summaryrefslogtreecommitdiffstats
path: root/templates/man7/user_namespaces.7.pot
diff options
context:
space:
mode:
Diffstat (limited to 'templates/man7/user_namespaces.7.pot')
-rw-r--r--templates/man7/user_namespaces.7.pot2415
1 files changed, 2415 insertions, 0 deletions
diff --git a/templates/man7/user_namespaces.7.pot b/templates/man7/user_namespaces.7.pot
new file mode 100644
index 00000000..456b4378
--- /dev/null
+++ b/templates/man7/user_namespaces.7.pot
@@ -0,0 +1,2415 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2024-03-01 17:13+0100\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "user_namespaces"
+msgstr ""
+
+#. type: TH
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "2023-10-31"
+msgstr ""
+
+#. type: TH
+#: archlinux fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "Linux man-pages 6.06"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "user_namespaces - overview of Linux user namespaces"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "For an overview of namespaces, see B<namespaces>(7)."
+msgstr ""
+
+#
+#. FIXME: This page says very little about the interaction
+#. of user namespaces and keys. Add something on this topic.
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"User namespaces isolate security-related identifiers and attributes, in "
+"particular, user IDs and group IDs (see B<credentials>(7)), the root "
+"directory, keys (see B<keyrings>(7)), and capabilities (see "
+"B<capabilities>(7)). A process's user and group IDs can be different inside "
+"and outside a user namespace. In particular, a process can have a normal "
+"unprivileged user ID outside a user namespace while at the same time having "
+"a user ID of 0 inside the namespace; in other words, the process has full "
+"privileges for operations inside the user namespace, but is unprivileged for "
+"operations outside the namespace."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Nested namespaces, namespace membership"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"User namespaces can be nested; that is, each user namespace\\[em]except the "
+"initial (\"root\") namespace\\[em]has a parent user namespace, and can have "
+"zero or more child user namespaces. The parent user namespace is the user "
+"namespace of the process that creates the user namespace via a call to "
+"B<unshare>(2) or B<clone>(2) with the B<CLONE_NEWUSER> flag."
+msgstr ""
+
+#. commit 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
+#. FIXME Explain the rationale for this limit. (What is the rationale?)
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The kernel imposes (since Linux 3.11) a limit of 32 nested levels of user "
+"namespaces. Calls to B<unshare>(2) or B<clone>(2) that would cause this "
+"limit to be exceeded fail with the error B<EUSERS>."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Each process is a member of exactly one user namespace. A process created "
+"via B<fork>(2) or B<clone>(2) without the B<CLONE_NEWUSER> flag is a "
+"member of the same user namespace as its parent. A single-threaded process "
+"can join another user namespace with B<setns>(2) if it has the "
+"B<CAP_SYS_ADMIN> in that namespace; upon doing so, it gains a full set of "
+"capabilities in that namespace."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"A call to B<clone>(2) or B<unshare>(2) with the B<CLONE_NEWUSER> flag "
+"makes the new child process (for B<clone>(2)) or the caller (for "
+"B<unshare>(2)) a member of the new user namespace created by the call."
+msgstr ""
+
+# #-#-#-#-# debian-bookworm: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-#
+#
+#. #-#-#-#-# archlinux: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-#
+#. type: Plain text
+#. #-#-#-#-# debian-bookworm: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-#
+#. ============================================================
+#. type: Plain text
+#. #-#-#-#-# debian-unstable: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-#
+#. type: Plain text
+#. #-#-#-#-# fedora-40: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-#
+#. type: Plain text
+#. #-#-#-#-# fedora-rawhide: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-#
+#. type: Plain text
+#. #-#-#-#-# mageia-cauldron: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-#
+#. type: Plain text
+#. #-#-#-#-# opensuse-leap-15-6: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-#
+#. type: Plain text
+#. #-#-#-#-# opensuse-tumbleweed: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-#
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The B<NS_GET_PARENT> B<ioctl>(2) operation can be used to discover the "
+"parental relationship between user namespaces; see B<ioctl_ns>(2)."
+msgstr ""
+
+#
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+#: opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"A task that changes one of its effective IDs will have its dumpability reset "
+"to the value in I</proc/sys/fs/suid_dumpable>. This may affect the "
+"ownership of proc files of child processes and may thus cause the parent to "
+"lack the permissions to write to mapping files of child processes running in "
+"a new user namespace. In such cases making the parent process dumpable, "
+"using B<PR_SET_DUMPABLE> in a call to B<prctl>(2), before creating a child "
+"process in a new user namespace may rectify this problem. See B<prctl>(2) "
+"and B<proc>(5) for details on how ownership is affected."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Capabilities"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The child process created by B<clone>(2) with the B<CLONE_NEWUSER> flag "
+"starts out with a complete set of capabilities in the new user namespace. "
+"Likewise, a process that creates a new user namespace using B<unshare>(2) "
+"or joins an existing user namespace using B<setns>(2) gains a full set of "
+"capabilities in that namespace. On the other hand, that process has no "
+"capabilities in the parent (in the case of B<clone>(2)) or previous (in the "
+"case of B<unshare>(2) and B<setns>(2)) user namespace, even if the new "
+"namespace is created or joined by the root user (i.e., a process with user "
+"ID 0 in the root namespace)."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Note that a call to B<execve>(2) will cause a process's capabilities to be "
+"recalculated in the usual way (see B<capabilities>(7)). Consequently, "
+"unless the process has a user ID of 0 within the namespace, or the "
+"executable file has a nonempty inheritable capabilities mask, the process "
+"will lose all capabilities. See the discussion of user and group ID "
+"mappings, below."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"A call to B<clone>(2) or B<unshare>(2) using the B<CLONE_NEWUSER> flag or "
+"a call to B<setns>(2) that moves the caller into another user namespace "
+"sets the \"securebits\" flags (see B<capabilities>(7)) to their default "
+"values (all flags disabled) in the child (for B<clone>(2)) or caller (for "
+"B<unshare>(2) or B<setns>(2)). Note that because the caller no longer has "
+"capabilities in its original user namespace after a call to B<setns>(2), it "
+"is not possible for a process to reset its \"securebits\" flags while "
+"retaining its user namespace membership by using a pair of B<setns>(2) "
+"calls to move to another user namespace and then return to its original user "
+"namespace."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The rules for determining whether or not a process has a capability in a "
+"particular user namespace are as follows:"
+msgstr ""
+
+#. type: IP
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "\\[bu]"
+msgstr ""
+
+#. In the 3.8 sources, see security/commoncap.c::cap_capable():
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"A process has a capability inside a user namespace if it is a member of that "
+"namespace and it has the capability in its effective capability set. A "
+"process can gain capabilities in its effective capability set in various "
+"ways. For example, it may execute a set-user-ID program or an executable "
+"with associated file capabilities. In addition, a process may gain "
+"capabilities via the effect of B<clone>(2), B<unshare>(2), or B<setns>(2), "
+"as already described."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"If a process has a capability in a user namespace, then it has that "
+"capability in all child (and further removed descendant) namespaces as well."
+msgstr ""
+
+#
+#. * The owner of the user namespace in the parent of the
+#. * user namespace has all caps.
+#. (and likewise associates the effective group ID of the creating process
+#. with the namespace).
+#. See kernel commit 520d9eabce18edfef76a60b7b839d54facafe1f9 for a fix
+#. on this point
+#. This includes the case where the process executes a set-user-ID
+#. program that confers the effective UID of the creator of the namespace.
