diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 19:43:11 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 19:43:11 +0000 |
| commit | fc22b3d6507c6745911b9dfcc68f1e665ae13dbc (patch) | |
| tree | ce1e3bce06471410239a6f41282e328770aa404a /templates/man7/user_namespaces.7.pot | |
| parent | Initial commit. (diff) | |
| download | manpages-l10n-fc22b3d6507c6745911b9dfcc68f1e665ae13dbc.tar.xz manpages-l10n-fc22b3d6507c6745911b9dfcc68f1e665ae13dbc.zip | |
Adding upstream version 4.22.0.upstream/4.22.0
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'templates/man7/user_namespaces.7.pot')
| -rw-r--r-- | templates/man7/user_namespaces.7.pot | 2415 |
1 files changed, 2415 insertions, 0 deletions
diff --git a/templates/man7/user_namespaces.7.pot b/templates/man7/user_namespaces.7.pot new file mode 100644 index 00000000..456b4378 --- /dev/null +++ b/templates/man7/user_namespaces.7.pot @@ -0,0 +1,2415 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR Free Software Foundation, Inc. +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2024-03-01 17:13+0100\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. type: TH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "user_namespaces" +msgstr "" + +#. type: TH +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "2023-10-31" +msgstr "" + +#. type: TH +#: archlinux fedora-40 fedora-rawhide mageia-cauldron +#, no-wrap +msgid "Linux man-pages 6.06" +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "NAME" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "user_namespaces - overview of Linux user namespaces" +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "DESCRIPTION" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "For an overview of namespaces, see B<namespaces>(7)." +msgstr "" + +# +#. FIXME: This page says very little about the interaction +#. of user namespaces and keys. Add something on this topic. +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"User namespaces isolate security-related identifiers and attributes, in " +"particular, user IDs and group IDs (see B<credentials>(7)), the root " +"directory, keys (see B<keyrings>(7)), and capabilities (see " +"B<capabilities>(7)). A process's user and group IDs can be different inside " +"and outside a user namespace. In particular, a process can have a normal " +"unprivileged user ID outside a user namespace while at the same time having " +"a user ID of 0 inside the namespace; in other words, the process has full " +"privileges for operations inside the user namespace, but is unprivileged for " +"operations outside the namespace." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Nested namespaces, namespace membership" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"User namespaces can be nested; that is, each user namespace\\[em]except the " +"initial (\"root\") namespace\\[em]has a parent user namespace, and can have " +"zero or more child user namespaces. The parent user namespace is the user " +"namespace of the process that creates the user namespace via a call to " +"B<unshare>(2) or B<clone>(2) with the B<CLONE_NEWUSER> flag." +msgstr "" + +#. commit 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 +#. FIXME Explain the rationale for this limit. (What is the rationale?) +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The kernel imposes (since Linux 3.11) a limit of 32 nested levels of user " +"namespaces. Calls to B<unshare>(2) or B<clone>(2) that would cause this " +"limit to be exceeded fail with the error B<EUSERS>." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Each process is a member of exactly one user namespace. A process created " +"via B<fork>(2) or B<clone>(2) without the B<CLONE_NEWUSER> flag is a " +"member of the same user namespace as its parent. A single-threaded process " +"can join another user namespace with B<setns>(2) if it has the " +"B<CAP_SYS_ADMIN> in that namespace; upon doing so, it gains a full set of " +"capabilities in that namespace." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A call to B<clone>(2) or B<unshare>(2) with the B<CLONE_NEWUSER> flag " +"makes the new child process (for B<clone>(2)) or the caller (for " +"B<unshare>(2)) a member of the new user namespace created by the call." +msgstr "" + +# #-#-#-#-# debian-bookworm: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# +# +#. #-#-#-#-# archlinux: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# +#. type: Plain text +#. #-#-#-#-# debian-bookworm: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# +#. ============================================================ +#. type: Plain text +#. #-#-#-#-# debian-unstable: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# +#. type: Plain text +#. #-#-#-#-# fedora-40: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# +#. type: Plain text +#. #-#-#-#-# fedora-rawhide: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# +#. type: Plain text +#. #-#-#-#-# mageia-cauldron: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# +#. type: Plain text +#. #-#-#-#-# opensuse-leap-15-6: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# +#. type: Plain text +#. #-#-#-#-# opensuse-tumbleweed: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The B<NS_GET_PARENT> B<ioctl>(2) operation can be used to discover the " +"parental relationship between user namespaces; see B<ioctl_ns>(2)." +msgstr "" + +# +#. ============================================================ +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A task that changes one of its effective IDs will have its dumpability reset " +"to the value in I</proc/sys/fs/suid_dumpable>. This may affect the " +"ownership of proc files of child processes and may thus cause the parent to " +"lack the permissions to write to mapping files of child processes running in " +"a new user namespace. In such cases making the parent process dumpable, " +"using B<PR_SET_DUMPABLE> in a call to B<prctl>(2), before creating a child " +"process in a new user namespace may rectify this problem. See B<prctl>(2) " +"and B<proc>(5) for details on how ownership is affected." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Capabilities" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The child process created by B<clone>(2) with the B<CLONE_NEWUSER> flag " +"starts out with a complete set of capabilities in the new user namespace. " +"Likewise, a process that creates a new user namespace using B<unshare>(2) " +"or joins an existing user namespace using B<setns>(2) gains a full set of " +"capabilities in that namespace. On the other hand, that process has no " +"capabilities in the parent (in the case of B<clone>(2)) or previous (in the " +"case of B<unshare>(2) and B<setns>(2)) user namespace, even if the new " +"namespace is created or joined by the root user (i.e., a process with user " +"ID 0 in the root namespace)." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Note that a call to B<execve>(2) will cause a process's capabilities to be " +"recalculated in the usual way (see B<capabilities>(7)). Consequently, " +"unless the process has a user ID of 0 within the namespace, or the " +"executable file has a nonempty inheritable capabilities mask, the process " +"will lose all capabilities. See the discussion of user and group ID " +"mappings, below." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A call to B<clone>(2) or B<unshare>(2) using the B<CLONE_NEWUSER> flag or " +"a call to B<setns>(2) that moves the caller into another user namespace " +"sets the \"securebits\" flags (see B<capabilities>(7)) to their default " +"values (all flags disabled) in the child (for B<clone>(2)) or caller (for " +"B<unshare>(2) or B<setns>(2)). Note that because the caller no longer has " +"capabilities in its original user namespace after a call to B<setns>(2), it " +"is not possible for a process to reset its \"securebits\" flags while " +"retaining its user namespace membership by using a pair of B<setns>(2) " +"calls to move to another user namespace and then return to its original user " +"namespace." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The rules for determining whether or not a process has a capability in a " +"particular user namespace are as follows:" +msgstr "" + +#. type: IP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "\\[bu]" +msgstr "" + +#. In the 3.8 sources, see security/commoncap.c::cap_capable(): +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A process has a capability inside a user namespace if it is a member of that " +"namespace and it has the capability in its effective capability set. A " +"process can gain capabilities in its effective capability set in various " +"ways. For example, it may execute a set-user-ID program or an executable " +"with associated file capabilities. In addition, a process may gain " +"capabilities via the effect of B<clone>(2), B<unshare>(2), or B<setns>(2), " +"as already described." