# French translation of manpages
# This file is distributed under the same license as the manpages-l10n package.
# Copyright © of this file:
# Christophe Blaess <https://www.blaess.fr/christophe/>, 1996-2003.
# Stéphan Rafin <stephan.rafin@laposte.net>, 2002.
# Thierry Vignaud <tvignaud@mandriva.com>, 1999, 2002.
# François Micaux, 2002.
# Alain Portal <aportal@univ-montp2.fr>, 2003-2008.
# Jean-Philippe Guérard <fevrier@tigreraye.org>, 2005-2006.
# Jean-Luc Coulon (f5ibh) <jean-luc.coulon@wanadoo.fr>, 2006-2007.
# Julien Cristau <jcristau@debian.org>, 2006-2007.
# Thomas Huriaux <thomas.huriaux@gmail.com>, 2006-2008.
# Nicolas François <nicolas.francois@centraliens.net>, 2006-2008.
# Florentin Duneau <fduneau@gmail.com>, 2006-2010.
# Simon Paillard <simon.paillard@resel.enst-bretagne.fr>, 2006, 2013.
# Denis Barbier <barbier@debian.org>, 2006, 2010.
# David Prévot <david@tilapin.org>, 2010, 2012, 2013.
# Cédric Boutillier <cedric.boutillier@gmail.com>, 2011, 2012.
# Frédéric Hantrais <fhantrais@gmail.com>, 2013, 2014.
# Jean-Paul Guillonneau <guillonneau.jeanpaul@free.fr>, 2021, 2023.
msgid ""
msgstr ""
"Project-Id-Version: manpages-fr\n"
"POT-Creation-Date: 2024-03-01 17:13+0100\n"
"PO-Revision-Date: 2023-04-06 07:05+0200\n"
"Last-Translator: Jean-Paul Guillonneau <guillonneau.jeanpaul@free.fr>\n"
"Language-Team: French <debian-l10n-french@lists.debian.org>\n"
"Language: fr\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n > 1;\n"
"X-Generator: vim\n"

#. type: TH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "user_namespaces"
msgstr "user_namespaces"

#. type: TH
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "2023-10-31"
msgstr "31 octobre 2023"

#. type: TH
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "Linux man-pages 6.06"
msgstr "Pages du manuel de Linux 6.06"

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NAME"
msgstr "NOM"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "user_namespaces - overview of Linux user namespaces"
msgstr ""
"user_namespaces — Présentation des espaces de noms utilisateur sous Linux"

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "DESCRIPTION"
msgstr "DESCRIPTION"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "For an overview of namespaces, see B<namespaces>(7)."
msgstr ""
"Pour une présentation générale des espaces de noms, consultez "
"B<namespaces>(7)."

#
#.  FIXME: This page says very little about the interaction
#.  of user namespaces and keys. Add something on this topic.
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"User namespaces isolate security-related identifiers and attributes, in "
"particular, user IDs and group IDs (see B<credentials>(7)), the root "
"directory, keys (see B<keyrings>(7)), and capabilities (see "
"B<capabilities>(7)).  A process's user and group IDs can be different inside "
"and outside a user namespace.  In particular, a process can have a normal "
"unprivileged user ID outside a user namespace while at the same time having "
"a user ID of 0 inside the namespace; in other words, the process has full "
"privileges for operations inside the user namespace, but is unprivileged for "
"operations outside the namespace."
msgstr ""
"Les espaces de noms utilisateur isolent les identifiants et attributs liés à "
"la sécurité, en particulier les identifiants d'utilisateurs et de groupes "
"(consultez B<credentials>(7)), le répertoire racine, les clefs (consultez "
"B<keyctl>(2)) et les capacités (consultez B<capabilities>(7)). Les "
"identifiants d'utilisateur et de groupe d'un processus peuvent être "
"différents selon que l'on se trouve à l'intérieur ou à l'extérieur d'un "
"espace de noms utilisateur. Un processus peut notamment avoir un identifiant "
"sans privilège particulier en dehors d'un espace de noms et avoir "
"l'identifiant 0 à l'intérieur d'un espace de noms. Autrement dit, le "
"processus dispose de tous les privilèges pour des opérations effectuées dans "
"l'espace de noms, tandis qu'il n'en a aucun pour les opérations réalisées en "
"dehors de l'espace de noms utilisateur."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Nested namespaces, namespace membership"
msgstr "Espaces de noms imbriqués, appartenance aux espaces de noms"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"User namespaces can be nested; that is, each user namespace\\[em]except the "
"initial (\"root\")  namespace\\[em]has a parent user namespace, and can have "
"zero or more child user namespaces.  The parent user namespace is the user "
"namespace of the process that creates the user namespace via a call to "
"B<unshare>(2)  or B<clone>(2)  with the B<CLONE_NEWUSER> flag."
msgstr ""
"Les espaces de noms utilisateur peuvent être imbriqués. Cela signifie que "
"chaque espace de noms utilisateur \\[em]\\ à l'exception de l'espace de noms "
"initial (« root »)\\ \\[em] a un espace de noms parent et peut avoir "
"éventuellement un ou plusieurs espaces de noms utilisateur enfant. L'espace "
"de noms utilisateur parent est l'espace de noms du processus qui a créé "
"l'espace de noms utilisateur au moyen de B<unshare>(2) ou de B<clone>(2) "
"invoqué avec l'attribut B<CLONE_NEWUSER>."

#.  commit 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
#.  FIXME Explain the rationale for this limit. (What is the rationale?)
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The kernel imposes (since Linux 3.11) a limit of 32 nested levels of user "
"namespaces.  Calls to B<unshare>(2)  or B<clone>(2)  that would cause this "
"limit to be exceeded fail with the error B<EUSERS>."
msgstr ""
"Le noyau impose (à partir de Linux 3.11) une limite de 32 niveaux "
"d'imbrication pour les espaces de noms utilisateur. Si un appel à "
"B<unshare>(2) ou à B<clone>(2) provoque le dépassement de cette limite, la "
"commande échoue en renvoyant l'erreur B<EUSERS>."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Each process is a member of exactly one user namespace.  A process created "
"via B<fork>(2)  or B<clone>(2)  without the B<CLONE_NEWUSER> flag is a "
"member of the same user namespace as its parent.  A single-threaded process "
"can join another user namespace with B<setns>(2)  if it has the "
"B<CAP_SYS_ADMIN> in that namespace; upon doing so, it gains a full set of "
"capabilities in that namespace."
msgstr ""
"Chaque processus est membre d'exactement un espace de noms utilisateur. Un "
"processus créé par B<fork>(2) ou par B<clone>(2) sans l'attribut "
"B<CLONE_NEWUSER> est membre du même espace de noms que son processus parent. "
"Un processus mono-threadé peut rejoindre un autre espace de noms en "
"utilisant B<setns>(2) s'il dispose de la capacité B<CAP_SYS_ADMIN> dans cet "
"espace de noms ; cette action lui octroie un ensemble de capacités dans cet "
"espace de noms."

#
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A call to B<clone>(2)  or B<unshare>(2)  with the B<CLONE_NEWUSER> flag "
"makes the new child process (for B<clone>(2))  or the caller (for "
"B<unshare>(2))  a member of the new user namespace created by the call."
msgstr ""
"Un appel à B<clone>(2) ou à B<unshare>(2) avec l'attribut B<CLONE_NEWUSER> "
"place le nouveau processus enfant (pour B<clone>(2)) ou l'appelant (pour "
"B<unshare>(2)) dans le nouvel espace de noms utilisateur créé par l'appel."

#
#. #-#-#-#-#  archlinux: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  debian-bookworm: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#.  ============================================================
#. type: Plain text
#. #-#-#-#-#  debian-unstable: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  fedora-40: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  fedora-rawhide: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  mageia-cauldron: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  opensuse-leap-15-6: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  opensuse-tumbleweed: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<NS_GET_PARENT> B<ioctl>(2)  operation can be used to discover the "
"parental relationship between user namespaces; see B<ioctl_ns>(2)."
msgstr ""
"L’opération B<ioctl>(2) B<NS_GET_PARENT> peut être utilisée pour découvrir "
"les relations de parenté entre les espaces de noms utilisateur. Consultez "
"B<ioctl_ns>(2)."

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A task that changes one of its effective IDs will have its dumpability reset "
"to the value in I</proc/sys/fs/suid_dumpable>.  This may affect the "
"ownership of proc files of child processes and may thus cause the parent to "
"lack the permissions to write to mapping files of child processes running in "
"a new user namespace.  In such cases making the parent process dumpable, "
"using B<PR_SET_DUMPABLE> in a call to B<prctl>(2), before creating a child "
"process in a new user namespace may rectify this problem.  See B<prctl>(2)  "
"and B<proc>(5)  for details on how ownership is affected."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Capabilities"
msgstr "Capacités"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The child process created by B<clone>(2)  with the B<CLONE_NEWUSER> flag "
"starts out with a complete set of capabilities in the new user namespace.  "
"Likewise, a process that creates a new user namespace using B<unshare>(2)  "
"or joins an existing user namespace using B<setns>(2)  gains a full set of "
"capabilities in that namespace.  On the other hand, that process has no "
"capabilities in the parent (in the case of B<clone>(2))  or previous (in the "
"case of B<unshare>(2)  and B<setns>(2))  user namespace, even if the new "
"namespace is created or joined by the root user (i.e., a process with user "
"ID 0 in the root namespace)."
msgstr ""
"Le processus enfant créé par B<clone>(2) avec l'attribut B<CLONE_NEWUSER> "
"s’initialise avec un nouvel ensemble de capacités dans le nouvel espace de "
"noms utilisateur. De même, un processus qui crée un nouvel espace de noms au "
"moyen de B<unshare>(2) ou qui rejoint un espace de noms existant à l’aide de "
"B<setns>(2) reçoit un ensemble de capacités dans cet espace de noms. D’un "
"autre côté, le processus n’a aucune capacité dans le parent (dans le cas de "
"B<clone>(2)) ou dans le précédent espace de noms utilisateur (dans le cas de "
"B<unshare>(2) et B<setns>(2)), même si le nouvel espace de noms utilisateur "
"est créé ou rejoint par l’utilisateur racine (c’est-à-dire un processus avec "
"l’ID utilisateur 0 dans l’espace de noms racine)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Note that a call to B<execve>(2)  will cause a process's capabilities to be "
"recalculated in the usual way (see B<capabilities>(7)).  Consequently, "
"unless the process has a user ID of 0 within the namespace, or the "
"executable file has a nonempty inheritable capabilities mask, the process "
"will lose all capabilities.  See the discussion of user and group ID "
"mappings, below."
msgstr ""
"Remarquez qu'un appel à B<execve>(2) déclenche la réévaluation des capacités "
"selon la méthode habituelle (consultez B<capabilities>(7)), de sorte que le "
"processus perdra ses capacités, sauf si son identifiant utilisateur vaut 0 "
"dans l'espace de noms ou si le fichier exécutable a un masque de capacités "
"héritable non vide. Pour en savoir plus, consultez les commentaires sur le "
"mappage entre utilisateurs et groupes ci-dessous."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A call to B<clone>(2)  or B<unshare>(2)  using the B<CLONE_NEWUSER> flag or "
"a call to B<setns>(2)  that moves the caller into another user namespace "
"sets the \"securebits\" flags (see B<capabilities>(7))  to their default "
"values (all flags disabled) in the child (for B<clone>(2))  or caller (for "
"B<unshare>(2)  or B<setns>(2)).  Note that because the caller no longer has "
"capabilities in its original user namespace after a call to B<setns>(2), it "
"is not possible for a process to reset its \"securebits\" flags while "
"retaining its user namespace membership by using a pair of B<setns>(2)  "
"calls to move to another user namespace and then return to its original user "
"namespace."
msgstr ""
"Un appel à B<clone>(2) ou B<unshare>(2) en utilisant l'attribut "
"B<CLONE_NEWUSER> ou un appel à B<setns>(2) qui déplace l’appelant dans "
"d’autres jeux d’espaces de noms utilisateur positionne les indicateurs "
"« securebits » (consultez B<capabilities>(7)) à leurs valeurs par défaut "
"(tous les indicateurs désactivés) dans l’enfant (pour B<clone>(2)) ou "
"l’appelant (pour B<unshare>(2) ou B<setns>(2)). Remarquez que parce que "
"l’appelant n’a plus de capacités dans son espace de noms utilisateur après "
"un appel à B<setns>(2), il n’est pas possible à un processus de "
"réinitialiser ses indicateurs « securebits » tout en conservant son "
"appartenance à un espace de noms utilisateur en utilisant une paire d’appels "
"B<setns>(2) pour se déplacer vers un autre espace de noms utilisateur et "
"ensuite retourner vers son espace de noms utilisateur original."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The rules for determining whether or not a process has a capability in a "
"particular user namespace are as follows:"
msgstr ""
"Les règles pour déterminer si un processus a ou n’a pas de capacités dans un "
"espace de noms utilisateur particulier sont comme suit :"

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "\\[bu]"
msgstr "-"

#.  In the 3.8 sources, see security/commoncap.c::cap_capable():
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A process has a capability inside a user namespace if it is a member of that "
"namespace and it has the capability in its effective capability set.  A "
"process can gain capabilities in its effective capability set in various "
"ways.  For example, it may execute a set-user-ID program or an executable "
"with associated file capabilities.  In addition, a process may gain "
"capabilities via the effect of B<clone>(2), B<unshare>(2), or B<setns>(2), "
"as already described."
msgstr ""
"Un processus dispose d'une capacité dans un espace de noms utilisateur s'il "
"est membre de cet espace de noms et si cette capacité est activée dans son "
"jeu de capacités. Un processus peut obtenir une nouvelle capacité dans son "
"jeu de capacités de plusieurs façons. Il peut, par exemple, exécuter un "
"programme set-user-ID ou un exécutable avec des capacités de fichier "
"associées. Il peut également obtenir des capacités à l’aide de l'action de "
"B<clone>(2), B<unshare>(2) ou B<setns>(2) comme indiqué précédemment."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If a process has a capability in a user namespace, then it has that "
"capability in all child (and further removed descendant)  namespaces as well."
msgstr ""
"Si un processus dispose d'une capacité dans un espace de noms utilisateur, "
"alors il a cette même capacité dans tous les espaces de noms enfant (et les "
"espaces descendants supprimés)."