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When a user namespace is created, the kernel records the effective user ID "
+"of the creating process as being the \"owner\" of the namespace. A process "
+"that resides in the parent of the user namespace and whose effective user ID "
+"matches the owner of the namespace has all capabilities in the namespace. "
+"By virtue of the previous rule, this means that the process has all "
+"capabilities in all further removed descendant user namespaces as well. The "
+"B<NS_GET_OWNER_UID> B<ioctl>(2) operation can be used to discover the user "
+"ID of the owner of the namespace; see B<ioctl_ns>(2)."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Effect of capabilities within a user namespace"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Having a capability inside a user namespace permits a process to perform "
+"operations (that require privilege) only on resources governed by that "
+"namespace. In other words, having a capability in a user namespace permits "
+"a process to perform privileged operations on resources that are governed by "
+"(nonuser) namespaces owned by (associated with) the user namespace (see the "
+"next subsection)."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"On the other hand, there are many privileged operations that affect "
+"resources that are not associated with any namespace type, for example, "
+"changing the system (i.e., calendar) time (governed by B<CAP_SYS_TIME>), "
+"loading a kernel module (governed by B<CAP_SYS_MODULE>), and creating a "
+"device (governed by B<CAP_MKNOD>). Only a process with privileges in the "
+"I<initial> user namespace can perform such operations."
+msgstr ""
+
+#. fs_flags = FS_USERNS_MOUNT in kernel sources
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's "
+"mount namespace allows that process to create bind mounts and mount the "
+"following types of filesystems:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "I</proc> (since Linux 3.8)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "I</sys> (since Linux 3.8)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "I<devpts> (since Linux 3.9)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<tmpfs>(5) (since Linux 3.9)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "I<ramfs> (since Linux 3.9)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "I<mqueue> (since Linux 3.9)"
+msgstr ""
+
+#. commit b2197755b2633e164a439682fb05a9b5ea48f706
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "I<bpf> (since Linux 4.4)"
+msgstr ""
+
+#. commit 92dbc9dedccb9759c7f9f2f0ae6242396376988f
+#. commit 4cb2c00c43b3fe88b32f29df4f76da1b92c33224
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "I<overlayfs> (since Linux 5.11)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's "
+"cgroup namespace allows (since Linux 4.6) that process to the mount the "
+"cgroup version 2 filesystem and cgroup version 1 named hierarchies (i.e., "
+"cgroup filesystems mounted with the I<\"none,name=\"> option)."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's PID "
+"namespace allows (since Linux 3.8) that process to mount I</proc> "
+"filesystems."
+msgstr ""
+
+#
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Note, however, that mounting block-based filesystems can be done only by a "
+"process that holds B<CAP_SYS_ADMIN> in the initial user namespace."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Interaction of user namespaces and other types of namespaces"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Starting in Linux 3.8, unprivileged processes can create user namespaces, "
+"and the other types of namespaces can be created with just the "
+"B<CAP_SYS_ADMIN> capability in the caller's user namespace."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When a nonuser namespace is created, it is owned by the user namespace in "
+"which the creating process was a member at the time of the creation of the "
+"namespace. Privileged operations on resources governed by the nonuser "
+"namespace require that the process has the necessary capabilities in the "
+"user namespace that owns the nonuser namespace."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"If B<CLONE_NEWUSER> is specified along with other B<CLONE_NEW*> flags in a "
+"single B<clone>(2) or B<unshare>(2) call, the user namespace is guaranteed "
+"to be created first, giving the child (B<clone>(2)) or caller "
+"(B<unshare>(2)) privileges over the remaining namespaces created by the "
+"call. Thus, it is possible for an unprivileged caller to specify this "
+"combination of flags."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When a new namespace (other than a user namespace) is created via "
+"B<clone>(2) or B<unshare>(2), the kernel records the user namespace of the "
+"creating process as the owner of the new namespace. (This association can't "
+"be changed.) When a process in the new namespace subsequently performs "
+"privileged operations that operate on global resources isolated by the "
+"namespace, the permission checks are performed according to the process's "
+"capabilities in the user namespace that the kernel associated with the new "
+"namespace. For example, suppose that a process attempts to change the "
+"hostname (B<sethostname>(2)), a resource governed by the UTS namespace. In "
+"this case, the kernel will determine which user namespace owns the process's "
+"UTS namespace, and check whether the process has the required capability "
+"(B<CAP_SYS_ADMIN>) in that user namespace."
+msgstr ""
+
+#
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The B<NS_GET_USERNS> B<ioctl>(2) operation can be used to discover the user "
+"namespace that owns a nonuser namespace; see B<ioctl_ns>(2)."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "User and group ID mappings: uid_map and gid_map"
+msgstr ""
+
+#. commit 22d917d80e842829d0ca0a561967d728eb1d6303
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When a user namespace is created, it starts out without a mapping of user "
+"IDs (group IDs) to the parent user namespace. The I</proc/>pidI</uid_map> "
+"and I</proc/>pidI</gid_map> files (available since Linux 3.5) expose the "
+"mappings for user and group IDs inside the user namespace for the process "
+"I<pid>. These files can be read to view the mappings in a user namespace "
+"and written to (once) to define the mappings."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The description in the following paragraphs explains the details for "
+"I<uid_map>; I<gid_map> is exactly the same, but each instance of \"user ID\" "
+"is replaced by \"group ID\"."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The I<uid_map> file exposes the mapping of user IDs from the user namespace "
+"of the process I<pid> to the user namespace of the process that opened "
+"I<uid_map> (but see a qualification to this point below). In other words, "
+"processes that are in different user namespaces will potentially see "
+"different values when reading from a particular I<uid_map> file, depending "
+"on the user ID mappings for the user namespaces of the reading processes."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Each line in the I<uid_map> file specifies a 1-to-1 mapping of a range of "
+"contiguous user IDs between two user namespaces. (When a user namespace is "
+"first created, this file is empty.) The specification in each line takes "
+"the form of three numbers delimited by white space. The first two numbers "
+"specify the starting user ID in each of the two user namespaces. The third "
+"number specifies the length of the mapped range. In detail, the fields are "
+"interpreted as follows:"
+msgstr ""
+
+#. type: IP
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "(1)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The start of the range of user IDs in the user namespace of the process "
+"I<pid>."
+msgstr ""
+
+#. type: IP
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "(2)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The start of the range of user IDs to which the user IDs specified by field "
+"one map. How field two is interpreted depends on whether the process that "
+"opened I<uid_map> and the process I<pid> are in the same user namespace, as "
+"follows:"
+msgstr ""
+
+#. type: IP
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "(a)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"If the two processes are in different user namespaces: field two is the "
+"start of a range of user IDs in the user namespace of the process that "
+"opened I<uid_map>."
+msgstr ""
+
+#. type: IP
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "(b)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"If the two processes are in the same user namespace: field two is the start "
+"of the range of user IDs in the parent user namespace of the process "
+"I<pid>. This case enables the opener of I<uid_map> (the common case here is "
+"opening I</proc/self/uid_map>) to see the mapping of user IDs into the user "
+"namespace of the process that created this user namespace."