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"If a process has a capability in a user namespace, then it has that " +"capability in all child (and further removed descendant) namespaces as well." +msgstr "" + +# +#. * The owner of the user namespace in the parent of the +#. * user namespace has all caps. +#. (and likewise associates the effective group ID of the creating process +#. with the namespace). +#. See kernel commit 520d9eabce18edfef76a60b7b839d54facafe1f9 for a fix +#. on this point +#. This includes the case where the process executes a set-user-ID +#. program that confers the effective UID of the creator of the namespace. +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When a user namespace is created, the kernel records the effective user ID " +"of the creating process as being the \"owner\" of the namespace. A process " +"that resides in the parent of the user namespace and whose effective user ID " +"matches the owner of the namespace has all capabilities in the namespace. " +"By virtue of the previous rule, this means that the process has all " +"capabilities in all further removed descendant user namespaces as well. The " +"B<NS_GET_OWNER_UID> B<ioctl>(2) operation can be used to discover the user " +"ID of the owner of the namespace; see B<ioctl_ns>(2)." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Effect of capabilities within a user namespace" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Having a capability inside a user namespace permits a process to perform " +"operations (that require privilege) only on resources governed by that " +"namespace. In other words, having a capability in a user namespace permits " +"a process to perform privileged operations on resources that are governed by " +"(nonuser) namespaces owned by (associated with) the user namespace (see the " +"next subsection)." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"On the other hand, there are many privileged operations that affect " +"resources that are not associated with any namespace type, for example, " +"changing the system (i.e., calendar) time (governed by B<CAP_SYS_TIME>), " +"loading a kernel module (governed by B<CAP_SYS_MODULE>), and creating a " +"device (governed by B<CAP_MKNOD>). Only a process with privileges in the " +"I<initial> user namespace can perform such operations." +msgstr "" + +#. fs_flags = FS_USERNS_MOUNT in kernel sources +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's " +"mount namespace allows that process to create bind mounts and mount the " +"following types of filesystems:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "I</proc> (since Linux 3.8)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "I</sys> (since Linux 3.8)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "I<devpts> (since Linux 3.9)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "B<tmpfs>(5) (since Linux 3.9)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "I<ramfs> (since Linux 3.9)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "I<mqueue> (since Linux 3.9)" +msgstr "" + +#. commit b2197755b2633e164a439682fb05a9b5ea48f706 +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "I<bpf> (since Linux 4.4)" +msgstr "" + +#. commit 92dbc9dedccb9759c7f9f2f0ae6242396376988f +#. commit 4cb2c00c43b3fe88b32f29df4f76da1b92c33224 +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "I<overlayfs> (since Linux 5.11)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's " +"cgroup namespace allows (since Linux 4.6) that process to the mount the " +"cgroup version 2 filesystem and cgroup version 1 named hierarchies (i.e., " +"cgroup filesystems mounted with the I<\"none,name=\"> option)." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's PID " +"namespace allows (since Linux 3.8) that process to mount I</proc> " +"filesystems." +msgstr "" + +# +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Note, however, that mounting block-based filesystems can be done only by a " +"process that holds B<CAP_SYS_ADMIN> in the initial user namespace." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Interaction of user namespaces and other types of namespaces" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Starting in Linux 3.8, unprivileged processes can create user namespaces, " +"and the other types of namespaces can be created with just the " +"B<CAP_SYS_ADMIN> capability in the caller's user namespace." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When a nonuser namespace is created, it is owned by the user namespace in " +"which the creating process was a member at the time of the creation of the " +"namespace. Privileged operations on resources governed by the nonuser " +"namespace require that the process has the necessary capabilities in the " +"user namespace that owns the nonuser namespace." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"If B<CLONE_NEWUSER> is specified along with other B<CLONE_NEW*> flags in a " +"single B<clone>(2) or B<unshare>(2) call, the user namespace is guaranteed " +"to be created first, giving the child (B<clone>(2)) or caller " +"(B<unshare>(2)) privileges over the remaining namespaces created by the " +"call. Thus, it is possible for an unprivileged caller to specify this " +"combination of flags." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When a new namespace (other than a user namespace) is created via " +"B<clone>(2) or B<unshare>(2), the kernel records the user namespace of the " +"creating process as the owner of the new namespace. (This association can't " +"be changed.) When a process in the new namespace subsequently performs " +"privileged operations that operate on global resources isolated by the " +"namespace, the permission checks are performed according to the process's " +"capabilities in the user namespace that the kernel associated with the new " +"namespace. For example, suppose that a process attempts to change the " +"hostname (B<sethostname>(2)), a resource governed by the UTS namespace. In " +"this case, the kernel will determine which user namespace owns the process's " +"UTS namespace, and check whether the process has the required capability " +"(B<CAP_SYS_ADMIN>) in that user namespace." +msgstr "" + +# +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The B<NS_GET_USERNS> B<ioctl>(2) operation can be used to discover the user " +"namespace that owns a nonuser namespace; see B<ioctl_ns>(2)." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "User and group ID mappings: uid_map and gid_map" +msgstr "" + +#. commit 22d917d80e842829d0ca0a561967d728eb1d6303 +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When a user namespace is created, it starts out without a mapping of user " +"IDs (group IDs) to the parent user namespace. The I</proc/>pidI</uid_map> " +"and I</proc/>pidI</gid_map> files (available since Linux 3.5) expose the " +"mappings for user and group IDs inside the user namespace for the process " +"I<pid>. These files can be read to view the mappings in a user namespace " +"and written to (once) to define the mappings." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The description in the following paragraphs explains the details for " +"I<uid_map>; I<gid_map> is exactly the same, but each instance of \"user ID\" " +"is replaced by \"group ID\"." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The I<uid_map> file exposes the mapping of user IDs from the user namespace " +"of the process I<pid> to the user namespace of the process that opened " +"I<uid_map> (but see a qualification to this point below). In other words, " +"processes that are in different user namespaces will potentially see " +"different values when reading from a particular I<uid_map> file, depending " +"on the user ID mappings for the user namespaces of the reading processes." