, the following requirements must be met: -.IP * 3 -The process must have the +file, all of the following requirements must be met: +.IP 1. 3 +The writing process must have the .BR CAP_SETUID .RB ( CAP_SETGID ) capability in the user namespace of the process .IR pid . -.IP * -The process must have the +.IP 2. +The writing process must be in either the user namespace of the process +.I pid +or inside the parent user namespace of the process +.IR pid . +.IP 3. +One of the following is true: +.RS +.IP * 3 +The data written to +.I uid_map +.RI ( gid_map ) +consists of a single line that maps the writing process's file system user ID +(group ID) in the parent user namespace to a user ID (group ID) +in the user namespace. +.IP * 3 +The process has the .BR CAP_SETUID .RB ( CAP_SETGID ) capability in the parent user namespace. -This prevents an unprivileged process from mapping to arbitrary UIDs (GIDs) +Thus, a privileged process can make mappings to arbitrary user ID (group ID) in the parent user namespace. -There is an exception to this requirement: -a process writing to -.I uid_map -.RI ( gid_map ) -is allowed to map any single UID (GID) in it user namespace -to the caller's file system UID (GID) -in the parent user namespace. -.IP * -The process must be in either the user namespace of the process -.I pid -or inside the parent user namespace of the process -.IR pid . +.RE .PP Writes that violate the above rules fail with the error .BR EPERM . |
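Review bot: the second bullet under item 3 ("The process has the CAP_SETUID (CAP_SETGID) capability in the parent user namespace") should say "The writing process has", as items 1 and 2 do, because "the process" is otherwise ambiguous between the writer and the process `pid` whose map file is being written, and that distinction is exactly what this rule turns on. In the same bullet, "make mappings to arbitrary user ID (group ID)" needs the plural: "arbitrary user IDs (group IDs)". The first bullet under item 3 would also be clearer if "to a user ID (group ID) in the user namespace" named the namespace explicitly, i.e. "in the user namespace of the process pid", matching the wording of item 1. Minor: the nested `.IP * 3` items inside `.RS`/`.RE` render fine, but since the outer list was switched to `.IP 1. 3` numbering, a one-line note in the commit message that the list was renumbered to make the "one of the following" alternative in item 3 stand out would help readers of the history.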