#
#.  * The owner of the user namespace in the parent of the
#.  * user namespace has all caps.
#.  (and likewise associates the effective group ID of the creating process
#.  with the namespace).
#.  See kernel commit 520d9eabce18edfef76a60b7b839d54facafe1f9 for a fix
#.  on this point
#.      This includes the case where the process executes a set-user-ID
#.      program that confers the effective UID of the creator of the namespace.
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a user namespace is created, the kernel records the effective user ID "
"of the creating process as being the \"owner\" of the namespace.  A process "
"that resides in the parent of the user namespace and whose effective user ID "
"matches the owner of the namespace has all capabilities in the namespace.  "
"By virtue of the previous rule, this means that the process has all "
"capabilities in all further removed descendant user namespaces as well.  The "
"B<NS_GET_OWNER_UID> B<ioctl>(2)  operation can be used to discover the user "
"ID of the owner of the namespace; see B<ioctl_ns>(2)."
msgstr ""
"Lorsqu'un espace de noms est créé, le noyau enregistre l'identifiant "
"utilisateur effectif du processus de création comme étant le "
"« propriétaire » de l'espace de noms. Un processus qui se trouve dans le "
"parent d'un espace de noms utilisateur et qui a un identifiant utilisateur "
"effectif qui correspond au propriétaire de l'espace de noms dispose de "
"toutes les capacités dans cet espace de noms. En vertu de la règle "
"précédente, cela signifie que ce processus a également toutes les capacités "
"dans tous les descendants supprimés de cet espace de noms. L’opération "
"B<NS_GET_OWNER_UID> d’B<ioctl>(2) peut être utilisée pour découvrir l’ID "
"d’utilisateur du propriétaire de l’espace de noms. Consultez B<ioctl_ns>(2)."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Effect of capabilities within a user namespace"
msgstr "Effet des capacités à l’intérieur d’un espace de noms utilisateur"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Having a capability inside a user namespace permits a process to perform "
"operations (that require privilege)  only on resources governed by that "
"namespace.  In other words, having a capability in a user namespace permits "
"a process to perform privileged operations on resources that are governed by "
"(nonuser)  namespaces owned by (associated with) the user namespace (see the "
"next subsection)."
msgstr ""
"Un processus qui possède des capacités dans un espace de noms utilisateur a "
"la possibilité d'effectuer des opérations (nécessitant des privilèges) "
"seulement sur les ressources gérées par cet espace de noms. En d’autres "
"mots, avoir une capacité dans un espace de noms permet à un processus de "
"réaliser des opérations privilégiées sur des ressources gérées par des "
"espaces de noms (non utilisateur) possédés par (associés avec) l’espace de "
"noms utilisateur (consultez la sous-section suivante)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"On the other hand, there are many privileged operations that affect "
"resources that are not associated with any namespace type, for example, "
"changing the system (i.e., calendar) time (governed by B<CAP_SYS_TIME>), "
"loading a kernel module (governed by B<CAP_SYS_MODULE>), and creating a "
"device (governed by B<CAP_MKNOD>).  Only a process with privileges in the "
"I<initial> user namespace can perform such operations."
msgstr ""
"D’un autre coté, il existe beaucoup d’opérations privilégiées affectant les "
"ressources qui ne sont associées à aucun type d’espace de noms, par exemple, "
"modifier l’heure du système (c’est-à-dire le calendrier) (régi par "
"B<CAP_SYS_TIME>), charger un module du noyau (régi par B<CAP_SYS_MODULE>) et "
"créer un périphérique (régi par B<CAP_MKNOD>). Seuls les processus avec "
"privilèges dans l’espace de noms I<initial> peuvent réaliser de telles "
"opérations."

#.  fs_flags = FS_USERNS_MOUNT in kernel sources
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's "
"mount namespace allows that process to create bind mounts and mount the "
"following types of filesystems:"
msgstr ""
"Avoir B<CAP_SYS_ADMIN> dans un espace de noms utilisateur qui possède un "
"espace de noms de montage de processus permet à ce processus de créer des "
"remontages (bind mount) et de monter les types suivants de système de "
"fichiers :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I</proc> (since Linux 3.8)"
msgstr "I</proc/> (depuis Linux 3.8)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I</sys> (since Linux 3.8)"
msgstr "I</sys> (depuis Linux 3.8)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<devpts> (since Linux 3.9)"
msgstr "I<devpts> (depuis Linux 3.9)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "B<tmpfs>(5)  (since Linux 3.9)"
msgstr "B<tmpfs>(5) (depuis Linux 3.9)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<ramfs> (since Linux 3.9)"
msgstr "I<ramfs> (depuis Linux 3.9)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<mqueue> (since Linux 3.9)"
msgstr "I<mqueue> (depuis Linux 3.9)"

#.  commit b2197755b2633e164a439682fb05a9b5ea48f706
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<bpf> (since Linux 4.4)"
msgstr "I<bpf> (depuis Linux 4.4)"

#.  commit 92dbc9dedccb9759c7f9f2f0ae6242396376988f
#.  commit 4cb2c00c43b3fe88b32f29df4f76da1b92c33224
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<overlayfs> (since Linux 5.11)"
msgstr "I<overlayfs> (depuis Linux 5.11)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's "
"cgroup namespace allows (since Linux 4.6)  that process to the mount the "
"cgroup version 2 filesystem and cgroup version 1 named hierarchies (i.e., "
"cgroup filesystems mounted with the I<\"none,name=\"> option)."
msgstr ""
"Avoir B<CAP_SYS_ADMIN> dans l’espace de noms utilisateur qui possède un "
"espace de noms cgroup de processus permet (depuis Linux 4.6) à ce processus "
"de monter un système de fichiers cgroup version 2 ou cgroup version 1 "
"appelés hiérarchies (c’est-à-dire des systèmes de fichiers cgroup avec "
"l’option « I<none,name=> »)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's PID "
"namespace allows (since Linux 3.8)  that process to mount I</proc> "
"filesystems."
msgstr ""
"Avoir B<CAP_SYS_ADMIN> dans un espace de noms utilisateur qui possède un "
"espace de noms PID de processus permet (depuis Linux 3.8) à ce processus de "
"monter des systèmes de fichiers I</proc>."

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Note, however, that mounting block-based filesystems can be done only by a "
"process that holds B<CAP_SYS_ADMIN> in the initial user namespace."
msgstr ""
"Remarquez cependant que le montage de systèmes de fichiers basés sur les "
"blocs peut être réalisé seulement par un processus ayant B<CAP_SYS_ADMIN> "
"dans l’espace de noms utilisateur initial."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Interaction of user namespaces and other types of namespaces"
msgstr "Liens entre les espaces de noms utilisateur et les autres espaces de noms"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Starting in Linux 3.8, unprivileged processes can create user namespaces, "
"and the other types of namespaces can be created with just the "
"B<CAP_SYS_ADMIN> capability in the caller's user namespace."
msgstr ""
"À partir de Linux 3.8, les processus sans privilèges peuvent créer des "
"espaces de noms utilisateur et les autres espaces de noms peuvent être créés "
"avec simplement la capacité B<CAP_SYS_ADMIN> dans l'espace de noms "
"utilisateur de l'appelant."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a nonuser namespace is created, it is owned by the user namespace in "
"which the creating process was a member at the time of the creation of the "
"namespace.  Privileged operations on resources governed by the nonuser "
"namespace require that the process has the necessary capabilities in the "
"user namespace that owns the nonuser namespace."
msgstr ""
"Lorsqu'un espace de noms autre qu'utilisateur est créé, il appartient à "
"l'espace de noms utilisateur auquel appartenait à ce moment là le processus "
"à l'origine de la création de cet espace de noms. Les opérations "
"privilégiées sur des ressources régies par un espace de noms non utilisateur "
"nécessitent que le processus aient les capacités requises dans l’espace de "
"noms utilisateur qui possède l’espace de noms non utilisateur."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If B<CLONE_NEWUSER> is specified along with other B<CLONE_NEW*> flags in a "
"single B<clone>(2)  or B<unshare>(2)  call, the user namespace is guaranteed "
"to be created first, giving the child (B<clone>(2))  or caller "
"(B<unshare>(2))  privileges over the remaining namespaces created by the "
"call.  Thus, it is possible for an unprivileged caller to specify this "
"combination of flags."
msgstr ""
"Si B<CLONE_NEWUSER> est indiqué en complément de l'attribut B<CLONE_NEW*> "
"lors d'un appel simple à B<clone>(2) ou à B<unshare>(2), l'espace de noms "
"utilisateur est garanti d'être créé en premier. Cela donne des privilèges à "
"l’enfant (dans le cas de B<clone>(2)) ou à l'appelant (dans le cas de "
"B<unshare>(2)) dans les espaces de noms subsistants créés par l'appel. Il "
"est ainsi possible à un appelant sans privilèges d'indiquer ce jeu "
"d'attributs."

#
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a new namespace (other than a user namespace) is created via "
"B<clone>(2)  or B<unshare>(2), the kernel records the user namespace of the "
"creating process as the owner of the new namespace.  (This association can't "
"be changed.)  When a process in the new namespace subsequently performs "
"privileged operations that operate on global resources isolated by the "
"namespace, the permission checks are performed according to the process's "
"capabilities in the user namespace that the kernel associated with the new "
"namespace.  For example, suppose that a process attempts to change the "
"hostname (B<sethostname>(2)), a resource governed by the UTS namespace.  In "
"this case, the kernel will determine which user namespace owns the process's "
"UTS namespace, and check whether the process has the required capability "
"(B<CAP_SYS_ADMIN>)  in that user namespace."
msgstr ""
"Lorsqu'un nouvel espace de noms (autre qu’un espace de noms utilisateur) est "
"créé à l’aide de B<clone>(2) ou B<unshare>(2), le noyau enregistre l'espace "
"de noms utilisateur du processus créateur comme le propriétaire du nouvel "
"espace de noms. (Cette association ne peut pas être changée). Lorsqu'un "
"processus du nouvel espace de noms effectue ensuite une opération "
"privilégiée sur une ressource globale isolée par l'espace de noms, les "
"vérifications de permissions sont réalisées en fonction des capacités du "
"processus dans l'espace de noms utilisateur que le noyau a associé au nouvel "
"espace de noms. Par exemple, supposons qu’un processus essaie de modifier le "
"nom d’hôte (B<sethostname>(2)), une ressource régie par l’espace de noms "
"UTS. Dans ce cas le noyau déterminera quel espace de noms utilisateur "
"possède l’espace de noms UTS du processus et vérifiera si le processus à la "
"capacité requise (B<CAP_SYS_ADMIN>) dans cet espace de noms utilisateur."

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<NS_GET_USERNS> B<ioctl>(2)  operation can be used to discover the user "
"namespace that owns a nonuser namespace; see B<ioctl_ns>(2)."
msgstr ""
"L’opération B<NS_GET_USERNS> d’B<ioctl>(2) peut être utilisée pour découvrir "
"l’espace de noms utilisateur possédant l’espace de noms non utilisateur. "
"Consultez B<ioctl_ns>(2)."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "User and group ID mappings: uid_map and gid_map"
msgstr "Correspondance des identifiants d'utilisateur et de groupe : uid_map et gid_map"

#.  commit 22d917d80e842829d0ca0a561967d728eb1d6303
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a user namespace is created, it starts out without a mapping of user "
"IDs (group IDs)  to the parent user namespace.  The I</proc/>pidI</uid_map> "
"and I</proc/>pidI</gid_map> files (available since Linux 3.5)  expose the "
"mappings for user and group IDs inside the user namespace for the process "
"I<pid>.  These files can be read to view the mappings in a user namespace "
"and written to (once) to define the mappings."
msgstr ""
"Lorsqu'un espace de noms utilisateur est créé, il s'initialise sans établir "
"de mappage entre ses identifiants utilisateurs (identifiants de groupes) et "
"ceux de l'espace de noms parent. Les fichiers I</proc/>pidI</uid_map> et I</"
"proc/>pidI</gid_map> présentent (à partir de Linux 3.5) le mappage entre "
"identifiants utilisateur et groupe à l'intérieur de l'espace de noms "
"utilisateur pour le processus I<pid>. Ces fichiers peuvent être consultés "
"pour prendre connaissance des mappages dans un espace de noms utilisateur et "
"peuvent être modifiés (une seule fois) pour définir les mappages."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The description in the following paragraphs explains the details for "
"I<uid_map>; I<gid_map> is exactly the same, but each instance of \"user ID\" "
"is replaced by \"group ID\"."
msgstr ""
"Les paragraphes suivants décrivent I<uid_map> en détails. I<gid_map> est "
"parfaitement analogue, chaque instance de « identifiant utilisateur » étant "
"remplacée par « identifiant groupe »."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I<uid_map> file exposes the mapping of user IDs from the user namespace "
"of the process I<pid> to the user namespace of the process that opened "
"I<uid_map> (but see a qualification to this point below).  In other words, "
"processes that are in different user namespaces will potentially see "
"different values when reading from a particular I<uid_map> file, depending "
"on the user ID mappings for the user namespaces of the reading processes."
msgstr ""
"Le fichier I<uid_map> présente le mappage entre les identifiants utilisateur "
"de l'espace de noms utilisateur du processus I<pid> et ceux de l'espace de "
"noms utilisateur du processus qui a ouvert I<uid_map> (mais consultez la "
"réserve concernant ce point exposée ci-dessous). En d'autres termes, des "
"processus qui se trouvent dans différents espaces de noms verront des "
"valeurs différentes lors de la lecture d'un fichier I<uid_map> selon les "
"mappages des identifiants utilisateur pour l'espace de noms utilisateur du "
"processus qui effectue la lecture."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Each line in the I<uid_map> file specifies a 1-to-1 mapping of a range of "
"contiguous user IDs between two user namespaces.  (When a user namespace is "
"first created, this file is empty.)  The specification in each line takes "
"the form of three numbers delimited by white space.  The first two numbers "
"specify the starting user ID in each of the two user namespaces.  The third "
"number specifies the length of the mapped range.  In detail, the fields are "
"interpreted as follows:"
msgstr ""
"Chaque ligne du fichier I<uid_map> affiche un mappage un-pour-un d'un "
"intervalle d'identifiants utilisateur contigus de deux espaces de noms "
"utilisateur. Lorsqu'un espace de noms utilisateur vient d'être créé, ce "
"fichier est vide. Chaque ligne contient trois nombres délimités par des "
"espaces. Les deux premiers nombres indiquent les premiers identifiants "
"utilisateur de chacun des deux espaces de noms. Le troisième nombre indique "
"la longueur de l'intervalle de mappage. Plus précisément, les champs sont "
"interprétés de la façon suivante :"

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(1)"
msgstr "(1)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The start of the range of user IDs in the user namespace of the process "
"I<pid>."
msgstr ""
"Le début de l'intervalle d'identifiants utilisateur dans l'espace de noms "
"utilisateur du processus I<pid>."