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Each line in the I<uid_map> file specifies a 1-to-1 mapping of a range of " +"contiguous user IDs between two user namespaces. (When a user namespace is " +"first created, this file is empty.) The specification in each line takes " +"the form of three numbers delimited by white space. The first two numbers " +"specify the starting user ID in each of the two user namespaces. The third " +"number specifies the length of the mapped range. In detail, the fields are " +"interpreted as follows:" +msgstr "" + +#. type: IP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "(1)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The start of the range of user IDs in the user namespace of the process " +"I<pid>." +msgstr "" + +#. type: IP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "(2)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The start of the range of user IDs to which the user IDs specified by field " +"one map. How field two is interpreted depends on whether the process that " +"opened I<uid_map> and the process I<pid> are in the same user namespace, as " +"follows:" +msgstr "" + +#. type: IP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "(a)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"If the two processes are in different user namespaces: field two is the " +"start of a range of user IDs in the user namespace of the process that " +"opened I<uid_map>." +msgstr "" + +#. type: IP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "(b)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"If the two processes are in the same user namespace: field two is the start " +"of the range of user IDs in the parent user namespace of the process " +"I<pid>. This case enables the opener of I<uid_map> (the common case here is " +"opening I</proc/self/uid_map>) to see the mapping of user IDs into the user " +"namespace of the process that created this user namespace." +msgstr "" + +#. type: IP +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "(3)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The length of the range of user IDs that is mapped between the two user " +"namespaces." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"System calls that return user IDs (group IDs)\\[em]for example, " +"B<getuid>(2), B<getgid>(2), and the credential fields in the structure " +"returned by B<stat>(2)\\[em]return the user ID (group ID) mapped into the " +"caller's user namespace." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When a process accesses a file, its user and group IDs are mapped into the " +"initial user namespace for the purpose of permission checking and assigning " +"IDs when creating a file. When a process retrieves file user and group IDs " +"via B<stat>(2), the IDs are mapped in the opposite direction, to produce " +"values relative to the process user and group ID mappings." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The initial user namespace has no parent namespace, but, for consistency, " +"the kernel provides dummy user and group ID mapping files for this " +"namespace. Looking at the I<uid_map> file (I<gid_map> is the same) from a " +"shell in the initial namespace shows:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "" +"$ B<cat /proc/$$/uid_map>\n" +" 0 0 4294967295\n" +msgstr "" + +# +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"This mapping tells us that the range starting at user ID 0 in this namespace " +"maps to a range starting at 0 in the (nonexistent) parent namespace, and the " +"length of the range is the largest 32-bit unsigned integer. This leaves " +"4294967295 (the 32-bit signed -1 value) unmapped. This is deliberate: " +"I<(uid_t)\\~-1> is used in several interfaces (e.g., B<setreuid>(2)) as a " +"way to specify \"no user ID\". Leaving I<(uid_t)\\~-1> unmapped and " +"unusable guarantees that there will be no confusion when using these " +"interfaces." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Defining user and group ID mappings: writing to uid_map and gid_map" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"After the creation of a new user namespace, the I<uid_map> file of I<one> of " +"the processes in the namespace may be written to I<once> to define the " +"mapping of user IDs in the new user namespace. An attempt to write more " +"than once to a I<uid_map> file in a user namespace fails with the error " +"B<EPERM>. Similar rules apply for I<gid_map> files." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The lines written to I<uid_map> (I<gid_map>) must conform to the following " +"validity rules:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The three fields must be valid numbers, and the last field must be greater " +"than 0." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Lines are terminated by newline characters." +msgstr "" + +#. 5*12-byte records could fit in a 64B cache line +#. commit 6397fac4915ab3002dc15aae751455da1a852f25 +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"There is a limit on the number of lines in the file. In Linux 4.14 and " +"earlier, this limit was (arbitrarily) set at 5 lines. Since Linux 4.15, " +"the limit is 340 lines. In addition, the number of bytes written to the " +"file must be less than the system page size, and the write must be performed " +"at the start of the file (i.e., B<lseek>(2) and B<pwrite>(2) can't be used " +"to write to nonzero offsets in the file)." +msgstr "" + +#. commit 0bd14b4fd72afd5df41e9fd59f356740f22fceba +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The range of user IDs (group IDs) specified in each line cannot overlap " +"with the ranges in any other lines. In the initial implementation (Linux " +"3.8), this requirement was satisfied by a simplistic implementation that " +"imposed the further requirement that the values in both field 1 and field 2 " +"of successive lines must be in ascending numerical order, which prevented " +"some otherwise valid maps from being created. Linux 3.9 and later fix this " +"limitation, allowing any valid set of nonoverlapping maps." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "At least one line must be written to the file." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Writes that violate the above rules fail with the error B<EINVAL>." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"In order for a process to write to the I</proc/>pidI</uid_map> (I</proc/" +">pidI</gid_map>) file, all of the following permission requirements must be " +"met:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The writing process must have the B<CAP_SETUID> (B<CAP_SETGID>) capability " +"in the user namespace of the process I<pid>." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The writing process must either be in the user namespace of the process " +"I<pid> or be in the parent user namespace of the process I<pid>." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The mapped user IDs (group IDs) must in turn have a mapping in the parent " +"user namespace." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"If updating I</proc/>pidI</uid_map> to create a mapping that maps UID 0 in " +"the parent namespace, then one of the following must be true:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"if writing process is in the parent user namespace, then it must have the " +"B<CAP_SETFCAP> capability in that user namespace; or" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"if the writing process is in the child user namespace, then the process that " +"created the user namespace must have had the B<CAP_SETFCAP> capability when " +"the namespace was created." +msgstr "" + +#. commit db2e718a47984b9d71ed890eb2ea36ecf150de18 +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"This rule has been in place since Linux 5.12. It eliminates an earlier " +"security bug whereby a UID 0 process that lacks the B<CAP_SETFCAP> " +"capability, which is needed to create a binary with namespaced file " +"capabilities (as described in B<capabilities>(7)), could nevertheless create " +"such a binary, by the following steps:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Create a new user namespace with the identity mapping (i.e., UID 0 in the " +"new user namespace maps to UID 0 in the parent namespace), so that UID 0 in " +"both namespaces is equivalent to the same root user ID." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Since the child process has the B<CAP_SETFCAP> capability, it could create a " +"binary with namespaced file capabilities that would then be effective in the " +"parent user namespace (because the root user IDs are the same in the two " +"namespaces)." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "One of the following two cases applies:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"I<Either> the writing process has the B<CAP_SETUID> (B<CAP_SETGID>) " +"capability in the I<parent> user namespace." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"No further restrictions apply: the process can make mappings to arbitrary " +"user IDs (group IDs) in the parent user namespace." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "I<Or> otherwise all of the following restrictions apply:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The data written to I<uid_map> (I<gid_map>) must consist of a single line " +"that maps the writing process's effective user ID (group ID) in the parent " +"user namespace to a user ID (group ID) in the user namespace." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The writing process must have the same effective user ID as the process that " +"created the user namespace." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"In the case of I<gid_map>, use of the B<setgroups>(2) system call must " +"first be denied by writing \\[dq]I<deny>\\[dq] to the I</proc/>pidI</" +"setgroups> file (see below) before writing to I<gid_map>." +msgstr "" + +# +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "Writes that violate the above rules fail with the error B<EPERM>." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Project ID mappings: projid_map" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Similarly to user and group ID mappings, it is possible to create project ID " +"mappings for a user namespace. (Project IDs are used for disk quotas; see " +"B<setquota>(8) and B<quotactl>(2).)" +msgstr "" + +#. commit f76d207a66c3a53defea67e7d36c3eb1b7d6d61d +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Project ID mappings are defined by writing to the I</proc/>pidI</projid_map> " +"file (present since Linux 3.7)." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The validity rules for writing to the I</proc/>pidI</projid_map> file are as " +"for writing to the I<uid_map> file; violation of these rules causes " +"B<write>(2) to fail with the error B<EINVAL>." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The permission rules for writing to the I</proc/>pidI</projid_map> file are " +"as follows:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The mapped project IDs must in turn have a mapping in the parent user " +"namespace." +msgstr "" + +# +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Violation of these rules causes B<write>(2) to fail with the error B<EPERM>." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Interaction with system calls that change process UIDs or GIDs" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"In a user namespace where the I<uid_map> file has not been written, the " +"system calls that change user IDs will fail. Similarly, if the I<gid_map> " +"file has not been written, the system calls that change group IDs will " +"fail. After the I<uid_map> and I<gid_map> files have been written, only the " +"mapped values may be used in system calls that change user and group IDs." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"For user IDs, the relevant system calls include B<setuid>(2), " +"B<setfsuid>(2), B<setreuid>(2), and B<setresuid>(2). For group IDs, the " +"relevant system calls include B<setgid>(2), B<setfsgid>(2), B<setregid>(2), " +"B<setresgid>(2), and B<setgroups>(2)." +msgstr "" + +# +#. Things changed in Linux 3.19 +#. commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8 +#. commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272 +#. http://lwn.net/Articles/626665/ +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Writing \\[dq]I<deny>\\[dq] to the I</proc/>pidI</setgroups> file before " +"writing to I</proc/>pidI</gid_map> will permanently disable B<setgroups>(2) " +"in a user namespace and allow writing to I</proc/>pidI</gid_map> without " +"having the B<CAP_SETGID> capability in the parent user namespace." +msgstr "" + +#. type: SS +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "The I</proc/>pidI</setgroups> file" +msgstr "" + +# +#. commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8 +#. commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272 +#. http://lwn.net/Articles/626665/ +#. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8989 +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The I</proc/>pidI</setgroups> file displays the string \\[dq]I<allow>\\[dq] " +"if processes in the user namespace that contains the process I<pid> are " +"permitted to employ the B<setgroups>(2) system call; it displays " +"\\[dq]I<deny>\\[dq] if B<setgroups>(2) is not permitted in that user " +"namespace. Note that regardless of the value in the I</proc/>pidI</" +"setgroups> file (and regardless of the process's capabilities), calls to " +"B<setgroups>(2) are also not permitted if I</proc/>pidI</gid_map> has not " +"yet been set." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A privileged process (one with the B<CAP_SYS_ADMIN> capability in the " +"namespace) may write either of the strings \\[dq]I<allow>\\[dq] or " +"\\[dq]I<deny>\\[dq] to this file I<before> writing a group ID mapping for " +"this user namespace to the file I</proc/>pidI</gid_map>. Writing the string " +"\\[dq]I<deny>\\[dq] prevents any process in the user namespace from " +"employing B<setgroups>(2)." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The essence of the restrictions described in the preceding paragraph is that " +"it is permitted to write to I</proc/>pidI</setgroups> only so long as " +"calling B<setgroups>(2) is disallowed because I</proc/>pidI</gid_map> has " +"not been set. This ensures that a process cannot transition from a state " +"where B<setgroups>(2) is allowed to a state where B<setgroups>(2) is " +"denied; a process can transition only from B<setgroups>(2) being disallowed " +"to B<setgroups>(2) being allowed." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The default value of this file in the initial user namespace is " +"\\[dq]I<allow>\\[dq]." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Once I</proc/>pidI</gid_map> has been written to (which has the effect of " +"enabling B<setgroups>(2) in the user namespace), it is no longer possible " +"to disallow B<setgroups>(2) by writing \\[dq]I<deny>\\[dq] to I</proc/" +">pidI</setgroups> (the write fails with the error B<EPERM>)." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"A child user namespace inherits the I</proc/>pidI</setgroups> setting from " +"its parent." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"If the I<setgroups> file has the value \\[dq]I<deny>\\[dq], then the " +"B<setgroups>(2) system call can't subsequently be reenabled (by writing " +"\\[dq]I<allow>\\[dq] to the file) in this user namespace. (Attempts to do " +"so fail with the error B<EPERM>.) This restriction also propagates down to " +"all child user namespaces of this user namespace." +msgstr "" + +# +# +# +# +#. /proc/PID/setgroups +#. [allow == setgroups() is allowed, "deny" == setgroups() is disallowed] +#. * Can write if have CAP_SYS_ADMIN in NS +#. * Must write BEFORE writing to /proc/PID/gid_map +#. setgroups() +#. * Must already have written to gid_map +#. * /proc/PID/setgroups must be "allow" +#. /proc/PID/gid_map -- writing +#. * Must already have written "deny" to /proc/PID/setgroups +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The I</proc/>pidI</setgroups> file was added in Linux 3.19, but was " +"backported to many earlier stable kernel series, because it addresses a " +"security issue. The issue concerned files with permissions such as \"rwx---" +"rwx\". Such files give fewer permissions to \"group\" than they do to " +"\"other\". This means that dropping groups using B<setgroups>(2) might " +"allow a process file access that it did not formerly have. Before the " +"existence of user namespaces this was not a concern, since only a privileged " +"process (one with the B<CAP_SETGID> capability) could call B<setgroups>(2). " +"However, with the introduction of user namespaces, it became possible for an " +"unprivileged process to create a new namespace in which the user had all " +"privileges. This then allowed formerly unprivileged users to drop groups " +"and thus gain file access that they did not previously have. The I</proc/" +">pidI</setgroups> file was added to address this security issue, by denying " +"any pathway for an unprivileged process to drop groups with B<setgroups>(2)." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Unmapped user and group IDs" +msgstr "" + +#. from_kuid_munged(), from_kgid_munged() +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"There are various places where an unmapped user ID (group ID) may be " +"exposed to user space. For example, the first process in a new user " +"namespace may call B<getuid>(2) before a user ID mapping has been defined " +"for the namespace. In most such cases, an unmapped user ID is converted to " +"the overflow user ID (group ID); the default value for the overflow user ID " +"(group ID) is 65534. See the descriptions of I</proc/sys/kernel/" +"overflowuid> and I</proc/sys/kernel/overflowgid> in B<proc>(5)." +msgstr "" + +#. also SO_PEERCRED +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The cases where unmapped IDs are mapped in this fashion include system calls " +"that return user IDs (B<getuid>(2), B<getgid>(2), and similar), credentials " +"passed over a UNIX domain socket, credentials returned by B<stat>(2), " +"B<waitid>(2), and the System V IPC \"ctl\" B<IPC_STAT> operations, " +"credentials exposed by I</proc/>pidI</status> and the files in I</proc/" +"sysvipc/*>, credentials returned via the I<si_uid> field in the I<siginfo_t> " +"received with a signal (see B<sigaction>(2)), credentials written to the " +"process accounting file (see B<acct>(5)), and credentials returned with " +"POSIX message queue notifications (see B<mq_notify>(3))." +msgstr "" + +# +#. from_kuid(), from_kgid() +#. Also F_GETOWNER_UIDS is an exception +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"There is one notable case where unmapped user and group IDs are I<not> " +"converted to the corresponding overflow ID value. When viewing a I<uid_map> " +"or I<gid_map> file in which there is no mapping for the second field, that " +"field is displayed as 4294967295 (-1 as an unsigned integer)." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Accessing files" +msgstr "" + +# +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"In order to determine permissions when an unprivileged process accesses a " +"file, the process credentials (UID, GID) and the file credentials are in " +"effect mapped back to what they would be in the initial user namespace and " +"then compared to determine the permissions that the process has on the " +"file. The same is also true of other objects that employ the credentials " +"plus permissions mask accessibility model, such as System V IPC objects." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Operation of file-related capabilities" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Certain capabilities allow a process to bypass various kernel-enforced " +"restrictions when performing operations on files owned by other users or " +"groups. These capabilities are: B<CAP_CHOWN>, B<CAP_DAC_OVERRIDE>, " +"B<CAP_DAC_READ_SEARCH>, B<CAP_FOWNER>, and B<CAP_FSETID>." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Within a user namespace, these capabilities allow a process to bypass the " +"rules if the process has the relevant capability over the file, meaning that:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"the process has the relevant effective capability in its user namespace; and" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"the file's user ID and group ID both have valid mappings in the user " +"namespace." +msgstr "" + +# +#. These are the checks performed by the kernel function +#. inode_owner_or_capable(). There is one exception to the exception: +#. overriding the directory sticky permission bit requires that +#. the file has a valid mapping for both its UID and GID. +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The B<CAP_FOWNER> capability is treated somewhat exceptionally: it allows a " +"process to bypass the corresponding rules so long as at least the file's " +"user ID has a mapping in the user namespace (i.e., the file's group ID does " +"not need to have a valid mapping)." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Set-user-ID and set-group-ID programs" +msgstr "" + +# +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When a process inside a user namespace executes a set-user-ID (set-group-ID) " +"program, the process's effective user (group) ID inside the namespace is " +"changed to whatever value is mapped for the user (group) ID of the file. " +"However, if either the user I<or> the group ID of the file has no mapping " +"inside the namespace, the set-user-ID (set-group-ID) bit is silently " +"ignored: the new program is executed, but the process's effective user " +"(group) ID is left unchanged. (This mirrors the semantics of executing a " +"set-user-ID or set-group-ID program that resides on a filesystem that was " +"mounted with the B<MS_NOSUID> flag, as described in B<mount>(2).)" +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Miscellaneous" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"When a process's user and group IDs are passed over a UNIX domain socket to " +"a process in a different user namespace (see the description of " +"B<SCM_CREDENTIALS> in B<unix>(7)), they are translated into the " +"corresponding values as per the receiving process's user and group ID " +"mappings." +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "STANDARDS" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-leap-15-6 opensuse-tumbleweed +msgid "Linux." +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "NOTES" +msgstr "" + +# +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Over the years, there have been a lot of features that have been added to " +"the Linux kernel that have been made available only to privileged users " +"because of their potential to confuse set-user-ID-root applications. In " +"general, it becomes safe to allow the root user in a user namespace to use " +"those features because it is impossible, while in a user namespace, to gain " +"more privilege than the root user of a user namespace has." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Global root" +msgstr "" + +# +#. ============================================================ +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The term \"global root\" is sometimes used as a shorthand for user ID 0 in " +"the initial user namespace." +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Availability" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Use of user namespaces requires a kernel that is configured with the " +"B<CONFIG_USER_NS> option. User namespaces require support in a range of " +"subsystems across the kernel. When an unsupported subsystem is configured " +"into the kernel, it is not possible to configure user namespaces support." +msgstr "" + +#. commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"As at Linux 3.8, most relevant subsystems supported user namespaces, but a " +"number of filesystems did not have the infrastructure needed to map user and " +"group IDs between user namespaces. Linux 3.9 added the required " +"infrastructure support for many of the remaining unsupported filesystems " +"(Plan 9 (9P), Andrew File System (AFS), Ceph, CIFS, CODA, NFS, and OCFS2). " +"Linux 3.12 added support for the last of the unsupported major filesystems, " +"XFS." +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "EXAMPLES" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The program below is designed to allow experimenting with user namespaces, " +"as well as other types of namespaces. It creates namespaces as specified by " +"command-line options and then executes a command inside those namespaces. " +"The comments and I<usage>() function inside the program provide a full " +"explanation of the program. The following shell session demonstrates its " +"use." +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "First, we look at the run-time environment:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "" +"$ B<uname -rs> # Need Linux 3.8 or later\n" +"Linux 3.8.0\n" +"$ B<id -u> # Running as unprivileged user\n" +"1000\n" +"$ B<id -g>\n" +"1000\n" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Now start a new shell in new user (I<-U>), mount (I<-m>), and PID (I<-p>) " +"namespaces, with user ID (I<-M>) and group ID (I<-G>) 1000 mapped to 0 " +"inside the user namespace:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "$ B<./userns_child_exec -p -m -U -M \\[aq]0 1000 1\\[aq] -G \\[aq]0 1000 1\\[aq] bash>\n" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The shell has PID 1, because it is the first process in the new PID " +"namespace:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "" +"bash$ B<echo $$>\n" +"1\n" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Mounting a new I</proc> filesystem and listing all of the processes visible " +"in the new