+msgstr ""
+
+#. type: IP
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "(3)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The length of the range of user IDs that is mapped between the two user "
+"namespaces."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"System calls that return user IDs (group IDs)\\[em]for example, "
+"B<getuid>(2), B<getgid>(2), and the credential fields in the structure "
+"returned by B<stat>(2)\\[em]return the user ID (group ID) mapped into the "
+"caller's user namespace."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When a process accesses a file, its user and group IDs are mapped into the "
+"initial user namespace for the purpose of permission checking and assigning "
+"IDs when creating a file. When a process retrieves file user and group IDs "
+"via B<stat>(2), the IDs are mapped in the opposite direction, to produce "
+"values relative to the process user and group ID mappings."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The initial user namespace has no parent namespace, but, for consistency, "
+"the kernel provides dummy user and group ID mapping files for this "
+"namespace. Looking at the I<uid_map> file (I<gid_map> is the same) from a "
+"shell in the initial namespace shows:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"$ B<cat /proc/$$/uid_map>\n"
+" 0 0 4294967295\n"
+msgstr ""
+
+#
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"This mapping tells us that the range starting at user ID 0 in this namespace "
+"maps to a range starting at 0 in the (nonexistent) parent namespace, and the "
+"length of the range is the largest 32-bit unsigned integer. This leaves "
+"4294967295 (the 32-bit signed -1 value) unmapped. This is deliberate: "
+"I<(uid_t)\\~-1> is used in several interfaces (e.g., B<setreuid>(2)) as a "
+"way to specify \"no user ID\". Leaving I<(uid_t)\\~-1> unmapped and "
+"unusable guarantees that there will be no confusion when using these "
+"interfaces."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Defining user and group ID mappings: writing to uid_map and gid_map"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"After the creation of a new user namespace, the I<uid_map> file of I<one> of "
+"the processes in the namespace may be written to I<once> to define the "
+"mapping of user IDs in the new user namespace. An attempt to write more "
+"than once to a I<uid_map> file in a user namespace fails with the error "
+"B<EPERM>. Similar rules apply for I<gid_map> files."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The lines written to I<uid_map> (I<gid_map>) must conform to the following "
+"validity rules:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The three fields must be valid numbers, and the last field must be greater "
+"than 0."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "Lines are terminated by newline characters."
+msgstr ""
+
+#. 5*12-byte records could fit in a 64B cache line
+#. commit 6397fac4915ab3002dc15aae751455da1a852f25
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"There is a limit on the number of lines in the file. In Linux 4.14 and "
+"earlier, this limit was (arbitrarily) set at 5 lines. Since Linux 4.15, "
+"the limit is 340 lines. In addition, the number of bytes written to the "
+"file must be less than the system page size, and the write must be performed "
+"at the start of the file (i.e., B<lseek>(2) and B<pwrite>(2) can't be used "
+"to write to nonzero offsets in the file)."
+msgstr ""
+
+#. commit 0bd14b4fd72afd5df41e9fd59f356740f22fceba
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The range of user IDs (group IDs) specified in each line cannot overlap "
+"with the ranges in any other lines. In the initial implementation (Linux "
+"3.8), this requirement was satisfied by a simplistic implementation that "
+"imposed the further requirement that the values in both field 1 and field 2 "
+"of successive lines must be in ascending numerical order, which prevented "
+"some otherwise valid maps from being created. Linux 3.9 and later fix this "
+"limitation, allowing any valid set of nonoverlapping maps."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "At least one line must be written to the file."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "Writes that violate the above rules fail with the error B<EINVAL>."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"In order for a process to write to the I</proc/>pidI</uid_map> (I</proc/"
+">pidI</gid_map>) file, all of the following permission requirements must be "
+"met:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The writing process must have the B<CAP_SETUID> (B<CAP_SETGID>) capability "
+"in the user namespace of the process I<pid>."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The writing process must either be in the user namespace of the process "
+"I<pid> or be in the parent user namespace of the process I<pid>."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The mapped user IDs (group IDs) must in turn have a mapping in the parent "
+"user namespace."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"If updating I</proc/>pidI</uid_map> to create a mapping that maps UID 0 in "
+"the parent namespace, then one of the following must be true:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"if writing process is in the parent user namespace, then it must have the "
+"B<CAP_SETFCAP> capability in that user namespace; or"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"if the writing process is in the child user namespace, then the process that "
+"created the user namespace must have had the B<CAP_SETFCAP> capability when "
+"the namespace was created."
+msgstr ""
+
+#. commit db2e718a47984b9d71ed890eb2ea36ecf150de18
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"This rule has been in place since Linux 5.12. It eliminates an earlier "
+"security bug whereby a UID 0 process that lacks the B<CAP_SETFCAP> "
+"capability, which is needed to create a binary with namespaced file "
+"capabilities (as described in B<capabilities>(7)), could nevertheless create "
+"such a binary, by the following steps:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Create a new user namespace with the identity mapping (i.e., UID 0 in the "
+"new user namespace maps to UID 0 in the parent namespace), so that UID 0 in "
+"both namespaces is equivalent to the same root user ID."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Since the child process has the B<CAP_SETFCAP> capability, it could create a "
+"binary with namespaced file capabilities that would then be effective in the "
+"parent user namespace (because the root user IDs are the same in the two "
+"namespaces)."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "One of the following two cases applies:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"I<Either> the writing process has the B<CAP_SETUID> (B<CAP_SETGID>) "
+"capability in the I<parent> user namespace."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"No further restrictions apply: the process can make mappings to arbitrary "
+"user IDs (group IDs) in the parent user namespace."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "I<Or> otherwise all of the following restrictions apply:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The data written to I<uid_map> (I<gid_map>) must consist of a single line "
+"that maps the writing process's effective user ID (group ID) in the parent "
+"user namespace to a user ID (group ID) in the user namespace."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The writing process must have the same effective user ID as the process that "
+"created the user namespace."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"In the case of I<gid_map>, use of the B<setgroups>(2) system call must "
+"first be denied by writing \\[dq]I<deny>\\[dq] to the I</proc/>pidI</"
+"setgroups> file (see below) before writing to I<gid_map>."
+msgstr ""
+
+#
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "Writes that violate the above rules fail with the error B<EPERM>."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Project ID mappings: projid_map"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Similarly to user and group ID mappings, it is possible to create project ID "
+"mappings for a user namespace. (Project IDs are used for disk quotas; see "
+"B<setquota>(8) and B<quotactl>(2).)"
+msgstr ""
+
+#. commit f76d207a66c3a53defea67e7d36c3eb1b7d6d61d
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Project ID mappings are defined by writing to the I</proc/>pidI</projid_map> "
+"file (present since Linux 3.7)."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The validity rules for writing to the I</proc/>pidI</projid_map> file are as "
+"for writing to the I<uid_map> file; violation of these rules causes "
+"B<write>(2) to fail with the error B<EINVAL>."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The permission rules for writing to the I</proc/>pidI</projid_map> file are "
+"as follows:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The mapped project IDs must in turn have a mapping in the parent user "
+"namespace."
+msgstr ""
+
+#
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Violation of these rules causes B<write>(2) to fail with the error B<EPERM>."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Interaction with system calls that change process UIDs or GIDs"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"In a user namespace where the I<uid_map> file has not been written, the "
+"system calls that change user IDs will fail. Similarly, if the I<gid_map> "
+"file has not been written, the system calls that change group IDs will "
+"fail. After the I<uid_map> and I<gid_map> files have been written, only the "
+"mapped values may be used in system calls that change user and group IDs."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"For user IDs, the relevant system calls include B<setuid>(2), "
+"B<setfsuid>(2), B<setreuid>(2), and B<setresuid>(2). For group IDs, the "
+"relevant system calls include B<setgid>(2), B<setfsgid>(2), B<setregid>(2), "
+"B<setresgid>(2), and B<setgroups>(2)."