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(2)"
msgstr "(2)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The start of the range of user IDs to which the user IDs specified by field "
"one map.  How field two is interpreted depends on whether the process that "
"opened I<uid_map> and the process I<pid> are in the same user namespace, as "
"follows:"
msgstr ""
"Le début de l'intervalle d'identifiants utilisateur auquel mappe "
"l'identifiant utilisateur indiqué dans le premier champ. Selon que le "
"processus qui a ouvert le fichier I<uid_map> et le processus I<pid> sont ou "
"non dans le même espace de noms, le deuxième champ est interprété de l'une "
"des façons suivantes :"

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(a)"
msgstr "(a)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the two processes are in different user namespaces: field two is the "
"start of a range of user IDs in the user namespace of the process that "
"opened I<uid_map>."
msgstr ""
"Si les deux processus sont dans différents espaces de noms utilisateur : le "
"deuxième champ est le début de l'intervalle d'identifiants utilisateur dans "
"l'espace de noms utilisateur du processus qui a ouvert I<uid_map>."

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(b)"
msgstr "(b)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the two processes are in the same user namespace: field two is the start "
"of the range of user IDs in the parent user namespace of the process "
"I<pid>.  This case enables the opener of I<uid_map> (the common case here is "
"opening I</proc/self/uid_map>)  to see the mapping of user IDs into the user "
"namespace of the process that created this user namespace."
msgstr ""
"Si les deux processus sont dans le même espace de noms utilisateur : le "
"second champ correspond au début de la séquence d'identifiants utilisateur "
"dans l'espace de noms utilisateur parent du processus I<pid>. Cela permet au "
"processus qui a ouvert I<uid_map> (généralement, le processus ouvre I</proc/"
"self/uid_map>) de voir le mappage des identifiants utilisateur dans l'espace "
"de noms utilisateur du processus qui a créé cet espace de noms utilisateur."

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(3)"
msgstr "(3)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The length of the range of user IDs that is mapped between the two user "
"namespaces."
msgstr ""
"La longueur de l'intervalle des identifiants utilisateur qui est mappé entre "
"les deux espaces de noms utilisateur."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"System calls that return user IDs (group IDs)\\[em]for example, "
"B<getuid>(2), B<getgid>(2), and the credential fields in the structure "
"returned by B<stat>(2)\\[em]return the user ID (group ID) mapped into the "
"caller's user namespace."
msgstr ""
"Les appels système qui renvoient des identifiants utilisateur (des "
"identifiant de groupes) \\[em] comme par exemple, B<getuid>(2), "
"B<getgid>(2), et les champs relatifs aux droits dans la structure renvoyée "
"par B<stat>(2) \\[em] affichent la valeur de l'identifiant utilisateur "
"(l'identifiant de groupe) mappé dans l'espace de noms utilisateur de "
"l'appelant."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a process accesses a file, its user and group IDs are mapped into the "
"initial user namespace for the purpose of permission checking and assigning "
"IDs when creating a file.  When a process retrieves file user and group IDs "
"via B<stat>(2), the IDs are mapped in the opposite direction, to produce "
"values relative to the process user and group ID mappings."
msgstr ""
"Lorsqu'un processus accède à un fichier, ses identifiant utilisateur et "
"groupe sont mappés dans l’espace de noms utilisateur initial pour pouvoir "
"vérifier les droits ou pour assigner des identifiants lors de la création "
"d'un fichier. Lorsqu'un processus obtient les identifiants utilisateur et "
"groupe d'un fichier par la commande B<stat>(2), les identifiants sont "
"évalués dans le sens inverse, afin de renvoyer les valeurs relatives aux "
"mappages des ID utilisateur et de groupe du processus."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The initial user namespace has no parent namespace, but, for consistency, "
"the kernel provides dummy user and group ID mapping files for this "
"namespace.  Looking at the I<uid_map> file (I<gid_map> is the same) from a "
"shell in the initial namespace shows:"
msgstr ""
"L'espace de noms utilisateur initial n'a pas d'espace de noms parent, mais "
"pour conserver la cohérence, le noyau lui attribue des fichiers de mappage "
"d'identifiants utilisateur et groupe factices pour cet espace de noms. Si "
"l'on consulte le fichier I<uid_map> (ou I<gid_map> de la même façon) depuis "
"une invite de commande dans l'espace de noms initial, on peut voir : "

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<cat /proc/$$/uid_map>\n"
"         0          0 4294967295\n"
msgstr ""
"$ B<cat /proc/$$/uid_map>\n"
"         0          0 4294967295\n"

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This mapping tells us that the range starting at user ID 0 in this namespace "
"maps to a range starting at 0 in the (nonexistent) parent namespace, and the "
"length of the range is the largest 32-bit unsigned integer.  This leaves "
"4294967295 (the 32-bit signed -1 value) unmapped.  This is deliberate: "
"I<(uid_t)\\~-1> is used in several interfaces (e.g., B<setreuid>(2))  as a "
"way to specify \"no user ID\".  Leaving I<(uid_t)\\~-1> unmapped and "
"unusable guarantees that there will be no confusion when using these "
"interfaces."
msgstr ""
"Ce mappage nous indique que l'intervalle commençant avec l'identifiant "
"utilisateur 0 dans cet espace de noms mappe avec un intervalle commençant "
"à 0 dans l'espace de noms parent (qui n'existe pas), et que la longueur de "
"cet intervalle est la valeur du plus grand entier 32 bits non signé. Cela "
"laisse 4294967295 (la valeur 32 bits signé moins 1) non mappé. Cela est "
"voulu : I<(uid_t)\\~-1> est utilisé dans plusieurs interfaces (par exemple, "
"B<setreuid>(2)) comme façon d’indiquer « pas d’ID utilisateur ». Laisser "
"I<(uid_t)\\~-1> non mappé et inutilisable garantit qu’il n’y aura aucune "
"confusion lors de l’utilisation de ces interfaces."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Defining user and group ID mappings: writing to uid_map and gid_map"
msgstr "Création des mappages d'ID utilisateur et groupe : écriture dans uid_map et gid_map"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"After the creation of a new user namespace, the I<uid_map> file of I<one> of "
"the processes in the namespace may be written to I<once> to define the "
"mapping of user IDs in the new user namespace.  An attempt to write more "
"than once to a I<uid_map> file in a user namespace fails with the error "
"B<EPERM>.  Similar rules apply for I<gid_map> files."
msgstr ""
"Après la création d'un nouvel espace de noms utilisateur, le fichier "
"I<uid_map> de l'I<un> des processus de l'espace de noms peut être ouvert en "
"écriture I<une seule fois> pour y consigner le mappage des identifiants "
"utilisateur dans le nouvel espace de noms utilisateur. Toute tentative "
"d'écrire plus d'une fois dans un fichier I<uid_map> se solde par un échec "
"qui renvoie l'erreur B<EPERM>. Des règles analogues s'appliquent aux "
"fichiers I<gid_map>."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The lines written to I<uid_map> (I<gid_map>)  must conform to the following "
"validity rules:"
msgstr ""
"Les lignes inscrites dans I<uid_map> (I<gid_map>) doivent suivre les règles "
"de validité suivantes :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The three fields must be valid numbers, and the last field must be greater "
"than 0."
msgstr ""
"Les trois champs doivent être des nombres valables et le dernier champ doit "
"être strictement positif."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Lines are terminated by newline characters."
msgstr "Les lignes doivent se terminer par un saut de ligne."

#.  5*12-byte records could fit in a 64B cache line
#.  commit 6397fac4915ab3002dc15aae751455da1a852f25
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"There is a limit on the number of lines in the file.  In Linux 4.14 and "
"earlier, this limit was (arbitrarily)  set at 5 lines.  Since Linux 4.15, "
"the limit is 340 lines.  In addition, the number of bytes written to the "
"file must be less than the system page size, and the write must be performed "
"at the start of the file (i.e., B<lseek>(2)  and B<pwrite>(2)  can't be used "
"to write to nonzero offsets in the file)."
msgstr ""
"Il y a une limite (arbitraire) du nombre de lignes que peut contenir le "
"fichier. Dans Linux 4.14 et précédents, la limite est (arbitrairement) de "
"5 lignes. Depuis Linux 4.15, la limite est de 340 lignes. En outre, le "
"nombre d'octets inscrits dans le fichier doit être inférieur à la taille "
"d'une page du système, et l'écriture doit être réalisée au début du fichier "
"(c’est-à-dire B<lseek>(2) et B<pwrite>(2) ne peuvent être utilisées pour "
"écrire dans le fichier avec un décalage non nul)."

#.  commit 0bd14b4fd72afd5df41e9fd59f356740f22fceba
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The range of user IDs (group IDs)  specified in each line cannot overlap "
"with the ranges in any other lines.  In the initial implementation (Linux "
"3.8), this requirement was satisfied by a simplistic implementation that "
"imposed the further requirement that the values in both field 1 and field 2 "
"of successive lines must be in ascending numerical order, which prevented "
"some otherwise valid maps from being created.  Linux 3.9 and later fix this "
"limitation, allowing any valid set of nonoverlapping maps."
msgstr ""
"L'intervalle d'identifiants utilisateur (ou de groupe) indiqué dans chaque "
"ligne ne peut recouvrir les intervalles des autres lignes. Dans "
"l'implémentation initiale (Linux 3.8), cette règle était assurée par une "
"implémentation plus sommaire qui comprenait une contrainte supplémentaire : "
"les deux premiers champs de chaque ligne devaient apparaître en ordre "
"croissant. Cela empêchait cependant la création de mappages valables. Ce "
"problème a été réglé dans Linux 3.9 et suivants, et toutes les combinaisons "
"valables de mappages non recouvrantes sont désormais acceptées."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "At least one line must be written to the file."
msgstr "Au moins une ligne doit être inscrite dans le fichier."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Writes that violate the above rules fail with the error B<EINVAL>."
msgstr ""
"Les opérations d'écritures qui ne respectent pas les règles énoncées "
"précédemment échouent en renvoyant l'erreur B<EINVAL>."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In order for a process to write to the I</proc/>pidI</uid_map> (I</proc/"
">pidI</gid_map>)  file, all of the following permission requirements must be "
"met:"
msgstr ""
"Un processus ne peut écrire dans le fichier I</proc/>pidI</uid_map> (I</proc/"
">pidI</gid_map>) qu'à la condition de respecter les contraintes suivantes :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The writing process must have the B<CAP_SETUID> (B<CAP_SETGID>)  capability "
"in the user namespace of the process I<pid>."
msgstr ""
"Le processus réalisant l'écriture doit disposer de la capacité B<CAP_SETUID> "
"(B<CAP_SETGID>) dans l'espace de noms utilisateur du processus I<pid>."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The writing process must either be in the user namespace of the process "
"I<pid> or be in the parent user namespace of the process I<pid>."
msgstr ""
"Le processus réalisant l'écriture doit se trouver soit dans l'espace de noms "
"utilisateur du processus I<pid>, soit dans l'espace de noms utilisateur "
"parent du processus I<pid>."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The mapped user IDs (group IDs) must in turn have a mapping in the parent "
"user namespace."
msgstr ""
"Les identifiants utilisateur (ou groupe) mappés doivent, en retour, avoir un "
"mappage dans l'espace de noms utilisateur parent."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If updating I</proc/>pidI</uid_map> to create a mapping that maps UID 0 in "
"the parent namespace, then one of the following must be true:"
msgstr ""
"Pour une mise à jour de I</proc/>pidI</uid_map> pour créer un mappage pour "
"l’UID\\ 0 dans l’espace de noms parent, une des propositions suivantes doit "
"être vraie\\ :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"if writing process is in the parent user namespace, then it must have the "
"B<CAP_SETFCAP> capability in that user namespace; or"
msgstr ""
"si le processus écrivain est dans l’espace de noms utilisateur parent, il "
"doit disposer de la capacité B<CAP_SETUID>\\ ;"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"if the writing process is in the child user namespace, then the process that "
"created the user namespace must have had the B<CAP_SETFCAP> capability when "
"the namespace was created."
msgstr ""
"si le processus écrivain est dans l’espace de noms enfant, alors le "
"processus ayant créé l’espace de noms utilisateur doit avoir la capacité "
"B<CAP_SETFCAP> lors de la création de l’espace de noms."