PID namespace shows that the shell can't see any processes " +"outside the PID namespace:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "" +"bash$ B<mount -t proc proc /proc>\n" +"bash$ B<ps ax>\n" +" PID TTY STAT TIME COMMAND\n" +" 1 pts/3 S 0:00 bash\n" +" 22 pts/3 R+ 0:00 ps ax\n" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"Inside the user namespace, the shell has user and group ID 0, and a full set " +"of permitted and effective capabilities:" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "" +"bash$ B<cat /proc/$$/status | egrep \\[aq]\\[ha][UG]id\\[aq]>\n" +"Uid:\t0\t0\t0\t0\n" +"Gid:\t0\t0\t0\t0\n" +"bash$ B<cat /proc/$$/status | egrep \\[aq]\\[ha]Cap(Prm|Inh|Eff)\\[aq]>\n" +"CapInh:\t0000000000000000\n" +"CapPrm:\t0000001fffffffff\n" +"CapEff:\t0000001fffffffff\n" +msgstr "" + +#. type: SS +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "Program source" +msgstr "" + +#. type: Plain text +#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron +#: opensuse-tumbleweed +#, no-wrap +msgid "" +"/* userns_child_exec.c\n" +"\\&\n" +" Licensed under GNU General Public License v2 or later\n" +"\\&\n" +" Create a child process that executes a shell command in new\n" +" namespace(s); allow UID and GID mappings to be specified when\n" +" creating a user namespace.\n" +"*/\n" +"#define _GNU_SOURCE\n" +"#include E<lt>err.hE<gt>\n" +"#include E<lt>sched.hE<gt>\n" +"#include E<lt>unistd.hE<gt>\n" +"#include E<lt>stdint.hE<gt>\n" +"#include E<lt>stdlib.hE<gt>\n" +"#include E<lt>sys/wait.hE<gt>\n" +"#include E<lt>signal.hE<gt>\n" +"#include E<lt>fcntl.hE<gt>\n" +"#include E<lt>stdio.hE<gt>\n" +"#include E<lt>string.hE<gt>\n" +"#include E<lt>limits.hE<gt>\n" +"#include E<lt>errno.hE<gt>\n" +"\\&\n" +"struct child_args {\n" +" char **argv; /* Command to be executed by child, with args */\n" +" int pipe_fd[2]; /* Pipe used to synchronize parent and child */\n" +"};\n" +"\\&\n" +"static int verbose;\n" +"\\&\n" +"static void\n" +"usage(char *pname)\n" +"{\n" +" fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n" +" fprintf(stderr, \"Create a child process that executes a shell \"\n" +" \"command in a new user namespace,\\en\"\n" +" \"and possibly also other new namespace(s).\\en\\en\");\n" +" fprintf(stderr, \"Options can be:\\en\\en\");\n" +"#define fpe(str) fprintf(stderr, \" %s\", str);\n" +" fpe(\"-i New IPC namespace\\en\");\n" +" fpe(\"-m New mount namespace\\en\");\n" +" fpe(\"-n New network namespace\\en\");\n" +" fpe(\"-p New PID namespace\\en\");\n" +" fpe(\"-u New UTS namespace\\en\");\n" +" fpe(\"-U New user namespace\\en\");\n" +" fpe(\"-M uid_map Specify UID map for user namespace\\en\");\n" +" fpe(\"-G gid_map Specify GID map for user namespace\\en\");\n" +" fpe(\"-z Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n" +" fpe(\" (equivalent to: -M \\[aq]0 E<lt>uidE<gt> 1\\[aq] -G \\[aq]0 E<lt>gidE<gt> 1\\[aq])\\en\");\n" +" fpe(\"-v Display verbose messages\\en\");\n" +" fpe(\"\\en\");\n" +" fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n" +" fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n" +" fpe(\"\\en\");\n" +" fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n" +" fpe(\"\\en\");\n" +" fpe(\" ID-inside-ns ID-outside-ns len\\en\");\n" +" fpe(\"\\en\");\n" +" fpe(\"A map string can contain multiple records, separated\"\n" +" \" by commas;\\en\");\n" +" fpe(\"the commas are replaced by newlines before writing\"\n" +" \" to map files.\\en\");\n" +"\\&\n" +" exit(EXIT_FAILURE);\n" +"}\n" +"\\&\n" +"/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n" +" \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n" +" GID mapping consists of one or more newline-delimited records\n" +" of the form:\n" +"\\&\n" +" ID_inside-ns ID-outside-ns length\n" +"\\&\n" +" Requiring the user to supply a string that contains newlines is\n" +" of course inconvenient for command-line use. Thus, we permit the\n" +" use of commas to delimit records in this string, and replace them\n" +" with newlines before writing the string to the file. */\n" +"\\&\n" +"static void\n" +"update_map(char *mapping, char *map_file)\n" +"{\n" +" int fd;\n" +" size_t map_len; /* Length of \\[aq]mapping\\[aq] */\n" +"\\&\n" +" /* Replace commas in mapping string with newlines. */\n" +"\\&\n" +" map_len = strlen(mapping);\n" +" for (size_t j = 0; j E<lt> map_len; j++)\n" +" if (mapping[j] == \\[aq],\\[aq])\n" +" mapping[j] = \\[aq]\\en\\[aq];\n" +"\\&\n" +" fd = open(map_file, O_RDWR);\n" +" if (fd == -1) {\n" +" fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n" +" strerror(errno));\n" +" exit(EXIT_FAILURE);\n" +" }\n" +"\\&\n" +" if (write(fd, mapping, map_len) != map_len) {\n" +" fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n" +" strerror(errno));\n" +" exit(EXIT_FAILURE);\n" +" }\n" +"\\&\n" +" close(fd);\n" +"}\n" +"\\&\n" +"/* Linux 3.19 made a change in the handling of setgroups(2) and\n" +" the \\[aq]gid_map\\[aq] file to address a security issue. The issue\n" +" allowed *unprivileged* users to employ user namespaces in\n" +" order to drop groups. The upshot of the 3.19 changes is that\n" +" in order to update the \\[aq]gid_maps\\[aq] file, use of the setgroups()\n" +" system call in this user namespace must first be disabled by\n" +" writing \"deny\" to one of the /proc/PID/setgroups files for\n" +" this namespace. That is the purpose of the following function. */\n" +"\\&\n" +"static void\n" +"proc_setgroups_write(pid_t child_pid, char *str)\n" +"{\n" +" char setgroups_path[PATH_MAX];\n" +" int fd;\n" +"\\&\n" +" snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n" +" (intmax_t) child_pid);\n" +"\\&\n" +" fd = open(setgroups_path, O_RDWR);\n" +" if (fd == -1) {\n" +"\\&\n" +" /* We may be on a system that doesn\\[aq]t support\n" +" /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n" +" and the system won\\[aq]t impose the restrictions that Linux 3.19\n" +" added. That\\[aq]s fine: we don\\[aq]t need to do anything in order\n" +" to permit \\[aq]gid_map\\[aq] to be updated.\n" +"\\&\n" +" However, if the error from open() was something other than\n" +" the ENOENT error that is expected for that case, let the\n" +" user know. */\n" +"\\&\n" +" if (errno != ENOENT)\n" +" fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n" +" strerror(errno));\n" +" return;\n" +" }\n" +"\\&\n" +" if (write(fd, str, strlen(str)) == -1)\n" +" fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n" +" strerror(errno));\n" +"\\&\n" +" close(fd);\n" +"}\n" +"\\&\n" +"static int /* Start function for cloned child */\n" +"childFunc(void *arg)\n" +"{\n" +" struct child_args *args = arg;\n" +" char ch;\n" +"\\&\n" +" /* Wait until the parent has updated the UID and GID mappings.\n" +" See the comment in main(). We wait for end of file on a\n" +" pipe that will be closed by the parent process once it has\n" +" updated the mappings. */\n" +"\\&\n" +" close(args-E<gt>pipe_fd[1]); /* Close our descriptor for the write\n" +" end of the pipe so that we see EOF\n" +" when parent closes its descriptor. */\n" +" if (read(args-E<gt>pipe_fd[0], &ch, 1) != 0) {\n" +" fprintf(stderr,\n" +" \"Failure in child: read from pipe returned != 0\\en\");\n" +" exit(EXIT_FAILURE);\n" +" }\n" +"\\&\n" +" close(args-E<gt>pipe_fd[0]);\n" +"\\&\n" +" /* Execute a shell command. */\n" +"\\&\n" +" printf(\"About to exec %s\\en\", args-E<gt>argv[0]);\n" +" execvp(args-E<gt>argv[0], args-E<gt>argv);\n" +" err(EXIT_FAILURE, \"execvp\");\n" +"}\n" +"\\&\n" +"#define STACK_SIZE (1024 * 1024)\n" +"\\&\n" +"static char child_stack[STACK_SIZE]; /* Space for child\\[aq]s stack */\n" +"\\&\n" +"int\n" +"main(int argc, char *argv[])\n" +"{\n" +" int flags, opt, map_zero;\n" +" pid_t child_pid;\n" +" struct child_args args;\n" +" char *uid_map, *gid_map;\n" +" const int MAP_BUF_SIZE = 100;\n" +" char map_buf[MAP_BUF_SIZE];\n" +" char map_path[PATH_MAX];\n" +"\\&\n" +" /* Parse command-line options. The initial \\[aq]+\\[aq] character in\n" +" the final getopt() argument prevents GNU-style permutation\n" +" of command-line options. That\\[aq]s useful, since sometimes\n" +" the \\[aq]command\\[aq] to be executed by this program itself\n" +" has command-line options. We don\\[aq]t want getopt() to treat\n" +" those as options to this program. */\n" +"\\&\n" +" flags = 0;\n" +" verbose = 0;\n" +" gid_map = NULL;\n" +" uid_map = NULL;\n" +" map_zero = 0;\n" +" while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n" +" switch (opt) {\n" +" case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC; break;\n" +" case \\[aq]m\\[aq]: flags |= CLONE_NEWNS; break;\n" +" case \\[aq]n\\[aq]: flags |= CLONE_NEWNET; break;\n" +" case \\[aq]p\\[aq]: flags |= CLONE_NEWPID; break;\n" +" case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS; break;\n" +" case \\[aq]v\\[aq]: verbose = 1; break;\n" +" case \\[aq]z\\[aq]: map_zero = 1; break;\n" +" case \\[aq]M\\[aq]: uid_map = optarg; break;\n" +" case \\[aq]G\\[aq]: gid_map = optarg; break;\n" +" case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER; break;\n" +" default: usage(argv[0]);\n" +" }\n" +" }\n" +"\\&\n" +" /* -M or -G without -U is nonsensical */\n" +"\\&\n" +" if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n" +" !