+msgstr ""
+
+#
+#. Things changed in Linux 3.19
+#. commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
+#. commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
+#. http://lwn.net/Articles/626665/
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Writing \\[dq]I<deny>\\[dq] to the I</proc/>pidI</setgroups> file before "
+"writing to I</proc/>pidI</gid_map> will permanently disable B<setgroups>(2) "
+"in a user namespace and allow writing to I</proc/>pidI</gid_map> without "
+"having the B<CAP_SETGID> capability in the parent user namespace."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+#: opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "The I</proc/>pidI</setgroups> file"
+msgstr ""
+
+#
+#. commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
+#. commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
+#. http://lwn.net/Articles/626665/
+#. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8989
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The I</proc/>pidI</setgroups> file displays the string \\[dq]I<allow>\\[dq] "
+"if processes in the user namespace that contains the process I<pid> are "
+"permitted to employ the B<setgroups>(2) system call; it displays "
+"\\[dq]I<deny>\\[dq] if B<setgroups>(2) is not permitted in that user "
+"namespace. Note that regardless of the value in the I</proc/>pidI</"
+"setgroups> file (and regardless of the process's capabilities), calls to "
+"B<setgroups>(2) are also not permitted if I</proc/>pidI</gid_map> has not "
+"yet been set."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"A privileged process (one with the B<CAP_SYS_ADMIN> capability in the "
+"namespace) may write either of the strings \\[dq]I<allow>\\[dq] or "
+"\\[dq]I<deny>\\[dq] to this file I<before> writing a group ID mapping for "
+"this user namespace to the file I</proc/>pidI</gid_map>. Writing the string "
+"\\[dq]I<deny>\\[dq] prevents any process in the user namespace from "
+"employing B<setgroups>(2)."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The essence of the restrictions described in the preceding paragraph is that "
+"it is permitted to write to I</proc/>pidI</setgroups> only so long as "
+"calling B<setgroups>(2) is disallowed because I</proc/>pidI</gid_map> has "
+"not been set. This ensures that a process cannot transition from a state "
+"where B<setgroups>(2) is allowed to a state where B<setgroups>(2) is "
+"denied; a process can transition only from B<setgroups>(2) being disallowed "
+"to B<setgroups>(2) being allowed."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The default value of this file in the initial user namespace is "
+"\\[dq]I<allow>\\[dq]."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Once I</proc/>pidI</gid_map> has been written to (which has the effect of "
+"enabling B<setgroups>(2) in the user namespace), it is no longer possible "
+"to disallow B<setgroups>(2) by writing \\[dq]I<deny>\\[dq] to I</proc/"
+">pidI</setgroups> (the write fails with the error B<EPERM>)."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"A child user namespace inherits the I</proc/>pidI</setgroups> setting from "
+"its parent."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"If the I<setgroups> file has the value \\[dq]I<deny>\\[dq], then the "
+"B<setgroups>(2) system call can't subsequently be reenabled (by writing "
+"\\[dq]I<allow>\\[dq] to the file) in this user namespace. (Attempts to do "
+"so fail with the error B<EPERM>.) This restriction also propagates down to "
+"all child user namespaces of this user namespace."
+msgstr ""
+
+#
+#
+#
+#
+#. /proc/PID/setgroups
+#. [allow == setgroups() is allowed, "deny" == setgroups() is disallowed]
+#. * Can write if have CAP_SYS_ADMIN in NS
+#. * Must write BEFORE writing to /proc/PID/gid_map
+#. setgroups()
+#. * Must already have written to gid_map
+#. * /proc/PID/setgroups must be "allow"
+#. /proc/PID/gid_map -- writing
+#. * Must already have written "deny" to /proc/PID/setgroups
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The I</proc/>pidI</setgroups> file was added in Linux 3.19, but was "
+"backported to many earlier stable kernel series, because it addresses a "
+"security issue. The issue concerned files with permissions such as \"rwx---"
+"rwx\". Such files give fewer permissions to \"group\" than they do to "
+"\"other\". This means that dropping groups using B<setgroups>(2) might "
+"allow a process file access that it did not formerly have. Before the "
+"existence of user namespaces this was not a concern, since only a privileged "
+"process (one with the B<CAP_SETGID> capability) could call B<setgroups>(2). "
+"However, with the introduction of user namespaces, it became possible for an "
+"unprivileged process to create a new namespace in which the user had all "
+"privileges. This then allowed formerly unprivileged users to drop groups "
+"and thus gain file access that they did not previously have. The I</proc/"
+">pidI</setgroups> file was added to address this security issue, by denying "
+"any pathway for an unprivileged process to drop groups with B<setgroups>(2)."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Unmapped user and group IDs"
+msgstr ""
+
+#. from_kuid_munged(), from_kgid_munged()
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"There are various places where an unmapped user ID (group ID) may be "
+"exposed to user space. For example, the first process in a new user "
+"namespace may call B<getuid>(2) before a user ID mapping has been defined "
+"for the namespace. In most such cases, an unmapped user ID is converted to "
+"the overflow user ID (group ID); the default value for the overflow user ID "
+"(group ID) is 65534. See the descriptions of I</proc/sys/kernel/"
+"overflowuid> and I</proc/sys/kernel/overflowgid> in B<proc>(5)."
+msgstr ""
+
+#. also SO_PEERCRED
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The cases where unmapped IDs are mapped in this fashion include system calls "
+"that return user IDs (B<getuid>(2), B<getgid>(2), and similar), credentials "
+"passed over a UNIX domain socket, credentials returned by B<stat>(2), "
+"B<waitid>(2), and the System V IPC \"ctl\" B<IPC_STAT> operations, "
+"credentials exposed by I</proc/>pidI</status> and the files in I</proc/"
+"sysvipc/*>, credentials returned via the I<si_uid> field in the I<siginfo_t> "
+"received with a signal (see B<sigaction>(2)), credentials written to the "
+"process accounting file (see B<acct>(5)), and credentials returned with "
+"POSIX message queue notifications (see B<mq_notify>(3))."
+msgstr ""
+
+#
+#. from_kuid(), from_kgid()
+#. Also F_GETOWNER_UIDS is an exception
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"There is one notable case where unmapped user and group IDs are I<not> "
+"converted to the corresponding overflow ID value. When viewing a I<uid_map> "
+"or I<gid_map> file in which there is no mapping for the second field, that "
+"field is displayed as 4294967295 (-1 as an unsigned integer)."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Accessing files"
+msgstr ""
+
+#
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"In order to determine permissions when an unprivileged process accesses a "
+"file, the process credentials (UID, GID) and the file credentials are in "
+"effect mapped back to what they would be in the initial user namespace and "
+"then compared to determine the permissions that the process has on the "
+"file. The same is also true of other objects that employ the credentials "
+"plus permissions mask accessibility model, such as System V IPC objects."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Operation of file-related capabilities"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Certain capabilities allow a process to bypass various kernel-enforced "
+"restrictions when performing operations on files owned by other users or "
+"groups. These capabilities are: B<CAP_CHOWN>, B<CAP_DAC_OVERRIDE>, "
+"B<CAP_DAC_READ_SEARCH>, B<CAP_FOWNER>, and B<CAP_FSETID>."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Within a user namespace, these capabilities allow a process to bypass the "
+"rules if the process has the relevant capability over the file, meaning that:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"the process has the relevant effective capability in its user namespace; and"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"the file's user ID and group ID both have valid mappings in the user "
+"namespace."
+msgstr ""
+
+#
+#. These are the checks performed by the kernel function
+#. inode_owner_or_capable(). There is one exception to the exception:
+#. overriding the directory sticky permission bit requires that
+#. the file has a valid mapping for both its UID and GID.
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The B<CAP_FOWNER> capability is treated somewhat exceptionally: it allows a "
+"process to bypass the corresponding rules so long as at least the file's "
+"user ID has a mapping in the user namespace (i.e., the file's group ID does "
+"not need to have a valid mapping)."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Set-user-ID and set-group-ID programs"
+msgstr ""
+
+#
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When a process inside a user namespace executes a set-user-ID (set-group-ID) "
+"program, the process's effective user (group) ID inside the namespace is "
+"changed to whatever value is mapped for the user (group) ID of the file. "
+"However, if either the user I<or> the group ID of the file has no mapping "
+"inside the namespace, the set-user-ID (set-group-ID) bit is silently "
+"ignored: the new program is executed, but the process's effective user "
+"(group) ID is left unchanged. (This mirrors the semantics of executing a "
+"set-user-ID or set-group-ID program that resides on a filesystem that was "
+"mounted with the B<MS_NOSUID> flag, as described in B<mount>(2).)"