#.  commit db2e718a47984b9d71ed890eb2ea36ecf150de18
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This rule has been in place since Linux 5.12.  It eliminates an earlier "
"security bug whereby a UID 0 process that lacks the B<CAP_SETFCAP> "
"capability, which is needed to create a binary with namespaced file "
"capabilities (as described in B<capabilities>(7)), could nevertheless create "
"such a binary, by the following steps:"
msgstr ""
"Cette règle a été mise en place depuis Linux\\ 5.12. Elle supprime un bogue "
"de sécurité précédent à cause duquel un processus d’UID\\ 0 n’ayant pas la "
"capacité B<CAP_SETFCAP>, qui est nécessaire pour créer un binaire avec les "
"capacités de fichier d’un certain espace de noms (comme décrit dans "
"B<capabilities>(7)), pouvait néanmoins créer un tel binaire en effectuant "
"les étapes suivantes\\ :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Create a new user namespace with the identity mapping (i.e., UID 0 in the "
"new user namespace maps to UID 0 in the parent namespace), so that UID 0 in "
"both namespaces is equivalent to the same root user ID."
msgstr ""
"Créer un nouvel espace de noms utilisateur avec le mappage d’identifiant "
"(c’est-à-dire, UID\\ 0 dans le nouvel espace de noms utilisateur correspond "
"à l’UID\\ 0 dans l’espace de noms parent), ainsi cet UID\\ 0 dans les deux "
"espaces de noms est équivalent au même ID de superutilisateur."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Since the child process has the B<CAP_SETFCAP> capability, it could create a "
"binary with namespaced file capabilities that would then be effective in the "
"parent user namespace (because the root user IDs are the same in the two "
"namespaces)."
msgstr ""
"Puisque le processus enfant a la capacité B<CAP_SETFCAP>, il peut créer un "
"binaire avec les capacités de fichier d’un certain espace de noms qui serait "
"alors disponible dans l’espace de noms parent (parce que les ID du "
"superutilisateur sont les mêmes dans les deux espaces de noms)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "One of the following two cases applies:"
msgstr "L'un des deux points suivants est vérifié :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I<Either> the writing process has the B<CAP_SETUID> (B<CAP_SETGID>)  "
"capability in the I<parent> user namespace."
msgstr ""
"I<soit> le processus réalisant l'écriture doit disposer de la capacité "
"B<CAP_SETUID> ( B<CAP_SETGID>) dans l'espace de noms utilisateur I<parent>."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"No further restrictions apply: the process can make mappings to arbitrary "
"user IDs (group IDs)  in the parent user namespace."
msgstr ""
"Aucune autre restriction, le processus peut établir des mappages vers les ID "
"utilisateur (groupe) dans l’espace de noms parent."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<Or> otherwise all of the following restrictions apply:"
msgstr "I<Ou> sinon toutes les restrictions suivantes s’appliquent :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The data written to I<uid_map> (I<gid_map>)  must consist of a single line "
"that maps the writing process's effective user ID (group ID) in the parent "
"user namespace to a user ID (group ID)  in the user namespace."
msgstr ""
"Les données inscrites dans I<uid_map> (I<gid_map>) doivent consister en une "
"seule ligne qui mappe l'identifiant utilisateur effectif (groupe) du "
"processus écrivant dans l’espace de noms utilisateur parent à un ID "
"utilisateur (groupe) dans l’espace de noms utilisateur."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The writing process must have the same effective user ID as the process that "
"created the user namespace."
msgstr ""
"Le processus réalisant l'écriture doit avoir le même ID utilisateur effectif "
"que le processus ayant créé l’espace de noms utilisateur."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the case of I<gid_map>, use of the B<setgroups>(2)  system call must "
"first be denied by writing \\[dq]I<deny>\\[dq] to the I</proc/>pidI</"
"setgroups> file (see below) before writing to I<gid_map>."
msgstr ""
"Dans le cas de I<gid_map>, l’utilisation de l’appel système B<setgroups>(2) "
"doit être d’abord interdit en écrivant « I<deny> » dans le fichier I</proc/"
">pidI</setgroups> (voir ci-dessous) avant d’écrire dans I<gid_map>."

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Writes that violate the above rules fail with the error B<EPERM>."
msgstr "Les écritures violant ces règles échouent avec l’erreur B<EPERM>."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Project ID mappings: projid_map"
msgstr "Mappages d’ID de projet : projid_map"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Similarly to user and group ID mappings, it is possible to create project ID "
"mappings for a user namespace.  (Project IDs are used for disk quotas; see "
"B<setquota>(8)  and B<quotactl>(2).)"
msgstr ""
"De la même manière que pour les mappages d’ID d’utilisateur et de groupe, il "
"est possible de créer des mappages d’ID de projet pour un espace de noms "
"utilisateur (les ID de projets sont utilisés pour des quotas de disque, "
"consulter B<setquota>(8) et B<quotactl>(2))."

#.  commit f76d207a66c3a53defea67e7d36c3eb1b7d6d61d
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Project ID mappings are defined by writing to the I</proc/>pidI</projid_map> "
"file (present since Linux 3.7)."
msgstr ""
"Les mappages d’ID de projet sont définis par des écritures dans le fichier "
"I</proc/>pidI</projid_map> (présent depuis Linux\\ 3.7)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The validity rules for writing to the I</proc/>pidI</projid_map> file are as "
"for writing to the I<uid_map> file; violation of these rules causes "
"B<write>(2)  to fail with the error B<EINVAL>."
msgstr ""
"Les règles de validité pour écrire dans le fichier I</proc/>pidI</"
"projid_map> sont les mêmes que pour le fichier I<uid_map>. Une violation de "
"ces règles provoque l'échec de B<write>(2) avec l’erreur B<EINVAL>."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The permission rules for writing to the I</proc/>pidI</projid_map> file are "
"as follows:"
msgstr ""
"Les règles de permission pour écrire dans le fichier I</proc/>pidI</"
"projid_map> sont les suivantes\\ :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The mapped project IDs must in turn have a mapping in the parent user "
"namespace."
msgstr ""
"Les ID de projet mappés doivent, en retour, avoir un mappage dans l'espace "
"de noms utilisateur parent."

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Violation of these rules causes B<write>(2)  to fail with the error B<EPERM>."
msgstr ""
"La violation de ces règles provoque l'échec de B<write>(2) avec l’erreur "
"B<EPERM>."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Interaction with system calls that change process UIDs or GIDs"
msgstr "Interaction avec les appels système qui modifient les UID ou les GID"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In a user namespace where the I<uid_map> file has not been written, the "
"system calls that change user IDs will fail.  Similarly, if the I<gid_map> "
"file has not been written, the system calls that change group IDs will "
"fail.  After the I<uid_map> and I<gid_map> files have been written, only the "
"mapped values may be used in system calls that change user and group IDs."
msgstr ""
"Dans un espace de noms utilisateur où aucun fichier I<uid_map> n’a été "
"écrit, les appels système qui modifient l’ID utilisateur échoueront. De la "
"même manière, si le fichier I<gid_map> n’a pas été écrit, les appels système "
"modifiant les ID de groupe échoueront. Après que les fichiers I<uid_map> et "
"I<gid_map> aient été écrits, seules les valeurs mappées peuvent être "
"utilisées dans les appels système modifiant les ID utilisateur et groupe."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"For user IDs, the relevant system calls include B<setuid>(2), "
"B<setfsuid>(2), B<setreuid>(2), and B<setresuid>(2).  For group IDs, the "
"relevant system calls include B<setgid>(2), B<setfsgid>(2), B<setregid>(2), "
"B<setresgid>(2), and B<setgroups>(2)."
msgstr ""
"Pour les ID utilisateur, les appels système concernés incluent B<setuid>(2), "
"B<setfsuid>(2), B<setreuid>(2) et B<setresuid>(2). Pour les ID de groupe, "
"les appels système concernés incluent B<setgid>(2), B<setfsgid>(2), "
"B<setregid>(2), B<setresgid>(2) et B<setgroups>(2)."

#
#.  Things changed in Linux 3.19
#.  commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
#.  commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
#.  http://lwn.net/Articles/626665/
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Writing \\[dq]I<deny>\\[dq] to the I</proc/>pidI</setgroups> file before "
"writing to I</proc/>pidI</gid_map> will permanently disable B<setgroups>(2)  "
"in a user namespace and allow writing to I</proc/>pidI</gid_map> without "
"having the B<CAP_SETGID> capability in the parent user namespace."
msgstr ""
"Écrire « I<deny> » dans le fichier I</proc/>pidI</setgroups> avant d’écrire "
"dans I</proc/>pidI</gid_map> désactivera de manière permanente "
"B<setgroups>(2) dans un espace de noms utilisateur et permettra d’écrire "
"dans I</proc/>pidI</gid_map> sans avoir la capacité B<CAP_SETGID> dans "
"l’espace de noms utilisateur parent."

#. type: SS
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy, no-wrap
#| msgid "The /proc/[pid]/setgroups file"
msgid "The I</proc/>pidI</setgroups> file"
msgstr "Le fichier /proc/[pid]/setgroups"

#
#.  commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
#.  commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
#.  http://lwn.net/Articles/626665/
#.  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8989
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I</proc/>pidI</setgroups> file displays the string \\[dq]I<allow>\\[dq] "
"if processes in the user namespace that contains the process I<pid> are "
"permitted to employ the B<setgroups>(2)  system call; it displays "
"\\[dq]I<deny>\\[dq] if B<setgroups>(2)  is not permitted in that user "
"namespace.  Note that regardless of the value in the I</proc/>pidI</"
"setgroups> file (and regardless of the process's capabilities), calls to "
"B<setgroups>(2)  are also not permitted if I</proc/>pidI</gid_map> has not "
"yet been set."
msgstr ""
"Le fichier I</proc/>pidI</setgroups> affichera la chaîne « I<allow> » si les "
"processus dans l’espace de noms utilisateur qui contient le processus I<pid> "
"sont autorisés à employer l’appel système B<setgroups>(2). Il affichera "
"« I<deny> » si B<setgroups>(2) n’est pas autorisé dans cet espace de noms "
"utilisateur. Remarquez que quelle que soit la valeur dans le fichier I</proc/"
">pidI</setgroups> (et quelles que soient les capacités du processus), les "
"appels à B<setgroups>(2) ne sont en outre pas permis si I</proc/"
">pidI<gid_map> n’a pas encore été défini."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A privileged process (one with the B<CAP_SYS_ADMIN> capability in the "
"namespace) may write either of the strings \\[dq]I<allow>\\[dq] or "
"\\[dq]I<deny>\\[dq] to this file I<before> writing a group ID mapping for "
"this user namespace to the file I</proc/>pidI</gid_map>.  Writing the string "
"\\[dq]I<deny>\\[dq] prevents any process in the user namespace from "
"employing B<setgroups>(2)."
msgstr ""
"Un processus privilégié (un avec la capacité B<CAP_SYS_ADMIN> dans l’espace "
"de noms) peut écrire une des chaînes « I<allow> » ou « I<deny> » dans ce "
"fichier I<avant> d’écrire un mappage d’ID de groupe pour cet espace de noms "
"utilisateur dans le fichier I</proc/>pidI</gid_map>. Écrire la chaîne "
"« I<deny> » empêche tout processus dans l’espace de noms utilisateur "
"d’employer B<setgroups>(2)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The essence of the restrictions described in the preceding paragraph is that "
"it is permitted to write to I</proc/>pidI</setgroups> only so long as "
"calling B<setgroups>(2)  is disallowed because I</proc/>pidI</gid_map> has "
"not been set.  This ensures that a process cannot transition from a state "
"where B<setgroups>(2)  is allowed to a state where B<setgroups>(2)  is "
"denied; a process can transition only from B<setgroups>(2)  being disallowed "
"to B<setgroups>(2)  being allowed."
msgstr ""
"L’idée de ces restrictions décrites dans le paragraphe précédent est qu’il "
"n'est permis d’écrire dans I</proc/>pidI</setgroups> que sil’appel à "
"B<setgroups>(2) est désactivé parce que I</proc/>pidI</gid_map> n’a pas été "
"défini. Cela garantit qu’un processus ne peut transiter d’un état dans "
"lequel B<setgroups>(2) est autorisé vers un état dans lequel B<setgroups>(2) "
"est interdit. Un processus peut transiter seulement de B<setgroups>(2) "
"interdit vers B<setgroups>(2) autorisé."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The default value of this file in the initial user namespace is "
"\\[dq]I<allow>\\[dq]."
msgstr ""
"La valeur par défaut dans ce fichier dans l’espace de noms utilisateur "
"initial est « I<allow> »."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Once I</proc/>pidI</gid_map> has been written to (which has the effect of "
"enabling B<setgroups>(2)  in the user namespace), it is no longer possible "
"to disallow B<setgroups>(2)  by writing \\[dq]I<deny>\\[dq] to I</proc/"
">pidI</setgroups> (the write fails with the error B<EPERM>)."
msgstr ""
"Une fois que I</proc/>pidI</gid_map> a été écrit (ce qui a pour effet "
"d’activer B<setgroups>(2) dans l’espace de noms utilisateur), il n’est plus "
"possible de désactiver B<setgroups>(2) en écrivant « I<deny> » dans I</proc/"
">pidI</setgroups> (l’écriture échoue avec l’erreur B<EPERM>)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A child user namespace inherits the I</proc/>pidI</setgroups> setting from "
"its parent."
msgstr ""
"Un espace de noms utilisateur enfant hérite du réglage I</proc/>pidI</"
"setgroups> de son parent."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the I<setgroups> file has the value \\[dq]I<deny>\\[dq], then the "
"B<setgroups>(2)  system call can't subsequently be reenabled (by writing "
"\\[dq]I<allow>\\[dq] to the file) in this user namespace.  (Attempts to do "
"so fail with the error B<EPERM>.)  This restriction also propagates down to "
"all child user namespaces of this user namespace."
msgstr ""
"Si le fichier I<setgroups> a la valeur « I<deny> », alors l’appel système "
"B<setgroups>(2) ne peut pas par la suite être réactivé (en écrivant "
"« I<allow> » dans le fichier) dans cet espace de noms utilisateur (toute "
"tentative échouera avec l’erreur B<EPERM>). Cette restriction se propage "
"vers les espaces de noms utilisateur enfant de cet espace de noms "
"utilisateur."