(flags & CLONE_NEWUSER)) ||\n" +" (map_zero && (uid_map != NULL || gid_map != NULL)))\n" +" usage(argv[0]);\n" +"\\&\n" +" args.argv = &argv[optind];\n" +"\\&\n" +" /* We use a pipe to synchronize the parent and child, in order to\n" +" ensure that the parent sets the UID and GID maps before the child\n" +" calls execve(). This ensures that the child maintains its\n" +" capabilities during the execve() in the common case where we\n" +" want to map the child\\[aq]s effective user ID to 0 in the new user\n" +" namespace. Without this synchronization, the child would lose\n" +" its capabilities if it performed an execve() with nonzero\n" +" user IDs (see the capabilities(7) man page for details of the\n" +" transformation of a process\\[aq]s capabilities during execve()). */\n" +"\\&\n" +" if (pipe(args.pipe_fd) == -1)\n" +" err(EXIT_FAILURE, \"pipe\");\n" +"\\&\n" +" /* Create the child in new namespace(s). */\n" +"\\&\n" +" child_pid = clone(childFunc, child_stack + STACK_SIZE,\n" +" flags | SIGCHLD, &args);\n" +" if (child_pid == -1)\n" +" err(EXIT_FAILURE, \"clone\");\n" +"\\&\n" +" /* Parent falls through to here. */\n" +"\\&\n" +" if (verbose)\n" +" printf(\"%s: PID of child created by clone() is %jd\\en\",\n" +" argv[0], (intmax_t) child_pid);\n" +"\\&\n" +" /* Update the UID and GID maps in the child. */\n" +"\\&\n" +" if (uid_map != NULL || map_zero) {\n" +" snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n" +" (intmax_t) child_pid);\n" +" if (map_zero) {\n" +" snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n" +" (intmax_t) getuid());\n" +" uid_map = map_buf;\n" +" }\n" +" update_map(uid_map, map_path);\n" +" }\n" +"\\&\n" +" if (gid_map != NULL || map_zero) {\n" +" proc_setgroups_write(child_pid, \"deny\");\n" +"\\&\n" +" snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n" +" (intmax_t) child_pid);\n" +" if (map_zero) {\n" +" snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n" +" (intmax_t) getgid());\n" +" gid_map = map_buf;\n" +" }\n" +" update_map(gid_map, map_path);\n" +" }\n" +"\\&\n" +" /* Close the write end of the pipe, to signal to the child that we\n" +" have updated the UID and GID maps. */\n" +"\\&\n" +" close(args.pipe_fd[1]);\n" +"\\&\n" +" if (waitpid(child_pid, NULL, 0) == -1) /* Wait for child */\n" +" err(EXIT_FAILURE, \"waitpid\");\n" +"\\&\n" +" if (verbose)\n" +" printf(\"%s: terminating\\en\", argv[0]);\n" +"\\&\n" +" exit(EXIT_SUCCESS);\n" +"}\n" +msgstr "" + +#. type: SH +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +#, no-wrap +msgid "SEE ALSO" +msgstr "" + +#. From the shadow package +#. From the shadow package +#. From the shadow package +#. From the shadow package +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"B<newgidmap>(1), B<newuidmap>(1), B<clone>(2), B<ptrace>(2), B<setns>(2), " +"B<unshare>(2), B<proc>(5), B<subgid>(5), B<subuid>(5), B<capabilities>(7), " +"B<cgroup_namespaces>(7), B<credentials>(7), B<namespaces>(7), " +"B<pid_namespaces>(7)" +msgstr "" + +#. type: Plain text +#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide +#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed +msgid "" +"The kernel source file I<Documentation/admin-guide/namespaces/resource-" +"control.rst>." +msgstr "" + +#. type: TH +#: debian-bookworm +#, no-wrap +msgid "2023-02-05" +msgstr "" + +#. type: TH +#: debian-bookworm +#, no-wrap +msgid "Linux man-pages 6.03" +msgstr "" + +#. type: SS +#: debian-bookworm +#, no-wrap +msgid "The /proc/I<pid>/setgroups file" +msgstr "" + +#. type: Plain text +#: debian-bookworm +msgid "Namespaces are a Linux-specific feature." +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "/* userns_child_exec.c\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid " Licensed under GNU General Public License v2 or later\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" Create a child process that executes a shell command in new\n" +" namespace(s); allow UID and GID mappings to be specified when\n" +" creating a user namespace.\n" +"*/\n" +"#define _GNU_SOURCE\n" +"#include E<lt>err.hE<gt>\n" +"#include E<lt>sched.hE<gt>\n" +"#include E<lt>unistd.hE<gt>\n" +"#include E<lt>stdint.hE<gt>\n" +"#include E<lt>stdlib.hE<gt>\n" +"#include E<lt>sys/wait.hE<gt>\n" +"#include E<lt>signal.hE<gt>\n" +"#include E<lt>fcntl.hE<gt>\n" +"#include E<lt>stdio.hE<gt>\n" +"#include E<lt>string.hE<gt>\n" +"#include E<lt>limits.hE<gt>\n" +"#include E<lt>errno.hE<gt>\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"struct child_args {\n" +" char **argv; /* Command to be executed by child, with args */\n" +" int pipe_fd[2]; /* Pipe used to synchronize parent and child */\n" +"};\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "static int verbose;\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"static void\n" +"usage(char *pname)\n" +"{\n" +" fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n" +" fprintf(stderr, \"Create a child process that executes a shell \"\n" +" \"command in a new user namespace,\\en\"\n" +" \"and possibly also other new namespace(s).\\en\\en\");\n" +" fprintf(stderr, \"Options can be:\\en\\en\");\n" +"#define fpe(str) fprintf(stderr, \" %s\", str);\n" +" fpe(\"-i New IPC namespace\\en\");\n" +" fpe(\"-m New mount namespace\\en\");\n" +" fpe(\"-n New network namespace\\en\");\n" +" fpe(\"-p New PID namespace\\en\");\n" +" fpe(\"-u New UTS namespace\\en\");\n" +" fpe(\"-U New user namespace\\en\");\n" +" fpe(\"-M uid_map Specify UID map for user namespace\\en\");\n" +" fpe(\"-G gid_map Specify GID map for user namespace\\en\");\n" +" fpe(\"-z Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n" +" fpe(\" (equivalent to: -M \\[aq]0 E<lt>uidE<gt> 1\\[aq] -G \\[aq]0 E<lt>gidE<gt> 1\\[aq])\\en\");\n" +" fpe(\"-v Display verbose messages\\en\");\n" +" fpe(\"\\en\");\n" +" fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n" +" fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n" +" fpe(\"\\en\");\n" +" fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n" +" fpe(\"\\en\");\n" +" fpe(\" ID-inside-ns ID-outside-ns len\\en\");\n" +" fpe(\"\\en\");\n" +" fpe(\"A map string can contain multiple records, separated\"\n" +" \" by commas;\\en\");\n" +" fpe(\"the commas are replaced by newlines before writing\"\n" +" \" to map files.\\en\");\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" exit(EXIT_FAILURE);\n" +"}\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n" +" \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n" +" GID mapping consists of one or more newline-delimited records\n" +" of the form:\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid " ID_inside-ns ID-outside-ns length\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" Requiring the user to supply a string that contains newlines is\n" +" of course inconvenient for command-line use. Thus, we permit the\n" +" use of commas to delimit records in this string, and replace them\n" +" with newlines before writing the string to the file. */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"static void\n" +"update_map(char *mapping, char *map_file)\n" +"{\n" +" int fd;\n" +" size_t map_len; /* Length of \\[aq]mapping\\[aq] */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid " /* Replace commas in mapping string with newlines. */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" map_len = strlen(mapping);\n" +" for (size_t j = 0; j E<lt> map_len; j++)\n" +" if (mapping[j] == \\[aq],\\[aq])\n" +" mapping[j] = \\[aq]\\en\\[aq];\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" fd = open(map_file, O_RDWR);\n" +" if (fd == -1) {\n" +" fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n" +" strerror(errno));\n" +" exit(EXIT_FAILURE);\n" +" }\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" if (write(fd, mapping, map_len) != map_len) {\n" +" fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n" +" strerror(errno));\n" +" exit(EXIT_FAILURE);\n" +" }\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" close(fd);\n" +"}\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"/* Linux 3.19 made a change in the handling of setgroups(2) and the\n" +" \\[aq]gid_map\\[aq] file to address a security issue. The issue allowed\n" +" *unprivileged* users to employ user namespaces in order to drop groups.