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Miscellaneous"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When a process's user and group IDs are passed over a UNIX domain socket to "
+"a process in a different user namespace (see the description of "
+"B<SCM_CREDENTIALS> in B<unix>(7)), they are translated into the "
+"corresponding values as per the receiving process's user and group ID "
+"mappings."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "STANDARDS"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+#: opensuse-leap-15-6 opensuse-tumbleweed
+msgid "Linux."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "NOTES"
+msgstr ""
+
+#
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Over the years, there have been a lot of features that have been added to "
+"the Linux kernel that have been made available only to privileged users "
+"because of their potential to confuse set-user-ID-root applications. In "
+"general, it becomes safe to allow the root user in a user namespace to use "
+"those features because it is impossible, while in a user namespace, to gain "
+"more privilege than the root user of a user namespace has."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Global root"
+msgstr ""
+
+#
+#. ============================================================
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The term \"global root\" is sometimes used as a shorthand for user ID 0 in "
+"the initial user namespace."
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Availability"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Use of user namespaces requires a kernel that is configured with the "
+"B<CONFIG_USER_NS> option. User namespaces require support in a range of "
+"subsystems across the kernel. When an unsupported subsystem is configured "
+"into the kernel, it is not possible to configure user namespaces support."
+msgstr ""
+
+#. commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"As at Linux 3.8, most relevant subsystems supported user namespaces, but a "
+"number of filesystems did not have the infrastructure needed to map user and "
+"group IDs between user namespaces. Linux 3.9 added the required "
+"infrastructure support for many of the remaining unsupported filesystems "
+"(Plan 9 (9P), Andrew File System (AFS), Ceph, CIFS, CODA, NFS, and OCFS2). "
+"Linux 3.12 added support for the last of the unsupported major filesystems, "
+"XFS."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "EXAMPLES"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The program below is designed to allow experimenting with user namespaces, "
+"as well as other types of namespaces. It creates namespaces as specified by "
+"command-line options and then executes a command inside those namespaces. "
+"The comments and I<usage>() function inside the program provide a full "
+"explanation of the program. The following shell session demonstrates its "
+"use."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "First, we look at the run-time environment:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"$ B<uname -rs> # Need Linux 3.8 or later\n"
+"Linux 3.8.0\n"
+"$ B<id -u> # Running as unprivileged user\n"
+"1000\n"
+"$ B<id -g>\n"
+"1000\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Now start a new shell in new user (I<-U>), mount (I<-m>), and PID (I<-p>) "
+"namespaces, with user ID (I<-M>) and group ID (I<-G>) 1000 mapped to 0 "
+"inside the user namespace:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "$ B<./userns_child_exec -p -m -U -M \\[aq]0 1000 1\\[aq] -G \\[aq]0 1000 1\\[aq] bash>\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The shell has PID 1, because it is the first process in the new PID "
+"namespace:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"bash$ B<echo $$>\n"
+"1\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Mounting a new I</proc> filesystem and listing all of the processes visible "
+"in the new PID namespace shows that the shell can't see any processes "
+"outside the PID namespace:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"bash$ B<mount -t proc proc /proc>\n"
+"bash$ B<ps ax>\n"
+" PID TTY STAT TIME COMMAND\n"
+" 1 pts/3 S 0:00 bash\n"
+" 22 pts/3 R+ 0:00 ps ax\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Inside the user namespace, the shell has user and group ID 0, and a full set "
+"of permitted and effective capabilities:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"bash$ B<cat /proc/$$/status | egrep \\[aq]\\[ha][UG]id\\[aq]>\n"
+"Uid:\t0\t0\t0\t0\n"
+"Gid:\t0\t0\t0\t0\n"
+"bash$ B<cat /proc/$$/status | egrep \\[aq]\\[ha]Cap(Prm|Inh|Eff)\\[aq]>\n"
+"CapInh:\t0000000000000000\n"
+"CapPrm:\t0000001fffffffff\n"
+"CapEff:\t0000001fffffffff\n"
+msgstr ""
+
+#. type: SS
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "Program source"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+#: opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"/* userns_child_exec.c\n"
+"\\&\n"
+" Licensed under GNU General Public License v2 or later\n"
+"\\&\n"
+" Create a child process that executes a shell command in new\n"
+" namespace(s); allow UID and GID mappings to be specified when\n"
+" creating a user namespace.\n"
+"*/\n"
+"#define _GNU_SOURCE\n"
+"#include E<lt>err.hE<gt>\n"
+"#include E<lt>sched.hE<gt>\n"
+"#include E<lt>unistd.hE<gt>\n"
+"#include E<lt>stdint.hE<gt>\n"
+"#include E<lt>stdlib.hE<gt>\n"
+"#include E<lt>sys/wait.hE<gt>\n"
+"#include E<lt>signal.hE<gt>\n"
+"#include E<lt>fcntl.hE<gt>\n"
+"#include E<lt>stdio.hE<gt>\n"
+"#include E<lt>string.hE<gt>\n"
+"#include E<lt>limits.hE<gt>\n"
+"#include E<lt>errno.hE<gt>\n"
+"\\&\n"
+"struct child_args {\n"
+" char **argv; /* Command to be executed by child, with args */\n"
+" int pipe_fd[2]; /* Pipe used to synchronize parent and child */\n"
+"};\n"
+"\\&\n"
+"static int verbose;\n"
+"\\&\n"
+"static void\n"
+"usage(char *pname)\n"
+"{\n"
+" fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n"
+" fprintf(stderr, \"Create a child process that executes a shell \"\n"
+" \"command in a new user namespace,\\en\"\n"
+" \"and possibly also other new namespace(s).\\en\\en\");\n"
+" fprintf(stderr, \"Options can be:\\en\\en\");\n"
+"#define fpe(str) fprintf(stderr, \" %s\", str);\n"
+" fpe(\"-i New IPC namespace\\en\");\n"
+" fpe(\"-m New mount namespace\\en\");\n"
+" fpe(\"-n New network namespace\\en\");\n"
+" fpe(\"-p New PID namespace\\en\");\n"
+" fpe(\"-u New UTS namespace\\en\");\n"
+" fpe(\"-U New user namespace\\en\");\n"
+" fpe(\"-M uid_map Specify UID map for user namespace\\en\");\n"
+" fpe(\"-G gid_map Specify GID map for user namespace\\en\");\n"
+" fpe(\"-z Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n"
+" fpe(\" (equivalent to: -M \\[aq]0 E<lt>uidE<gt> 1\\[aq] -G \\[aq]0 E<lt>gidE<gt> 1\\[aq])\\en\");\n"
+" fpe(\"-v Display verbose messages\\en\");\n"
+" fpe(\"\\en\");\n"
+" fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n"
+" fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n"
+" fpe(\"\\en\");\n"
+" fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n"
+" fpe(\"\\en\");\n"
+" fpe(\" ID-inside-ns ID-outside-ns len\\en\");\n"
+" fpe(\"\\en\");\n"
+" fpe(\"A map string can contain multiple records, separated\"\n"
+" \" by commas;\\en\");\n"
+" fpe(\"the commas are replaced by newlines before writing\"\n"
+" \" to map files.\\en\");\n"