#
#
#
#
#.  /proc/PID/setgroups
#. 	[allow == setgroups() is allowed, "deny" == setgroups() is disallowed]
#. 	* Can write if have CAP_SYS_ADMIN in NS
#. 	* Must write BEFORE writing to /proc/PID/gid_map
#.  setgroups()
#. 	* Must already have written to gid_map
#. 	* /proc/PID/setgroups must be "allow"
#.  /proc/PID/gid_map -- writing
#. 	* Must already have written "deny" to /proc/PID/setgroups
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I</proc/>pidI</setgroups> file was added in Linux 3.19, but was "
"backported to many earlier stable kernel series, because it addresses a "
"security issue.  The issue concerned files with permissions such as \"rwx---"
"rwx\".  Such files give fewer permissions to \"group\" than they do to "
"\"other\".  This means that dropping groups using B<setgroups>(2)  might "
"allow a process file access that it did not formerly have.  Before the "
"existence of user namespaces this was not a concern, since only a privileged "
"process (one with the B<CAP_SETGID> capability) could call B<setgroups>(2).  "
"However, with the introduction of user namespaces, it became possible for an "
"unprivileged process to create a new namespace in which the user had all "
"privileges.  This then allowed formerly unprivileged users to drop groups "
"and thus gain file access that they did not previously have.  The I</proc/"
">pidI</setgroups> file was added to address this security issue, by denying "
"any pathway for an unprivileged process to drop groups with B<setgroups>(2)."
msgstr ""
"Le fichier I</proc/>pidI</setgroups> a été ajouté dans Linux 3.19, mais a "
"été rétroporté vers plusieurs séries stables du noyau car il corrige un "
"problème de sécurité. Cela concernait les fichiers avec les permissions "
"telles que « rwx---rwx ». De tels fichiers accordent moins de permissions au "
"« group » qu’elles ne donnent à « other ». Cela signifie qu’abandonner les "
"groupes utilisant B<setgroups>(2) peut permettre un accès au fichier du "
"processus que celui-ci n’avait pas auparavant. Avant l’existence des espaces "
"de noms utilisateur cela n’était pas un problème, puisque seul un processus "
"privilégié (un avec la capacité B<CAP_SETGID>) pouvait appeler "
"B<setgroups>(2). Cependant, avec l’introduction des espaces de noms "
"utilisateur, il est devenu possible pour un processus non privilégié de "
"créer un nouvel espace de noms dans lequel l’utilisateur a tous les "
"privilèges. Cela permet alors à des utilisateurs anciennement non "
"privilégiés d’abandonner les groupes et donc obtenir l’accès à des fichiers "
"auxquels ils ne pouvaient pas accéder. Le fichier I</proc/>pidI</setgroups> "
"a été ajouté pour résoudre le problème de sécurité en refusant à tout chemin "
"pour un processus non privilégié d’abandonner les groupes avec "
"B<setgroups>(2)."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Unmapped user and group IDs"
msgstr "ID utilisateur et groupe non mappés"

#.  from_kuid_munged(), from_kgid_munged()
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"There are various places where an unmapped user ID (group ID)  may be "
"exposed to user space.  For example, the first process in a new user "
"namespace may call B<getuid>(2)  before a user ID mapping has been defined "
"for the namespace.  In most such cases, an unmapped user ID is converted to "
"the overflow user ID (group ID); the default value for the overflow user ID "
"(group ID) is 65534.  See the descriptions of I</proc/sys/kernel/"
"overflowuid> and I</proc/sys/kernel/overflowgid> in B<proc>(5)."
msgstr ""
"Il existe différentes situations dans lesquelles un identifiant utilisateur "
"(ou de groupe) non mappé peut être exposé dans un espace de noms "
"utilisateur. Par exemple, le premier processus d'un nouvel espace de noms "
"utilisateur peut appeler B<getuid>() avant que le mappage des identifiants "
"utilisateur ait été défini pour l'espace de noms. Dans la plupart de ces "
"cas, l'identifiant utilisateur non mappé est converti en un identifiant "
"utilisateur (groupe) au-delà de la limite de débordement ; la valeur par "
"défaut au delà de cette limite pour un identifiant utilisateur (ou groupe) "
"est 65534. Consultez les descriptions de I</proc/sys/kernel/overflowuid> et "
"de I</proc/sys/kernel/overflowgid> dans B<proc>(5)."

#.  also SO_PEERCRED
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The cases where unmapped IDs are mapped in this fashion include system calls "
"that return user IDs (B<getuid>(2), B<getgid>(2), and similar), credentials "
"passed over a UNIX domain socket, credentials returned by B<stat>(2), "
"B<waitid>(2), and the System V IPC \"ctl\" B<IPC_STAT> operations, "
"credentials exposed by I</proc/>pidI</status> and the files in I</proc/"
"sysvipc/*>, credentials returned via the I<si_uid> field in the I<siginfo_t> "
"received with a signal (see B<sigaction>(2)), credentials written to the "
"process accounting file (see B<acct>(5)), and credentials returned with "
"POSIX message queue notifications (see B<mq_notify>(3))."
msgstr ""
"Les situations dans lesquelles des identifiants non mappés sont transformés "
"de cette façon comprennent les cas des appels système qui renvoient des "
"identifiants utilisateur (B<getuid>(2), B<getgid>(2) et les appels "
"similaires), les accréditations passées à l’aide d’un socket de domaine "
"UNIX, les accréditations renvoyées par B<stat>(2), B<waitid>(2) et les "
"autres opérations IPC « ctl » B<IPC_STAT> de System V, les accréditations "
"présentées par I</proc/>pidI</status> et les fichiers I</proc/sysvipc/*>, "
"les accréditations renvoyées par le champ I<si_uid> de I<siginfo_t> reçues "
"avec un signal (consultez B<sigaction>(2)), les accréditations écrites dans "
"le fichier du processus de tenue des comptes (consultez B<acct>(5)) et les "
"accréditations renvoyées avec des notifications de files de messages POSIX "
"(consultez B<mq_notify>(3))."

#
#.  from_kuid(), from_kgid()
#.  Also F_GETOWNER_UIDS is an exception
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"There is one notable case where unmapped user and group IDs are I<not> "
"converted to the corresponding overflow ID value.  When viewing a I<uid_map> "
"or I<gid_map> file in which there is no mapping for the second field, that "
"field is displayed as 4294967295 (-1 as an unsigned integer)."
msgstr ""
"Il est un cas notable où des identifiants d'utilisateur et de groupe non "
"mappés I<ne sont pas> convertis en des valeurs d’ID correspondantes au-delà "
"de la limite. Lors de la consultation d'un fichier I<uid_map> ou I<gid_map> "
"dans lequel il n'y a pas de mappage pour le second champ, ce champ apparaît "
"comme 4294967295 (-1 représenté comme un entier non signé)."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Accessing files"
msgstr "Accession aux fichiers"

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In order to determine permissions when an unprivileged process accesses a "
"file, the process credentials (UID, GID) and the file credentials are in "
"effect mapped back to what they would be in the initial user namespace and "
"then compared to determine the permissions that the process has on the "
"file.  The same is also true of other objects that employ the credentials "
"plus permissions mask accessibility model, such as System V IPC objects."
msgstr ""
"Dans le but de déterminer les permissions quand un processus non privilégié "
"accède à un fichier, les accréditations du processus (UID, GID) et les "
"accréditations du fichier sont en réalité mappées vers ce qu’elles seraient "
"dans l’espace de noms utilisateur initial et alors comparées pour déterminer "
"les permissions que le processus possède sur le fichier. La même chose est "
"valable pour les autres objets qui emploient les accréditations plus le "
"modèle d’accessibilité avec le masque de permission, tels que les objets IPC "
"de System V."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Operation of file-related capabilities"
msgstr "Opérations sur les capacités relatives aux fichiers"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Certain capabilities allow a process to bypass various kernel-enforced "
"restrictions when performing operations on files owned by other users or "
"groups.  These capabilities are: B<CAP_CHOWN>, B<CAP_DAC_OVERRIDE>, "
"B<CAP_DAC_READ_SEARCH>, B<CAP_FOWNER>, and B<CAP_FSETID>."
msgstr ""
"Certaines capacités permettent à un processus de contourner diverses "
"restrictions imposées par le noyau lors d’opérations sur des fichiers "
"possédés par d’autres utilisateurs ou groupes. Ce sont B<CAP_CHOWN>, "
"B<CAP_DAC_OVERRIDE>, B<CAP_DAC_READ_SEARCH>, B<CAP_FOWNER> et B<CAP_FSETID>."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Within a user namespace, these capabilities allow a process to bypass the "
"rules if the process has the relevant capability over the file, meaning that:"
msgstr ""
"Dans un espace de noms utilisateur, ces capacités permettent à un processus "
"de contourner les règles si le processus possède la capacité adéquate sur le "
"fichier, signifiant que :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"the process has the relevant effective capability in its user namespace; and"
msgstr ""
"le processus a la capacité effective adéquate dans son espace de noms "
"utilisateur;"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"the file's user ID and group ID both have valid mappings in the user "
"namespace."
msgstr ""
"les ID utilisateur et groupe du fichier ont tous les deux des mappages "
"valables dans l’espace de noms utilisateur."

#
#.  These are the checks performed by the kernel function
#.  inode_owner_or_capable(). There is one exception to the exception:
#.  overriding the directory sticky permission bit requires that
#.  the file has a valid mapping for both its UID and GID.
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<CAP_FOWNER> capability is treated somewhat exceptionally: it allows a "
"process to bypass the corresponding rules so long as at least the file's "
"user ID has a mapping in the user namespace (i.e., the file's group ID does "
"not need to have a valid mapping)."
msgstr ""
"La capacité B<CAP_FOWNER> est traitée de manière quelque peu exceptionnelle. "
"Elle permet à un processus de contourner les règles correspondantes à "
"condition qu’au moins l’ID utilisateur du fichier possède un mappage dans "
"l’espace de noms utilisateur (c’est-à-dire que l’ID de groupe du fichier n’a "
"nul besoin d’avoir un mappage valable)."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Set-user-ID and set-group-ID programs"
msgstr "Programmes set-user-ID et set-group-ID"

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a process inside a user namespace executes a set-user-ID (set-group-ID) "
"program, the process's effective user (group) ID inside the namespace is "
"changed to whatever value is mapped for the user (group) ID of the file.  "
"However, if either the user I<or> the group ID of the file has no mapping "
"inside the namespace, the set-user-ID (set-group-ID) bit is silently "
"ignored: the new program is executed, but the process's effective user "
"(group) ID is left unchanged.  (This mirrors the semantics of executing a "
"set-user-ID or set-group-ID program that resides on a filesystem that was "
"mounted with the B<MS_NOSUID> flag, as described in B<mount>(2).)"
msgstr ""
"Lorsqu'un processus appartenant à un espace de noms exécute un programme set-"
"user-ID (set-group-ID), l'identifiant utilisateur (groupe) effectif du "
"processus dans l'espace de noms est changé à n’importe quelle valeur mappée "
"pour l’identifiant utilisateur (groupe) du fichier. Cependant, si "
"l'identifiant utilisateur I<ou> groupe n'a pas de mappage dans l'espace de "
"noms, le bit set-user-ID (set-group-ID) est ignoré silencieusement : le "
"nouveau programme est exécuté, mais l'identifiant utilisateur (groupe) "
"effectif n’est pas modifié. Cela reproduit la sémantique d'exécution d'un "
"programme set-user-ID ou set-group-ID qui se trouve dans un système de "
"fichiers monté avec l'indicateur B<MS_NOSUID>, comme indiqué dans "
"B<mount>(2)."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Miscellaneous"
msgstr "Divers"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a process's user and group IDs are passed over a UNIX domain socket to "
"a process in a different user namespace (see the description of "
"B<SCM_CREDENTIALS> in B<unix>(7)), they are translated into the "
"corresponding values as per the receiving process's user and group ID "
"mappings."
msgstr ""
"Lorsque les identifiants utilisateur et groupe d'un processus sont transmis "
"à l’aide d’un socket de domaine UNIX à un processus d'un autre espace de "
"noms (consultez la description de B<SCM_CREDENTIALS> dans B<unix>(7)), ils "
"sont transformés en leur valeur correspondante suivant les mappages des "
"identifiants utilisateur et groupe du processus réceptionnaire."

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "STANDARDS"
msgstr "STANDARDS"

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
msgid "Linux."
msgstr "Linux."

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NOTES"
msgstr "NOTES"

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Over the years, there have been a lot of features that have been added to "
"the Linux kernel that have been made available only to privileged users "
"because of their potential to confuse set-user-ID-root applications.  In "
"general, it becomes safe to allow the root user in a user namespace to use "
"those features because it is impossible, while in a user namespace, to gain "
"more privilege than the root user of a user namespace has."
msgstr ""
"Au fil des ans, de nombreuses fonctionnalités ont été ajoutées au noyau "
"Linux mais réservées aux utilisateurs disposant de privilèges du fait de la "
"confusion qu'elles peuvent induire dans les applications set-user-ID-root. "
"En général, il n'est pas dangereux d'autoriser un superutilisateur d'un "
"espace de noms à utiliser ces fonctionnalités parce qu'il est impossible, "
"dans un espace de noms utilisateur, d'obtenir plus de droits que ce que peut "
"obtenir le superutilisateur d’un espace de noms utilisateur."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Global root"
msgstr "Superutilisateur global"

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The term \"global root\" is sometimes used as a shorthand for user ID 0 in "
"the initial user namespace."
msgstr ""
"Le terme de « superutilisateur global » (global root) est parfois utilisé "
"comme un raccourci pour l’ID 0 dans l’espace de noms utilisateur initial."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Availability"
msgstr "Disponibilité"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Use of user namespaces requires a kernel that is configured with the "
"B<CONFIG_USER_NS> option.  User namespaces require support in a range of "
"subsystems across the kernel.  When an unsupported subsystem is configured "
"into the kernel, it is not possible to configure user namespaces support."
msgstr ""
"Le noyau doit avoir été configuré avec l'option B<CONFIG_USER_NS> pour "
"permettre l'utilisation des espaces de noms utilisateur. Ces espaces doivent "
"également être pris en charge par un ensemble de sous-systèmes du noyau. Si "
"un sous-système non pris en charge est activé dans le noyau, il n'est pas "
"possible de configurer la prise en charge des espaces de noms."