\n" +" The upshot of the 3.19 changes is that in order to update the\n" +" \\[aq]gid_maps\\[aq] file, use of the setgroups() system call in this\n" +" user namespace must first be disabled by writing \"deny\" to one of\n" +" the /proc/PID/setgroups files for this namespace. That is the\n" +" purpose of the following function. */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"static void\n" +"proc_setgroups_write(pid_t child_pid, char *str)\n" +"{\n" +" char setgroups_path[PATH_MAX];\n" +" int fd;\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n" +" (intmax_t) child_pid);\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" fd = open(setgroups_path, O_RDWR);\n" +" if (fd == -1) {\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" /* We may be on a system that doesn\\[aq]t support\n" +" /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n" +" and the system won\\[aq]t impose the restrictions that Linux 3.19\n" +" added. That\\[aq]s fine: we don\\[aq]t need to do anything in order\n" +" to permit \\[aq]gid_map\\[aq] to be updated.\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" However, if the error from open() was something other than\n" +" the ENOENT error that is expected for that case, let the\n" +" user know. */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" if (errno != ENOENT)\n" +" fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n" +" strerror(errno));\n" +" return;\n" +" }\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" if (write(fd, str, strlen(str)) == -1)\n" +" fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n" +" strerror(errno));\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"static int /* Start function for cloned child */\n" +"childFunc(void *arg)\n" +"{\n" +" struct child_args *args = arg;\n" +" char ch;\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" /* Wait until the parent has updated the UID and GID mappings.\n" +" See the comment in main(). We wait for end of file on a\n" +" pipe that will be closed by the parent process once it has\n" +" updated the mappings. */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" close(args-E<gt>pipe_fd[1]); /* Close our descriptor for the write\n" +" end of the pipe so that we see EOF\n" +" when parent closes its descriptor. */\n" +" if (read(args-E<gt>pipe_fd[0], &ch, 1) != 0) {\n" +" fprintf(stderr,\n" +" \"Failure in child: read from pipe returned != 0\\en\");\n" +" exit(EXIT_FAILURE);\n" +" }\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid " close(args-E<gt>pipe_fd[0]);\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid " /* Execute a shell command. */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" printf(\"About to exec %s\\en\", args-E<gt>argv[0]);\n" +" execvp(args-E<gt>argv[0], args-E<gt>argv);\n" +" err(EXIT_FAILURE, \"execvp\");\n" +"}\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "#define STACK_SIZE (1024 * 1024)\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "static char child_stack[STACK_SIZE]; /* Space for child\\[aq]s stack */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +"int\n" +"main(int argc, char *argv[])\n" +"{\n" +" int flags, opt, map_zero;\n" +" pid_t child_pid;\n" +" struct child_args args;\n" +" char *uid_map, *gid_map;\n" +" const int MAP_BUF_SIZE = 100;\n" +" char map_buf[MAP_BUF_SIZE];\n" +" char map_path[PATH_MAX];\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" /* Parse command-line options. The initial \\[aq]+\\[aq] character in\n" +" the final getopt() argument prevents GNU-style permutation\n" +" of command-line options. That\\[aq]s useful, since sometimes\n" +" the \\[aq]command\\[aq] to be executed by this program itself\n" +" has command-line options. We don\\[aq]t want getopt() to treat\n" +" those as options to this program. */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" flags = 0;\n" +" verbose = 0;\n" +" gid_map = NULL;\n" +" uid_map = NULL;\n" +" map_zero = 0;\n" +" while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n" +" switch (opt) {\n" +" case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC; break;\n" +" case \\[aq]m\\[aq]: flags |= CLONE_NEWNS; break;\n" +" case \\[aq]n\\[aq]: flags |= CLONE_NEWNET; break;\n" +" case \\[aq]p\\[aq]: flags |= CLONE_NEWPID; break;\n" +" case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS; break;\n" +" case \\[aq]v\\[aq]: verbose = 1; break;\n" +" case \\[aq]z\\[aq]: map_zero = 1; break;\n" +" case \\[aq]M\\[aq]: uid_map = optarg; break;\n" +" case \\[aq]G\\[aq]: gid_map = optarg; break;\n" +" case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER; break;\n" +" default: usage(argv[0]);\n" +" }\n" +" }\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid " /* -M or -G without -U is nonsensical */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n" +" !(flags & CLONE_NEWUSER)) ||\n" +" (map_zero && (uid_map != NULL || gid_map != NULL)))\n" +" usage(argv[0]);\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid " args.argv = &argv[optind];\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" /* We use a pipe to synchronize the parent and child, in order to\n" +" ensure that the parent sets the UID and GID maps before the child\n" +" calls execve(). This ensures that the child maintains its\n" +" capabilities during the execve() in the common case where we\n" +" want to map the child\\[aq]s effective user ID to 0 in the new user\n" +" namespace. Without this synchronization, the child would lose\n" +" its capabilities if it performed an execve() with nonzero\n" +" user IDs (see the capabilities(7) man page for details of the\n" +" transformation of a process\\[aq]s capabilities during execve()). */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" if (pipe(args.pipe_fd) == -1)\n" +" err(EXIT_FAILURE, \"pipe\");\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid " /* Create the child in new namespace(s). */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" child_pid = clone(childFunc, child_stack + STACK_SIZE,\n" +" flags | SIGCHLD, &args);\n" +" if (child_pid == -1)\n" +" err(EXIT_FAILURE, \"clone\");\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid " /* Parent falls through to here. */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" if (verbose)\n" +" printf(\"%s: PID of child created by clone() is %jd\\en\",\n" +" argv[0], (intmax_t) child_pid);\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid " /* Update the UID and GID maps in the child. */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" if (uid_map != NULL || map_zero) {\n" +" snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n" +" (intmax_t) child_pid);\n" +" if (map_zero) {\n" +" snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n" +" (intmax_t) getuid());\n" +" uid_map = map_buf;\n" +" }\n" +" update_map(uid_map, map_path);\n" +" }\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" if (gid_map != NULL || map_zero) {\n" +" proc_setgroups_write(child_pid, \"deny\");\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n" +" (intmax_t) child_pid);\n" +" if (map_zero) {\n" +" snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n" +" (intmax_t) getgid());\n" +" gid_map = map_buf;\n" +" }\n" +" update_map(gid_map, map_path);\n" +" }\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" /* Close the write end of the pipe, to signal to the child that we\n" +" have updated the UID and GID maps. */\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid " close(args.pipe_fd[1]);\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" if (waitpid(child_pid, NULL, 0) == -1) /* Wait for child */\n" +" err(EXIT_FAILURE, \"waitpid\");\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" if (verbose)\n" +" printf(\"%s: terminating\\en\", argv[0]);\n" +msgstr "" + +#. type: Plain text +#: debian-bookworm opensuse-leap-15-6 +#, no-wrap +msgid "" +" exit(EXIT_SUCCESS);\n" +"}\n" +msgstr "" + +#. type: TH +#: debian-unstable opensuse-tumbleweed +#, no-wrap +msgid "2023-05-03" +msgstr "" + +#. type: TH +#: debian-unstable opensuse-tumbleweed +#, no-wrap +msgid "Linux man-pages 6.05.01" +msgstr "" + +#. type: TH +#: opensuse-leap-15-6 +#, no-wrap +msgid "2023-04-01" +msgstr "" + +#. type: TH +#: opensuse-leap-15-6 +#, no-wrap +msgid "Linux man-pages 6.04" +msgstr "" |