+"\\&\n"
+" exit(EXIT_FAILURE);\n"
+"}\n"
+"\\&\n"
+"/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n"
+" \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n"
+" GID mapping consists of one or more newline-delimited records\n"
+" of the form:\n"
+"\\&\n"
+" ID_inside-ns ID-outside-ns length\n"
+"\\&\n"
+" Requiring the user to supply a string that contains newlines is\n"
+" of course inconvenient for command-line use. Thus, we permit the\n"
+" use of commas to delimit records in this string, and replace them\n"
+" with newlines before writing the string to the file. */\n"
+"\\&\n"
+"static void\n"
+"update_map(char *mapping, char *map_file)\n"
+"{\n"
+" int fd;\n"
+" size_t map_len; /* Length of \\[aq]mapping\\[aq] */\n"
+"\\&\n"
+" /* Replace commas in mapping string with newlines. */\n"
+"\\&\n"
+" map_len = strlen(mapping);\n"
+" for (size_t j = 0; j E<lt> map_len; j++)\n"
+" if (mapping[j] == \\[aq],\\[aq])\n"
+" mapping[j] = \\[aq]\\en\\[aq];\n"
+"\\&\n"
+" fd = open(map_file, O_RDWR);\n"
+" if (fd == -1) {\n"
+" fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n"
+" strerror(errno));\n"
+" exit(EXIT_FAILURE);\n"
+" }\n"
+"\\&\n"
+" if (write(fd, mapping, map_len) != map_len) {\n"
+" fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n"
+" strerror(errno));\n"
+" exit(EXIT_FAILURE);\n"
+" }\n"
+"\\&\n"
+" close(fd);\n"
+"}\n"
+"\\&\n"
+"/* Linux 3.19 made a change in the handling of setgroups(2) and\n"
+" the \\[aq]gid_map\\[aq] file to address a security issue. The issue\n"
+" allowed *unprivileged* users to employ user namespaces in\n"
+" order to drop groups. The upshot of the 3.19 changes is that\n"
+" in order to update the \\[aq]gid_maps\\[aq] file, use of the setgroups()\n"
+" system call in this user namespace must first be disabled by\n"
+" writing \"deny\" to one of the /proc/PID/setgroups files for\n"
+" this namespace. That is the purpose of the following function. */\n"
+"\\&\n"
+"static void\n"
+"proc_setgroups_write(pid_t child_pid, char *str)\n"
+"{\n"
+" char setgroups_path[PATH_MAX];\n"
+" int fd;\n"
+"\\&\n"
+" snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n"
+" (intmax_t) child_pid);\n"
+"\\&\n"
+" fd = open(setgroups_path, O_RDWR);\n"
+" if (fd == -1) {\n"
+"\\&\n"
+" /* We may be on a system that doesn\\[aq]t support\n"
+" /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n"
+" and the system won\\[aq]t impose the restrictions that Linux 3.19\n"
+" added. That\\[aq]s fine: we don\\[aq]t need to do anything in order\n"
+" to permit \\[aq]gid_map\\[aq] to be updated.\n"
+"\\&\n"
+" However, if the error from open() was something other than\n"
+" the ENOENT error that is expected for that case, let the\n"
+" user know. */\n"
+"\\&\n"
+" if (errno != ENOENT)\n"
+" fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n"
+" strerror(errno));\n"
+" return;\n"
+" }\n"
+"\\&\n"
+" if (write(fd, str, strlen(str)) == -1)\n"
+" fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n"
+" strerror(errno));\n"
+"\\&\n"
+" close(fd);\n"
+"}\n"
+"\\&\n"
+"static int /* Start function for cloned child */\n"
+"childFunc(void *arg)\n"
+"{\n"
+" struct child_args *args = arg;\n"
+" char ch;\n"
+"\\&\n"
+" /* Wait until the parent has updated the UID and GID mappings.\n"
+" See the comment in main(). We wait for end of file on a\n"
+" pipe that will be closed by the parent process once it has\n"
+" updated the mappings. */\n"
+"\\&\n"
+" close(args-E<gt>pipe_fd[1]); /* Close our descriptor for the write\n"
+" end of the pipe so that we see EOF\n"
+" when parent closes its descriptor. */\n"
+" if (read(args-E<gt>pipe_fd[0], &ch, 1) != 0) {\n"
+" fprintf(stderr,\n"
+" \"Failure in child: read from pipe returned != 0\\en\");\n"
+" exit(EXIT_FAILURE);\n"
+" }\n"
+"\\&\n"
+" close(args-E<gt>pipe_fd[0]);\n"
+"\\&\n"
+" /* Execute a shell command. */\n"
+"\\&\n"
+" printf(\"About to exec %s\\en\", args-E<gt>argv[0]);\n"
+" execvp(args-E<gt>argv[0], args-E<gt>argv);\n"
+" err(EXIT_FAILURE, \"execvp\");\n"
+"}\n"
+"\\&\n"
+"#define STACK_SIZE (1024 * 1024)\n"
+"\\&\n"
+"static char child_stack[STACK_SIZE]; /* Space for child\\[aq]s stack */\n"
+"\\&\n"
+"int\n"
+"main(int argc, char *argv[])\n"
+"{\n"
+" int flags, opt, map_zero;\n"
+" pid_t child_pid;\n"
+" struct child_args args;\n"
+" char *uid_map, *gid_map;\n"
+" const int MAP_BUF_SIZE = 100;\n"
+" char map_buf[MAP_BUF_SIZE];\n"
+" char map_path[PATH_MAX];\n"
+"\\&\n"
+" /* Parse command-line options. The initial \\[aq]+\\[aq] character in\n"
+" the final getopt() argument prevents GNU-style permutation\n"
+" of command-line options. That\\[aq]s useful, since sometimes\n"
+" the \\[aq]command\\[aq] to be executed by this program itself\n"
+" has command-line options. We don\\[aq]t want getopt() to treat\n"
+" those as options to this program. */\n"
+"\\&\n"
+" flags = 0;\n"
+" verbose = 0;\n"
+" gid_map = NULL;\n"
+" uid_map = NULL;\n"
+" map_zero = 0;\n"
+" while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n"
+" switch (opt) {\n"
+" case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC; break;\n"
+" case \\[aq]m\\[aq]: flags |= CLONE_NEWNS; break;\n"
+" case \\[aq]n\\[aq]: flags |= CLONE_NEWNET; break;\n"
+" case \\[aq]p\\[aq]: flags |= CLONE_NEWPID; break;\n"
+" case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS; break;\n"
+" case \\[aq]v\\[aq]: verbose = 1; break;\n"
+" case \\[aq]z\\[aq]: map_zero = 1; break;\n"
+" case \\[aq]M\\[aq]: uid_map = optarg; break;\n"
+" case \\[aq]G\\[aq]: gid_map = optarg; break;\n"
+" case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER; break;\n"
+" default: usage(argv[0]);\n"
+" }\n"
+" }\n"
+"\\&\n"
+" /* -M or -G without -U is nonsensical */\n"
+"\\&\n"
+" if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n"
+" !(flags & CLONE_NEWUSER)) ||\n"
+" (map_zero && (uid_map != NULL || gid_map != NULL)))\n"
+" usage(argv[0]);\n"
+"\\&\n"
+" args.argv = &argv[optind];\n"
+"\\&\n"
+" /* We use a pipe to synchronize the parent and child, in order to\n"
+" ensure that the parent sets the UID and GID maps before the child\n"
+" calls execve(). This ensures that the child maintains its\n"
+" capabilities during the execve() in the common case where we\n"
+" want to map the child\\[aq]s effective user ID to 0 in the new user\n"
+" namespace. Without this synchronization, the child would lose\n"
+" its capabilities if it performed an execve() with nonzero\n"
+" user IDs (see the capabilities(7) man page for details of the\n"
+" transformation of a process\\[aq]s capabilities during execve()). */\n"
+"\\&\n"
+" if (pipe(args.pipe_fd) == -1)\n"
+" err(EXIT_FAILURE, \"pipe\");\n"
+"\\&\n"
+" /* Create the child in new namespace(s). */\n"
+"\\&\n"
+" child_pid = clone(childFunc, child_stack + STACK_SIZE,\n"
+" flags | SIGCHLD, &args);\n"
+" if (child_pid == -1)\n"
+" err(EXIT_FAILURE, \"clone\");\n"
+"\\&\n"
+" /* Parent falls through to here. */\n"
+"\\&\n"
+" if (verbose)\n"
+" printf(\"%s: PID of child created by clone() is %jd\\en\",\n"
+" argv[0], (intmax_t) child_pid);\n"
+"\\&\n"
+" /* Update the UID and GID maps in the child. */\n"
+"\\&\n"
+" if (uid_map != NULL || map_zero) {\n"
+" snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n"
+" (intmax_t) child_pid);\n"
+" if (map_zero) {\n"
+" snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n"
+" (intmax_t) getuid());\n"