#.  commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"As at Linux 3.8, most relevant subsystems supported user namespaces, but a "
"number of filesystems did not have the infrastructure needed to map user and "
"group IDs between user namespaces.  Linux 3.9 added the required "
"infrastructure support for many of the remaining unsupported filesystems "
"(Plan 9 (9P), Andrew File System (AFS), Ceph, CIFS, CODA, NFS, and OCFS2).  "
"Linux 3.12 added support for the last of the unsupported major filesystems, "
"XFS."
msgstr ""
"Depuis Linux 3.8, la plupart des principaux sous-systèmes prennent en charge "
"les espaces de noms utilisateur, mais certains systèmes de fichiers n'ont "
"pas l'infrastructure nécessaire pour mapper les identifiants utilisateur et "
"groupe entre les espaces de noms utilisateur. Linux 3.9 a fourni "
"l'infrastructure nécessaire à la prise en charge de nombreux systèmes de "
"fichiers restants (Plan 9 (9P), Andrew File System (AFS), Ceph, CIFS, CODA, "
"NFS et OCFS2). Linux 3.12 a apporté la prise en charge du dernier des "
"principaux systèmes de fichiers non encore géré, XFS."

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "EXAMPLES"
msgstr "EXEMPLES"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The program below is designed to allow experimenting with user namespaces, "
"as well as other types of namespaces.  It creates namespaces as specified by "
"command-line options and then executes a command inside those namespaces.  "
"The comments and I<usage>()  function inside the program provide a full "
"explanation of the program.  The following shell session demonstrates its "
"use."
msgstr ""
"Le programme suivant est conçu pour permettre de s'exercer avec les espaces "
"de noms utilisateur, comme avec d'autres espaces de noms. Il crée des "
"espaces de noms tels que définis dans les options de la ligne de commande et "
"exécute une commande dans ces espaces de noms. Les commentaires et la "
"fonction I<usage>() dans le programme fournissent une explication détaillée "
"du programme. La session shell suivante illustre son utilisation."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "First, we look at the run-time environment:"
msgstr "Tout d'abord, regardons l'environnement d'exécution :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<uname -rs>     # Need Linux 3.8 or later\n"
"Linux 3.8.0\n"
"$ B<id -u>         # Running as unprivileged user\n"
"1000\n"
"$ B<id -g>\n"
"1000\n"
msgstr ""
"$ B<uname -rs>     # à partir de Linux 3.8\n"
"Linux 3.8.0\n"
"$ B<id -u>         # exécuté comme utilisateur sans privilèges\n"
"1000\n"
"$ B<id -g>\n"
"1000\n"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Now start a new shell in new user (I<-U>), mount (I<-m>), and PID (I<-p>)  "
"namespaces, with user ID (I<-M>)  and group ID (I<-G>)  1000 mapped to 0 "
"inside the user namespace:"
msgstr ""
"Démarrons maintenant un nouveau shell dans les nouveaux espaces de noms "
"utilisateur (I<-U>), de montage (I<-m>) et de PID (I<-p>), avec "
"l'identifiant utilisateur (I<-M>) et groupe (I<-G>) 1000 mappés à 0 dans "
"l'espace de noms utilisateur :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "$ B<./userns_child_exec -p -m -U -M \\[aq]0 1000 1\\[aq] -G \\[aq]0 1000 1\\[aq] bash>\n"
msgstr "$ B<./userns_child_exec -p -m -U -M \\[aq]0 1000 1\\[aq] -G \\[aq]0 1000 1\\[aq] bash>\n"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The shell has PID 1, because it is the first process in the new PID "
"namespace:"
msgstr ""
"Le shell a le PID 1 puisqu'il est le premier processus de l'espace de noms :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"bash$ B<echo $$>\n"
"1\n"
msgstr ""
"bash$ B<echo $$>\n"
"1\n"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Mounting a new I</proc> filesystem and listing all of the processes visible "
"in the new PID namespace shows that the shell can't see any processes "
"outside the PID namespace:"
msgstr ""
"Lorsque l'on monte un nouveau système de fichiers I</proc> et que l'on "
"affiche tous les processus visibles dans le nouvel espace de noms PID, on "
"constate que le shell peut voir tous les processus qui se trouvent à "
"l'extérieur de l'espace de noms PID :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"bash$ B<mount -t proc proc /proc>\n"
"bash$ B<ps ax>\n"
"  PID TTY      STAT   TIME COMMAND\n"
"    1 pts/3    S      0:00 bash\n"
"   22 pts/3    R+     0:00 ps ax\n"
msgstr ""
"bash$ B<mount -t proc proc /proc>\n"
"bash$ B<ps ax>\n"
"  PID TTY      STAT   TIME COMMAND\n"
"    1 pts/3    S      0:00 bash\n"
"   22 pts/3    R+     0:00 ps ax\n"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Inside the user namespace, the shell has user and group ID 0, and a full set "
"of permitted and effective capabilities:"
msgstr ""
"Dans l'espace de noms utilisateur, le shell a les identifiants utilisateur "
"et groupe 0, ainsi qu'un ensemble complet de capacités autorisées et "
"effectives :"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"bash$ B<cat /proc/$$/status | egrep \\[aq]\\[ha][UG]id\\[aq]>\n"
"Uid:\t0\t0\t0\t0\n"
"Gid:\t0\t0\t0\t0\n"
"bash$ B<cat /proc/$$/status | egrep \\[aq]\\[ha]Cap(Prm|Inh|Eff)\\[aq]>\n"
"CapInh:\t0000000000000000\n"
"CapPrm:\t0000001fffffffff\n"
"CapEff:\t0000001fffffffff\n"
msgstr ""
"bash$ B<cat /proc/$$/status | egrep \\[aq]\\[ha][UG]id\\[aq]>\n"
"Uid:\t0\t0\t0\t0\n"
"Gid:\t0\t0\t0\t0\n"
"bash$ B<cat /proc/$$/status | egrep \\[aq]\\[ha]Cap(Prm|Inh|Eff)\\[aq]>\n"
"CapInh:\t0000000000000000\n"
"CapPrm:\t0000001fffffffff\n"
"CapEff:\t0000001fffffffff\n"

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Program source"
msgstr "Source du programme"

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-tumbleweed
#, no-wrap
msgid ""
"/* userns_child_exec.c\n"
"\\&\n"
"   Licensed under GNU General Public License v2 or later\n"
"\\&\n"
"   Create a child process that executes a shell command in new\n"
"   namespace(s); allow UID and GID mappings to be specified when\n"
"   creating a user namespace.\n"
"*/\n"
"#define _GNU_SOURCE\n"
"#include E<lt>err.hE<gt>\n"
"#include E<lt>sched.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
"#include E<lt>stdint.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>sys/wait.hE<gt>\n"
"#include E<lt>signal.hE<gt>\n"
"#include E<lt>fcntl.hE<gt>\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>string.hE<gt>\n"
"#include E<lt>limits.hE<gt>\n"
"#include E<lt>errno.hE<gt>\n"
"\\&\n"
"struct child_args {\n"
"    char **argv;        /* Command to be executed by child, with args */\n"
"    int    pipe_fd[2];  /* Pipe used to synchronize parent and child */\n"
"};\n"
"\\&\n"
"static int verbose;\n"
"\\&\n"
"static void\n"
"usage(char *pname)\n"
"{\n"
"    fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n"
"    fprintf(stderr, \"Create a child process that executes a shell \"\n"
"            \"command in a new user namespace,\\en\"\n"
"            \"and possibly also other new namespace(s).\\en\\en\");\n"
"    fprintf(stderr, \"Options can be:\\en\\en\");\n"
"#define fpe(str) fprintf(stderr, \"    %s\", str);\n"
"    fpe(\"-i          New IPC namespace\\en\");\n"
"    fpe(\"-m          New mount namespace\\en\");\n"
"    fpe(\"-n          New network namespace\\en\");\n"
"    fpe(\"-p          New PID namespace\\en\");\n"
"    fpe(\"-u          New UTS namespace\\en\");\n"
"    fpe(\"-U          New user namespace\\en\");\n"
"    fpe(\"-M uid_map  Specify UID map for user namespace\\en\");\n"
"    fpe(\"-G gid_map  Specify GID map for user namespace\\en\");\n"
"    fpe(\"-z          Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n"
"    fpe(\"            (equivalent to: -M \\[aq]0 E<lt>uidE<gt> 1\\[aq] -G \\[aq]0 E<lt>gidE<gt> 1\\[aq])\\en\");\n"
"    fpe(\"-v          Display verbose messages\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n"
"    fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"    ID-inside-ns   ID-outside-ns   len\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"A map string can contain multiple records, separated\"\n"
"        \" by commas;\\en\");\n"
"    fpe(\"the commas are replaced by newlines before writing\"\n"
"        \" to map files.\\en\");\n"
"\\&\n"
"    exit(EXIT_FAILURE);\n"
"}\n"
"\\&\n"
"/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n"
"   \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n"
"   GID mapping consists of one or more newline-delimited records\n"
"   of the form:\n"
"\\&\n"
"       ID_inside-ns    ID-outside-ns   length\n"
"\\&\n"
"   Requiring the user to supply a string that contains newlines is\n"
"   of course inconvenient for command-line use. Thus, we permit the\n"
"   use of commas to delimit records in this string, and replace them\n"
"   with newlines before writing the string to the file. */\n"
"\\&\n"
"static void\n"
"update_map(char *mapping, char *map_file)\n"
"{\n"
"    int fd;\n"
"    size_t map_len;     /* Length of \\[aq]mapping\\[aq] */\n"
"\\&\n"
"    /* Replace commas in mapping string with newlines. */\n"
"\\&\n"
"    map_len = strlen(mapping);\n"
"    for (size_t j = 0; j E<lt> map_len; j++)\n"
"        if (mapping[j] == \\[aq],\\[aq])\n"
"            mapping[j] = \\[aq]\\en\\[aq];\n"
"\\&\n"
"    fd = open(map_file, O_RDWR);\n"
"    if (fd == -1) {\n"
"        fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
"\\&\n"
"    if (write(fd, mapping, map_len) != map_len) {\n"
"        fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
"\\&\n"
"    close(fd);\n"
"}\n"
"\\&\n"
"/* Linux 3.19 made a change in the handling of setgroups(2) and\n"
"   the \\[aq]gid_map\\[aq] file to address a security issue.  The issue\n"
"   allowed *unprivileged* users to employ user namespaces in\n"
"   order to drop groups.  The upshot of the 3.19 changes is that\n"
"   in order to update the \\[aq]gid_maps\\[aq] file, use of the setgroups()\n"
"   system call in this user namespace must first be disabled by\n"
"   writing \"deny\" to one of the /proc/PID/setgroups files for\n"
"   this namespace.  That is the purpose of the following function.  */\n"
"\\&\n"
"static void\n"
"proc_setgroups_write(pid_t child_pid, char *str)\n"
"{\n"
"    char setgroups_path[PATH_MAX];\n"
"    int fd;\n"
"\\&\n"
"    snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n"
"            (intmax_t) child_pid);\n"
"\\&\n"
"    fd = open(setgroups_path, O_RDWR);\n"
"    if (fd == -1) {\n"
"\\&\n"
"        /* We may be on a system that doesn\\[aq]t support\n"
"           /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n"
"           and the system won\\[aq]t impose the restrictions that Linux 3.19\n"
"           added. That\\[aq]s fine: we don\\[aq]t need to do anything in order\n"
"           to permit \\[aq]gid_map\\[aq] to be updated.\n"
"\\&\n"
"           However, if the error from open() was something other than\n"
"           the ENOENT error that is expected for that case,  let the\n"
"           user know. */\n"
"\\&\n"
"        if (errno != ENOENT)\n"
"            fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n"
"                strerror(errno));\n"
"        return;\n"
"    }\n"
"\\&\n"
"    if (write(fd, str, strlen(str)) == -1)\n"
"        fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n"
"            strerror(errno));\n"
"\\&\n"
"    close(fd);\n"
"}\n"
"\\&\n"
"static int              /* Start function for cloned child */\n"
"childFunc(void *arg)\n"
"{\n"
"    struct child_args *args = arg;\n"
"    char ch;\n"
"\\&\n"
"    /* Wait until the parent has updated the UID and GID mappings.\n"
"       See the comment in main(). We wait for end of file on a\n"
"       pipe that will be closed by the parent process once it has\n"
"       updated the mappings. */\n"
"\\&\n"
"    close(args-E<gt>pipe_fd[1]);    /* Close our descriptor for the write\n"
"                                   end of the pipe so that we see EOF\n"
"                                   when parent closes its descriptor. */\n"
"    if (read(args-E<gt>pipe_fd[0], &ch, 1) != 0) {\n"
"        fprintf(stderr,\n"
"                \"Failure in child: read from pipe returned != 0\\en\");\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
"\\&\n"
"    close(args-E<gt>pipe_fd[0]);\n"
"\\&\n"
"    /* Execute a shell command. */\n"
"\\&\n"
"    printf(\"About to exec %s\\en\", args-E<gt>argv[0]);\n"
"    execvp(args-E<gt>argv[0], args-E<gt>argv);\n"
"    err(EXIT_FAILURE, \"execvp\");\n"
"}\n"
"\\&\n"
"#define STACK_SIZE (1024 * 1024)\n"
"\\&\n"
"static char child_stack[STACK_SIZE];    /* Space for child\\[aq]s stack */\n"
"\\&\n"
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"    int flags, opt, map_zero;\n"
"    pid_t child_pid;\n"
"    struct child_args args;\n"
"    char *uid_map, *gid_map;\n"
"    const int MAP_BUF_SIZE = 100;\n"
"    char map_buf[MAP_BUF_SIZE];\n"
"    char map_path[PATH_MAX];\n"
"\\&\n"
"    /* Parse command-line options. The initial \\[aq]+\\[aq] character in\n"
"       the final getopt() argument prevents GNU-style permutation\n"
"       of command-line options. That\\[aq]s useful, since sometimes\n"
"       the \\[aq]command\\[aq] to be executed by this program itself\n"
"       has command-line options. We don\\[aq]t want getopt() to treat\n"
"       those as options to this program. */\n"
"\\&\n"
"    flags = 0;\n"
"    verbose = 0;\n"
"    gid_map = NULL;\n"
"    uid_map = NULL;\n"
"    map_zero = 0;\n"
"    while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n"
"        switch (opt) {\n"
"        case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC;        break;\n"
"        case \\[aq]m\\[aq]: flags |= CLONE_NEWNS;         break;\n"
"        case \\[aq]n\\[aq]: flags |= CLONE_NEWNET;        break;\n"
"        case \\[aq]p\\[aq]: flags |= CLONE_NEWPID;        break;\n"
"        case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS;        break;\n"
"        case \\[aq]v\\[aq]: verbose = 1;                  break;\n"
"        case \\[aq]z\\[aq]: map_zero = 1;                 break;\n"
"        case \\[aq]M\\[aq]: uid_map = optarg;             break;\n"
"        case \\[aq]G\\[aq]: gid_map = optarg;             break;\n"
"        case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER;       break;\n"
"        default:  usage(argv[0]);\n"
"        }\n"
"    }\n"
"\\&\n"
"    /* -M or -G without -U is nonsensical */\n"
"\\&\n"
"    if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n"
"                !(flags & CLONE_NEWUSER)) ||\n"
"            (map_zero && (uid_map != NULL || gid_map != NULL)))\n"
"        usage(argv[0]);\n"
"\\&\n"
"    args.argv = &argv[optind];\n"
"\\&\n"
"    /* We use a pipe to synchronize the parent and child, in order to\n"
"       ensure that the parent sets the UID and GID maps before the child\n"
"       calls execve(). This ensures that the child maintains its\n"
"       capabilities during the execve() in the common case where we\n"
"       want to map the child\\[aq]s effective user ID to 0 in the new user\n"
"       namespace. Without this synchronization, the child would lose\n"
"       its capabilities if it performed an execve() with nonzero\n"
"       user IDs (see the capabilities(7) man page for details of the\n"
"       transformation of a process\\[aq]s capabilities during execve()). */\n"
"\\&\n"
"    if (pipe(args.pipe_fd) == -1)\n"
"        err(EXIT_FAILURE, \"pipe\");\n"
"\\&\n"
"    /* Create the child in new namespace(s). */\n"
"\\&\n"
"    child_pid = clone(childFunc, child_stack + STACK_SIZE,\n"
"                      flags | SIGCHLD, &args);\n"
"    if (child_pid == -1)\n"
"        err(EXIT_FAILURE, \"clone\");\n"
"\\&\n"
"    /* Parent falls through to here. */\n"
"\\&\n"
"    if (verbose)\n"
"        printf(\"%s: PID of child created by clone() is %jd\\en\",\n"
"                argv[0], (intmax_t) child_pid);\n"
"\\&\n"
"    /* Update the UID and GID maps in the child. */\n"
"\\&\n"
"    if (uid_map != NULL || map_zero) {\n"
"        snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n"
"                (intmax_t) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n"
"                    (intmax_t) getuid());\n"
"            uid_map = map_buf;\n"
"        }\n"
"        update_map(uid_map, map_path);\n"
"    }\n"
"\\&\n"
"    if (gid_map != NULL || map_zero) {\n"
"        proc_setgroups_write(child_pid, \"deny\");\n"
"\\&\n"
"        snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n"
"                (intmax_t) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n"
"                    (intmax_t) getgid());\n"
"            gid_map = map_buf;\n"
"        }\n"
"        update_map(gid_map, map_path);\n"
"    }\n"
"\\&\n"
"    /* Close the write end of the pipe, to signal to the child that we\n"
"       have updated the UID and GID maps. */\n"
"\\&\n"
"    close(args.pipe_fd[1]);\n"
"\\&\n"
"    if (waitpid(child_pid, NULL, 0) == -1)      /* Wait for child */\n"
"        err(EXIT_FAILURE, \"waitpid\");\n"
"\\&\n"
"    if (verbose)\n"
"        printf(\"%s: terminating\\en\", argv[0]);\n"
"\\&\n"
"    exit(EXIT_SUCCESS);\n"
"}\n"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SEE ALSO"
msgstr "VOIR AUSSI"