+" uid_map = map_buf;\n"
+" }\n"
+" update_map(uid_map, map_path);\n"
+" }\n"
+"\\&\n"
+" if (gid_map != NULL || map_zero) {\n"
+" proc_setgroups_write(child_pid, \"deny\");\n"
+"\\&\n"
+" snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n"
+" (intmax_t) child_pid);\n"
+" if (map_zero) {\n"
+" snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n"
+" (intmax_t) getgid());\n"
+" gid_map = map_buf;\n"
+" }\n"
+" update_map(gid_map, map_path);\n"
+" }\n"
+"\\&\n"
+" /* Close the write end of the pipe, to signal to the child that we\n"
+" have updated the UID and GID maps. */\n"
+"\\&\n"
+" close(args.pipe_fd[1]);\n"
+"\\&\n"
+" if (waitpid(child_pid, NULL, 0) == -1) /* Wait for child */\n"
+" err(EXIT_FAILURE, \"waitpid\");\n"
+"\\&\n"
+" if (verbose)\n"
+" printf(\"%s: terminating\\en\", argv[0]);\n"
+"\\&\n"
+" exit(EXIT_SUCCESS);\n"
+"}\n"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. From the shadow package
+#. From the shadow package
+#. From the shadow package
+#. From the shadow package
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"B<newgidmap>(1), B<newuidmap>(1), B<clone>(2), B<ptrace>(2), B<setns>(2), "
+"B<unshare>(2), B<proc>(5), B<subgid>(5), B<subuid>(5), B<capabilities>(7), "
+"B<cgroup_namespaces>(7), B<credentials>(7), B<namespaces>(7), "
+"B<pid_namespaces>(7)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The kernel source file I<Documentation/admin-guide/namespaces/resource-"
+"control.rst>."
+msgstr ""
+
+#. type: TH
+#: debian-bookworm
+#, no-wrap
+msgid "2023-02-05"
+msgstr ""
+
+#. type: TH
+#: debian-bookworm
+#, no-wrap
+msgid "Linux man-pages 6.03"
+msgstr ""
+
+#. type: SS
+#: debian-bookworm
+#, no-wrap
+msgid "The /proc/I<pid>/setgroups file"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm
+msgid "Namespaces are a Linux-specific feature."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid "/* userns_child_exec.c\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid " Licensed under GNU General Public License v2 or later\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" Create a child process that executes a shell command in new\n"
+" namespace(s); allow UID and GID mappings to be specified when\n"
+" creating a user namespace.\n"
+"*/\n"
+"#define _GNU_SOURCE\n"
+"#include E<lt>err.hE<gt>\n"
+"#include E<lt>sched.hE<gt>\n"
+"#include E<lt>unistd.hE<gt>\n"
+"#include E<lt>stdint.hE<gt>\n"
+"#include E<lt>stdlib.hE<gt>\n"
+"#include E<lt>sys/wait.hE<gt>\n"
+"#include E<lt>signal.hE<gt>\n"
+"#include E<lt>fcntl.hE<gt>\n"
+"#include E<lt>stdio.hE<gt>\n"
+"#include E<lt>string.hE<gt>\n"
+"#include E<lt>limits.hE<gt>\n"
+"#include E<lt>errno.hE<gt>\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+"struct child_args {\n"
+" char **argv; /* Command to be executed by child, with args */\n"
+" int pipe_fd[2]; /* Pipe used to synchronize parent and child */\n"
+"};\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid "static int verbose;\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+"static void\n"
+"usage(char *pname)\n"
+"{\n"
+" fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n"
+" fprintf(stderr, \"Create a child process that executes a shell \"\n"
+" \"command in a new user namespace,\\en\"\n"
+" \"and possibly also other new namespace(s).\\en\\en\");\n"
+" fprintf(stderr, \"Options can be:\\en\\en\");\n"
+"#define fpe(str) fprintf(stderr, \" %s\", str);\n"
+" fpe(\"-i New IPC namespace\\en\");\n"
+" fpe(\"-m New mount namespace\\en\");\n"
+" fpe(\"-n New network namespace\\en\");\n"
+" fpe(\"-p New PID namespace\\en\");\n"
+" fpe(\"-u New UTS namespace\\en\");\n"
+" fpe(\"-U New user namespace\\en\");\n"
+" fpe(\"-M uid_map Specify UID map for user namespace\\en\");\n"
+" fpe(\"-G gid_map Specify GID map for user namespace\\en\");\n"
+" fpe(\"-z Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n"
+" fpe(\" (equivalent to: -M \\[aq]0 E<lt>uidE<gt> 1\\[aq] -G \\[aq]0 E<lt>gidE<gt> 1\\[aq])\\en\");\n"
+" fpe(\"-v Display verbose messages\\en\");\n"
+" fpe(\"\\en\");\n"
+" fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n"
+" fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n"
+" fpe(\"\\en\");\n"
+" fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n"
+" fpe(\"\\en\");\n"
+" fpe(\" ID-inside-ns ID-outside-ns len\\en\");\n"
+" fpe(\"\\en\");\n"
+" fpe(\"A map string can contain multiple records, separated\"\n"
+" \" by commas;\\en\");\n"
+" fpe(\"the commas are replaced by newlines before writing\"\n"
+" \" to map files.\\en\");\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" exit(EXIT_FAILURE);\n"
+"}\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+"/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n"
+" \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n"
+" GID mapping consists of one or more newline-delimited records\n"
+" of the form:\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid " ID_inside-ns ID-outside-ns length\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" Requiring the user to supply a string that contains newlines is\n"
+" of course inconvenient for command-line use. Thus, we permit the\n"
+" use of commas to delimit records in this string, and replace them\n"
+" with newlines before writing the string to the file. */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+"static void\n"
+"update_map(char *mapping, char *map_file)\n"
+"{\n"
+" int fd;\n"
+" size_t map_len; /* Length of \\[aq]mapping\\[aq] */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid " /* Replace commas in mapping string with newlines. */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" map_len = strlen(mapping);\n"
+" for (size_t j = 0; j E<lt> map_len; j++)\n"
+" if (mapping[j] == \\[aq],\\[aq])\n"
+" mapping[j] = \\[aq]\\en\\[aq];\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" fd = open(map_file, O_RDWR);\n"
+" if (fd == -1) {\n"
+" fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n"
+" strerror(errno));\n"
+" exit(EXIT_FAILURE);\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" if (write(fd, mapping, map_len) != map_len) {\n"
+" fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n"
+" strerror(errno));\n"
+" exit(EXIT_FAILURE);\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" close(fd);\n"
+"}\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+"/* Linux 3.19 made a change in the handling of setgroups(2) and the\n"
+" \\[aq]gid_map\\[aq] file to address a security issue. The issue allowed\n"
+" *unprivileged* users to employ user namespaces in order to drop groups.\n"
+" The upshot of the 3.19 changes is that in order to update the\n"
+" \\[aq]gid_maps\\[aq] file, use of the setgroups() system call in this\n"
+" user namespace must first be disabled by writing \"deny\" to one of\n"
+" the /proc/PID/setgroups files for this namespace. That is the\n"
+" purpose of the following function. */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+"static void\n"
+"proc_setgroups_write(pid_t child_pid, char *str)\n"
+"{\n"
+" char setgroups_path[PATH_MAX];\n"
+" int fd;\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n"
+" (intmax_t) child_pid);\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" fd = open(setgroups_path, O_RDWR);\n"
+" if (fd == -1) {\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" /* We may be on a system that doesn\\[aq]t support\n"