#.  From the shadow package
#.  From the shadow package
#.  From the shadow package
#.  From the shadow package
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"B<newgidmap>(1), B<newuidmap>(1), B<clone>(2), B<ptrace>(2), B<setns>(2), "
"B<unshare>(2), B<proc>(5), B<subgid>(5), B<subuid>(5), B<capabilities>(7), "
"B<cgroup_namespaces>(7), B<credentials>(7), B<namespaces>(7), "
"B<pid_namespaces>(7)"
msgstr ""
"B<newgidmap>(1), B<newuidmap>(1), B<clone>(2), B<ptrace>(2), B<setns>(2), "
"B<unshare>(2), B<proc>(5), B<subgid>(5), B<subuid>(5), B<capabilities>(7), "
"B<cgroup_namespaces>(7), B<credentials>(7), B<namespaces>(7), "
"B<pid_namespaces>(7)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The kernel source file I<Documentation/admin-guide/namespaces/resource-"
"control.rst>."
msgstr ""
"Le fichier I<Documentation/admin-guide/namespaces/resource-control.rst> des "
"sources du noyau."

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "2023-02-05"
msgstr "5 février 2023"

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "Linux man-pages 6.03"
msgstr "Pages du manuel de Linux 6.03"

#. type: SS
#: debian-bookworm
#, no-wrap
msgid "The /proc/I<pid>/setgroups file"
msgstr "Le fichier /proc/I<pid>/setgroups"

#. type: Plain text
#: debian-bookworm
msgid "Namespaces are a Linux-specific feature."
msgstr "Les espaces de noms sont propres à Linux."