+" /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n"
+" and the system won\\[aq]t impose the restrictions that Linux 3.19\n"
+" added. That\\[aq]s fine: we don\\[aq]t need to do anything in order\n"
+" to permit \\[aq]gid_map\\[aq] to be updated.\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" However, if the error from open() was something other than\n"
+" the ENOENT error that is expected for that case, let the\n"
+" user know. */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" if (errno != ENOENT)\n"
+" fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n"
+" strerror(errno));\n"
+" return;\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" if (write(fd, str, strlen(str)) == -1)\n"
+" fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n"
+" strerror(errno));\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+"static int /* Start function for cloned child */\n"
+"childFunc(void *arg)\n"
+"{\n"
+" struct child_args *args = arg;\n"
+" char ch;\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" /* Wait until the parent has updated the UID and GID mappings.\n"
+" See the comment in main(). We wait for end of file on a\n"
+" pipe that will be closed by the parent process once it has\n"
+" updated the mappings. */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" close(args-E<gt>pipe_fd[1]); /* Close our descriptor for the write\n"
+" end of the pipe so that we see EOF\n"
+" when parent closes its descriptor. */\n"
+" if (read(args-E<gt>pipe_fd[0], &ch, 1) != 0) {\n"
+" fprintf(stderr,\n"
+" \"Failure in child: read from pipe returned != 0\\en\");\n"
+" exit(EXIT_FAILURE);\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid " close(args-E<gt>pipe_fd[0]);\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid " /* Execute a shell command. */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" printf(\"About to exec %s\\en\", args-E<gt>argv[0]);\n"
+" execvp(args-E<gt>argv[0], args-E<gt>argv);\n"
+" err(EXIT_FAILURE, \"execvp\");\n"
+"}\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid "#define STACK_SIZE (1024 * 1024)\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid "static char child_stack[STACK_SIZE]; /* Space for child\\[aq]s stack */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+"int\n"
+"main(int argc, char *argv[])\n"
+"{\n"
+" int flags, opt, map_zero;\n"
+" pid_t child_pid;\n"
+" struct child_args args;\n"
+" char *uid_map, *gid_map;\n"
+" const int MAP_BUF_SIZE = 100;\n"
+" char map_buf[MAP_BUF_SIZE];\n"
+" char map_path[PATH_MAX];\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" /* Parse command-line options. The initial \\[aq]+\\[aq] character in\n"
+" the final getopt() argument prevents GNU-style permutation\n"
+" of command-line options. That\\[aq]s useful, since sometimes\n"
+" the \\[aq]command\\[aq] to be executed by this program itself\n"
+" has command-line options. We don\\[aq]t want getopt() to treat\n"
+" those as options to this program. */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" flags = 0;\n"
+" verbose = 0;\n"
+" gid_map = NULL;\n"
+" uid_map = NULL;\n"
+" map_zero = 0;\n"
+" while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n"
+" switch (opt) {\n"
+" case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC; break;\n"
+" case \\[aq]m\\[aq]: flags |= CLONE_NEWNS; break;\n"
+" case \\[aq]n\\[aq]: flags |= CLONE_NEWNET; break;\n"
+" case \\[aq]p\\[aq]: flags |= CLONE_NEWPID; break;\n"
+" case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS; break;\n"
+" case \\[aq]v\\[aq]: verbose = 1; break;\n"
+" case \\[aq]z\\[aq]: map_zero = 1; break;\n"
+" case \\[aq]M\\[aq]: uid_map = optarg; break;\n"
+" case \\[aq]G\\[aq]: gid_map = optarg; break;\n"
+" case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER; break;\n"
+" default: usage(argv[0]);\n"
+" }\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid " /* -M or -G without -U is nonsensical */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n"
+" !(flags & CLONE_NEWUSER)) ||\n"
+" (map_zero && (uid_map != NULL || gid_map != NULL)))\n"
+" usage(argv[0]);\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid " args.argv = &argv[optind];\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" /* We use a pipe to synchronize the parent and child, in order to\n"
+" ensure that the parent sets the UID and GID maps before the child\n"
+" calls execve(). This ensures that the child maintains its\n"
+" capabilities during the execve() in the common case where we\n"
+" want to map the child\\[aq]s effective user ID to 0 in the new user\n"
+" namespace. Without this synchronization, the child would lose\n"
+" its capabilities if it performed an execve() with nonzero\n"
+" user IDs (see the capabilities(7) man page for details of the\n"
+" transformation of a process\\[aq]s capabilities during execve()). */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" if (pipe(args.pipe_fd) == -1)\n"
+" err(EXIT_FAILURE, \"pipe\");\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid " /* Create the child in new namespace(s). */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" child_pid = clone(childFunc, child_stack + STACK_SIZE,\n"
+" flags | SIGCHLD, &args);\n"
+" if (child_pid == -1)\n"
+" err(EXIT_FAILURE, \"clone\");\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid " /* Parent falls through to here. */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" if (verbose)\n"
+" printf(\"%s: PID of child created by clone() is %jd\\en\",\n"
+" argv[0], (intmax_t) child_pid);\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid " /* Update the UID and GID maps in the child. */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" if (uid_map != NULL || map_zero) {\n"
+" snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n"
+" (intmax_t) child_pid);\n"
+" if (map_zero) {\n"
+" snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n"
+" (intmax_t) getuid());\n"
+" uid_map = map_buf;\n"
+" }\n"
+" update_map(uid_map, map_path);\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" if (gid_map != NULL || map_zero) {\n"
+" proc_setgroups_write(child_pid, \"deny\");\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n"
+" (intmax_t) child_pid);\n"
+" if (map_zero) {\n"
+" snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n"
+" (intmax_t) getgid());\n"
+" gid_map = map_buf;\n"
+" }\n"
+" update_map(gid_map, map_path);\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" /* Close the write end of the pipe, to signal to the child that we\n"
+" have updated the UID and GID maps. */\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid " close(args.pipe_fd[1]);\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" if (waitpid(child_pid, NULL, 0) == -1) /* Wait for child */\n"
+" err(EXIT_FAILURE, \"waitpid\");\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" if (verbose)\n"
+" printf(\"%s: terminating\\en\", argv[0]);\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+" exit(EXIT_SUCCESS);\n"
+"}\n"
+msgstr ""
+
+#. type: TH
+#: debian-unstable opensuse-tumbleweed
+#, no-wrap
+msgid "2023-05-03"
+msgstr ""
+
+#. type: TH
+#: debian-unstable opensuse-tumbleweed
+#, no-wrap
+msgid "Linux man-pages 6.05.01"
+msgstr ""
+
+#. type: TH
+#: opensuse-leap-15-6
+#, no-wrap
+msgid "2023-04-01"
+msgstr ""
+
+#. type: TH
+#: opensuse-leap-15-6
+#, no-wrap
+msgid "Linux man-pages 6.04"
+msgstr ""