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "/* userns_child_exec.c\n"
msgstr "/* userns_child_exec.c\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "   Licensed under GNU General Public License v2 or later\n"
msgstr "   Sous licence publique générale GNU, versions 2 ou postérieures\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"   Create a child process that executes a shell command in new\n"
"   namespace(s); allow UID and GID mappings to be specified when\n"
"   creating a user namespace.\n"
"*/\n"
"#define _GNU_SOURCE\n"
"#include E<lt>err.hE<gt>\n"
"#include E<lt>sched.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
"#include E<lt>stdint.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>sys/wait.hE<gt>\n"
"#include E<lt>signal.hE<gt>\n"
"#include E<lt>fcntl.hE<gt>\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>string.hE<gt>\n"
"#include E<lt>limits.hE<gt>\n"
"#include E<lt>errno.hE<gt>\n"
msgstr ""
"Créer un processus enfant qui exécute une commande de shell dans\n"
"un nouvel espace de noms. Il permet de préciser les mappages\n"
"d'identifiants utilisateur et groupe lors de la création d’un\n"
"nouvel espace de noms utilisateur.\n"
"#define _GNU_SOURCE\n"
"#include E<lt>err.hE<gt>\n"
"#include E<lt>sched.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
"#include E<lt>stdint.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>sys/wait.hE<gt>\n"
"#include E<lt>signal.hE<gt>\n"
"#include E<lt>fcntl.hE<gt>\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>string.hE<gt>\n"
"#include E<lt>limits.hE<gt>\n"
"#include E<lt>errno.hE<gt>\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"struct child_args {\n"
"    char **argv;        /* Command to be executed by child, with args */\n"
"    int    pipe_fd[2];  /* Pipe used to synchronize parent and child */\n"
"};\n"
msgstr ""
"struct child_args {\n"
"    char **argv;        /* Commande à exécuter par l’enfant, avec arguments */\n"
"    int    pipe_fd[2];  /* Tube utilisé pour synchroniser le parent et l’enfant */\n"
"};\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "static int verbose;\n"
msgstr "static int verbose;\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static void\n"
"usage(char *pname)\n"
"{\n"
"    fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n"
"    fprintf(stderr, \"Create a child process that executes a shell \"\n"
"            \"command in a new user namespace,\\en\"\n"
"            \"and possibly also other new namespace(s).\\en\\en\");\n"
"    fprintf(stderr, \"Options can be:\\en\\en\");\n"
"#define fpe(str) fprintf(stderr, \"    %s\", str);\n"
"    fpe(\"-i          New IPC namespace\\en\");\n"
"    fpe(\"-m          New mount namespace\\en\");\n"
"    fpe(\"-n          New network namespace\\en\");\n"
"    fpe(\"-p          New PID namespace\\en\");\n"
"    fpe(\"-u          New UTS namespace\\en\");\n"
"    fpe(\"-U          New user namespace\\en\");\n"
"    fpe(\"-M uid_map  Specify UID map for user namespace\\en\");\n"
"    fpe(\"-G gid_map  Specify GID map for user namespace\\en\");\n"
"    fpe(\"-z          Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n"
"    fpe(\"            (equivalent to: -M \\[aq]0 E<lt>uidE<gt> 1\\[aq] -G \\[aq]0 E<lt>gidE<gt> 1\\[aq])\\en\");\n"
"    fpe(\"-v          Display verbose messages\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n"
"    fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"    ID-inside-ns   ID-outside-ns   len\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"A map string can contain multiple records, separated\"\n"
"        \" by commas;\\en\");\n"
"    fpe(\"the commas are replaced by newlines before writing\"\n"
"        \" to map files.\\en\");\n"
msgstr ""
"static void\n"
"usage(char *pname)\n"
"{\n"
"    fprintf(stderr, \"Utilisation: %s [options] cmd [arg...]\\en\\en\", pname);\n"
"    fprintf(stderr, \"Créer un processus enfant qui exécute une invite \"\n"
"            \"de commandes dans un nouvel espace de noms utilisateur et\\en\"\n"
"            \"éventuellement au moins un nouvel espace de noms.\\en\\en\");\n"
"    fprintf(stderr, \"Les options sont :\\en\\en\");\n"
"#define fpe(str) fprintf(stderr, \"    %s\", str);\n"
"    fpe(\"-i          Nouvel espace de noms IPC\\en\");\n"
"    fpe(\"-m          Nouvel espace de noms de montage\\en\");\n"
"    fpe(\"-n          Nouvel espace de noms réseau \\en\");\n"
"    fpe(\"-p          Nouvel espace de noms PID\\en\");\n"
"    fpe(\"-u          Nouvel espace de noms UTS\\en\");\n"
"    fpe(\"-U          Nouvel espace de noms utilisateur\\en\");\n"
"    fpe(\"-M uid_map  Mappage UID pour l'espace de noms utilisateur\\en\");\n"
"    fpe(\"-G gid_map  Mappage GID pour l'espace de noms utilisateur\\en\");\n"
"    fpe(\"-z          Mappage des UID et GID à 0 dans l'espace de noms\n"
"                     utilisateur\\en\");\n"
"    fpe(\"            (équivalent à : -M \\[aq]0 E<lt>uidE<gt> 1\\[aq] -G \\[aq]0 E<lt>gidE<gt> 1\\[aq])\\en\");\n"
"    fpe(\"-v          Affichage détaillé\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"Si -z, -M, or -G est invoqué, -U doit être précisé.\\en\");\n"
"    fpe(\"Il n'est pas possible d'utiliser -z et soit -M, soit -G.\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"Les chaînes de mappages pour -M et -G se composent\"\n"
"        \"d'enregistrements de la forme :\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"    ID-inside-ns   ID-outside-ns   len\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"Une chaîne de mappage peut contenir plusieurs\"\n"
"        \"enregistrements séparés par des virgules;\\en\");\n"
"    fpe(\"les virgules sont remplacées par des retours à la ligne\"\n"
"        \"avant l'écriture des fichiers de mappage.\\en\");\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    exit(EXIT_FAILURE);\n"
"}\n"
msgstr ""
"    exit(EXIT_FAILURE);\n"
"}\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n"
"   \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n"
"   GID mapping consists of one or more newline-delimited records\n"
"   of the form:\n"
msgstr ""
"/* Mise à jour du fichier de mappage \\[aq]map_file\\[aq], avec la valeur fournie\n"
"   dans \\[aq]mapping\\[aq], une chaîne qui définit un mappage d'identifiant\n"
"   utilisateur ou groupe. Un mappage d'identifiant d'utilisateur ou groupe\n"
"   se compose d'un ou plusieurs enregistrements séparés par des retours\n"
"   à la ligne de la forme suivante :\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "       ID_inside-ns    ID-outside-ns   length\n"
msgstr "       ID_dans-Espace    ID-hors-Espace   longueur\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"   Requiring the user to supply a string that contains newlines is\n"
"   of course inconvenient for command-line use. Thus, we permit the\n"
"   use of commas to delimit records in this string, and replace them\n"
"   with newlines before writing the string to the file. */\n"
msgstr ""
"  La nécessité de fournir une chaîne qui contienne des retours\n"
"  à la ligne ne convient pas bien à une utilisation en ligne de commande.\n"
"  C'est pour cette raison que l'utilisation des virgules pour délimiter les\n"
"  champs de la chaîne est autorisée. Celles-ci sont remplacées par des \n"
"  retours à la ligne avant l'écriture de la chaîne dans le fichier. */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static void\n"
"update_map(char *mapping, char *map_file)\n"
"{\n"
"    int fd;\n"
"    size_t map_len;     /* Length of \\[aq]mapping\\[aq] */\n"
msgstr ""
"static void\n"
"update_map(char *mapping, char *map_file)\n"
"{\n"
"    int fd;\n"
"    size_t map_len;     /* Longueur de \\[aq]mapping\\[aq] */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Replace commas in mapping string with newlines. */\n"
msgstr ""
"    /* Remplacer les virgules de la chaîne de mappage \n"
"       par des retours à la ligne */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    map_len = strlen(mapping);\n"
"    for (size_t j = 0; j E<lt> map_len; j++)\n"
"        if (mapping[j] == \\[aq],\\[aq])\n"
"            mapping[j] = \\[aq]\\en\\[aq];\n"
msgstr ""
"    map_len = strlen(mapping);\n"
"    for (size_t j = 0; j E<lt> map_len; j++)\n"
"        if (mapping[j] == \\[aq],\\[aq])\n"
"            mapping[j] = \\[aq]\\en\\[aq];\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    fd = open(map_file, O_RDWR);\n"
"    if (fd == -1) {\n"
"        fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""
"    fd = open(map_file, O_RDWR);\n"
"    if (fd == -1) {\n"
"        fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (write(fd, mapping, map_len) != map_len) {\n"
"        fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""
"    if (write(fd, mapping, map_len) != map_len) {\n"
"        fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    close(fd);\n"
"}\n"
msgstr ""
"    close(fd);\n"
"}\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* Linux 3.19 made a change in the handling of setgroups(2) and the\n"
"   \\[aq]gid_map\\[aq] file to address a security issue.  The issue allowed\n"
"   *unprivileged* users to employ user namespaces in order to drop groups.\n"
"   The upshot of the 3.19 changes is that in order to update the\n"
"   \\[aq]gid_maps\\[aq] file, use of the setgroups() system call in this\n"
"   user namespace must first be disabled by writing \"deny\" to one of\n"
"   the /proc/PID/setgroups files for this namespace.  That is the\n"
"   purpose of the following function. */\n"
msgstr ""
"/* Linux 3.19 a modifié la gestion de setgroups(2) et le fichier\n"
"   \\[aq]gid_map\\[aq] pour corriger le problème de sécurité. Celui-ci\n"
"   permet aux utilisateurs *non privilégiés* d’employer des espaces de noms\n"
"   utilisateur pour supprimer des groupes. Le résultat des modifications de 3.19\n"
"   est que pour mettre à jour le fichier \\[aq]gid_maps\\[aq],\n"
"   l’utilisation de l’appel système setgroups() dans cet espace de noms\n"
"   utilisateur doit d’abord être désactivée en écrivant « deny » dans\n"
"   un des fichiers /proc/PID/setgroups pour cet espace de noms. C’est\n"
"   le but de la fonction suivante. */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static void\n"
"proc_setgroups_write(pid_t child_pid, char *str)\n"
"{\n"
"    char setgroups_path[PATH_MAX];\n"
"    int fd;\n"
msgstr ""
"static void\n"
"proc_setgroups_write(pid_t child_pid, char *str)\n"
"{\n"
"    char setgroups_path[PATH_MAX];\n"
"    int fd;\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n"
"            (intmax_t) child_pid);\n"
msgstr ""
"    snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n"
"            (intmax_t) child_pid);\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    fd = open(setgroups_path, O_RDWR);\n"
"    if (fd == -1) {\n"
msgstr ""
"    fd = open(setgroups_path, O_RDWR);\n"
"    if (fd == -1) {\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* We may be on a system that doesn\\[aq]t support\n"
"           /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n"
"           and the system won\\[aq]t impose the restrictions that Linux 3.19\n"
"           added. That\\[aq]s fine: we don\\[aq]t need to do anything in order\n"
"           to permit \\[aq]gid_map\\[aq] to be updated.\n"
msgstr ""
"        /* Nous sommes peut être sur un système qui ne gère pas\n"
"           /proc/PID/setgroups. Dans ce cas, le fichier n’existe pas\n"
"           et le système n’impose pas les restrictions que Linux 3.19\n"
"           a ajoutées. Bien, nous n’avons pas besoin de faire quelque\n"
"           chose pour permettre la mise à jour de « gid_map ».\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"           However, if the error from open() was something other than\n"
"           the ENOENT error that is expected for that case,  let the\n"
"           user know. */\n"
msgstr ""
"           Cependant, si l’erreur d’open() était quelque chose autre que\n"
"           l’erreur ENOENT attendue dans ce cas, faisons que l’utilisateur\n"
"           le sache. */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        if (errno != ENOENT)\n"
"            fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n"
"                strerror(errno));\n"
"        return;\n"
"    }\n"
msgstr ""
"        if (errno != ENOENT)\n"
"            fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n"
"                strerror(errno));\n"
"        return;\n"
"    }\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (write(fd, str, strlen(str)) == -1)\n"
"        fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n"
"            strerror(errno));\n"
msgstr ""
"    if (write(fd, str, strlen(str)) == -1)\n"
"        fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n"
"            strerror(errno));\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static int              /* Start function for cloned child */\n"
"childFunc(void *arg)\n"
"{\n"
"    struct child_args *args = arg;\n"
"    char ch;\n"
msgstr ""
"static int              /* Lancer la fonction pour l’enfant cloné */\n"
"childFunc(void *arg)\n"
"{\n"
"    struct child_args *args = arg;\n"
"    char ch;\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Wait until the parent has updated the UID and GID mappings.\n"
"       See the comment in main(). We wait for end of file on a\n"
"       pipe that will be closed by the parent process once it has\n"
"       updated the mappings. */\n"
msgstr ""
"    /* Attendre que le parent ait mis à jour les mappages d'identifiants\n"
"       d'utilisateur et de groupe. Consultez le commentaire de main(). On\n"
"       attend le signal de fin de fichier dans le tube qui sera fermé par le\n"
"       processus parent lorsque les mappages seront mis à jour. */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    close(args-E<gt>pipe_fd[1]);    /* Close our descriptor for the write\n"
"                                   end of the pipe so that we see EOF\n"
"                                   when parent closes its descriptor. */\n"
"    if (read(args-E<gt>pipe_fd[0], &ch, 1) != 0) {\n"
"        fprintf(stderr,\n"
"                \"Failure in child: read from pipe returned != 0\\en\");\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""
"   close(args-E<gt>pipe_fd[1]);    /* Fermer notre descripteur à la fin\n"
"                                   d’écriture du tube afin de présenter EOF\n"
"                                   lorsque le parent ferme son descripteur */\n"
"    if (read(args-E<gt>pipe_fd[0], &ch, 1) != 0) {\n"
"        fprintf(stderr,\n"
"                \"Échec dans l’enfant : donnée renvoyée par le tube != 0\\en\");\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    close(args-E<gt>pipe_fd[0]);\n"
msgstr "    close(args-E<gt>pipe_fd[0]);\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Execute a shell command. */\n"
msgstr "    /* Lancer une commande de shell */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    printf(\"About to exec %s\\en\", args-E<gt>argv[0]);\n"
"    execvp(args-E<gt>argv[0], args-E<gt>argv);\n"
"    err(EXIT_FAILURE, \"execvp\");\n"
"}\n"
msgstr ""
"    printf(\"About to exec %s\\en\", args-E<gt>argv[0]);\n"
"    execvp(args-E<gt>argv[0], args-E<gt>argv);\n"
"    err(EXIT_FAILURE, \"execvp\");\n"
"}\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "#define STACK_SIZE (1024 * 1024)\n"
msgstr "#define STACK_SIZE (1024 * 1024)\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "static char child_stack[STACK_SIZE];    /* Space for child\\[aq]s stack */\n"
msgstr "static char child_stack[STACK_SIZE];    /* Espace pour la pile de l’enfant */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"    int flags, opt, map_zero;\n"
"    pid_t child_pid;\n"
"    struct child_args args;\n"
"    char *uid_map, *gid_map;\n"
"    const int MAP_BUF_SIZE = 100;\n"
"    char map_buf[MAP_BUF_SIZE];\n"
"    char map_path[PATH_MAX];\n"
msgstr ""
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"    int flags, opt, map_zero;\n"
"    pid_t child_pid;\n"
"    struct child_args args;\n"
"    char *uid_map, *gid_map;\n"
"    const int MAP_BUF_SIZE = 100;\n"
"    char map_buf[MAP_BUF_SIZE];\n"
"    char map_path[PATH_MAX];\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Parse command-line options. The initial \\[aq]+\\[aq] character in\n"
"       the final getopt() argument prevents GNU-style permutation\n"
"       of command-line options. That\\[aq]s useful, since sometimes\n"
"       the \\[aq]command\\[aq] to be executed by this program itself\n"
"       has command-line options. We don\\[aq]t want getopt() to treat\n"
"       those as options to this program. */\n"
msgstr ""
"    /* Analyser les options de la ligne de commande. Le caractère\n"
"       « + » initial de l'argument final de getopt() empêche la\n"
"       permutation des options de la ligne de commande de style\n"
"       GNU. Cela peut être utile dans les cas où la « commande »\n"
"       exécutée par le programme lui-même a des options de ligne de\n"
"       commande. Cela évite que getopt() ne traite ces options comme\n"
"       étant celles du programme */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    flags = 0;\n"
"    verbose = 0;\n"
"    gid_map = NULL;\n"
"    uid_map = NULL;\n"
"    map_zero = 0;\n"
"    while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n"
"        switch (opt) {\n"
"        case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC;        break;\n"
"        case \\[aq]m\\[aq]: flags |= CLONE_NEWNS;         break;\n"
"        case \\[aq]n\\[aq]: flags |= CLONE_NEWNET;        break;\n"
"        case \\[aq]p\\[aq]: flags |= CLONE_NEWPID;        break;\n"
"        case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS;        break;\n"
"        case \\[aq]v\\[aq]: verbose = 1;                  break;\n"
"        case \\[aq]z\\[aq]: map_zero = 1;                 break;\n"
"        case \\[aq]M\\[aq]: uid_map = optarg;             break;\n"
"        case \\[aq]G\\[aq]: gid_map = optarg;             break;\n"
"        case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER;       break;\n"
"        default:  usage(argv[0]);\n"
"        }\n"
"    }\n"
msgstr ""
"    flags = 0;\n"
"    verbose = 0;\n"
"    gid_map = NULL;\n"
"    uid_map = NULL;\n"
"    map_zero = 0;\n"
"    while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n"
"        switch (opt) {\n"
"        case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC;        break;\n"
"        case \\[aq]m\\[aq]: flags |= CLONE_NEWNS;         break;\n"
"        case \\[aq]n\\[aq]: flags |= CLONE_NEWNET;        break;\n"
"        case \\[aq]p\\[aq]: flags |= CLONE_NEWPID;        break;\n"
"        case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS;        break;\n"
"        case \\[aq]v\\[aq]: verbose = 1;                  break;\n"
"        case \\[aq]z\\[aq]: map_zero = 1;                 break;\n"
"        case \\[aq]M\\[aq]: uid_map = optarg;             break;\n"
"        case \\[aq]G\\[aq]: gid_map = optarg;             break;\n"
"        case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER;       break;\n"
"        default:  usage(argv[0]);\n"
"        }\n"
"    }\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* -M or -G without -U is nonsensical */\n"
msgstr "    /* -M ou -G sans -U est incohérent */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n"
"                !(flags & CLONE_NEWUSER)) ||\n"
"            (map_zero && (uid_map != NULL || gid_map != NULL)))\n"
"        usage(argv[0]);\n"
msgstr ""
"    if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n"
"                !(flags & CLONE_NEWUSER)) ||\n"
"            (map_zero && (uid_map != NULL || gid_map != NULL)))\n"
"        usage(argv[0]);\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    args.argv = &argv[optind];\n"
msgstr "    args.argv = &argv[optind];\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* We use a pipe to synchronize the parent and child, in order to\n"
"       ensure that the parent sets the UID and GID maps before the child\n"
"       calls execve(). This ensures that the child maintains its\n"
"       capabilities during the execve() in the common case where we\n"
"       want to map the child\\[aq]s effective user ID to 0 in the new user\n"
"       namespace. Without this synchronization, the child would lose\n"
"       its capabilities if it performed an execve() with nonzero\n"
"       user IDs (see the capabilities(7) man page for details of the\n"
"       transformation of a process\\[aq]s capabilities during execve()). */\n"
msgstr ""
"    /* L'utilisation d'un tube pour réaliser la synchronisation du parent et\n"
"       de l’enfant a pour but d'obliger le parent à définir les mappages\n"
"       d'identifiants utilisateur et groupe avant que l’enfant n'appelle\n"
"       execve(). Cela permet d'assurer que l’enfant conserve ses capacités \n"
"       pendant l'exécution de execve() dans le cas classique où l'on souhaite\n"
"       mapper l’identifiant utilisateur effectif de l’enfant avec 0 dans le\n"
"       nouvel espace de noms utilisateur. Sans cette synchronisation, l’enfant\n"
"       perdrait ses capacités s'il effectuait execve() avec un identifiant\n"
"       utilisateur autre que 0 (consultez la page du manuel consacrée\n"
"       à capabilities(7) pour plus de détails sur la modification des capacités\n"
"       d'un processus lors de l'exécution de execve()). */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (pipe(args.pipe_fd) == -1)\n"
"        err(EXIT_FAILURE, \"pipe\");\n"
msgstr ""
"    if (pipe(args.pipe_fd) == -1)\n"
"        err(EXIT_FAILURE, \"pipe\");\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Create the child in new namespace(s). */\n"
msgstr "    /* Création de l’enfant dans le ou les nouveaux espaces de noms. */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    child_pid = clone(childFunc, child_stack + STACK_SIZE,\n"
"                      flags | SIGCHLD, &args);\n"
"    if (child_pid == -1)\n"
"        err(EXIT_FAILURE, \"clone\");\n"
msgstr ""
"    child_pid = clone(childFunc, child_stack + STACK_SIZE,\n"
"                      flags | SIGCHLD, &args);\n"
"    if (child_pid == -1)\n"
"        err(EXIT_FAILURE, \"clone\");\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Parent falls through to here. */\n"
msgstr "    /* Le parent se retrouve ici. */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (verbose)\n"
"        printf(\"%s: PID of child created by clone() is %jd\\en\",\n"
"                argv[0], (intmax_t) child_pid);\n"
msgstr ""
"    if (verbose)\n"
"        printf(\"%s: le PID de l’enfant créé par clone() est %jd\\en\",\n"
"                argv[0], (intmax_t) child_pid);\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Update the UID and GID maps in the child. */\n"
msgstr "    /* Mise à jour des mappages de l'UID et du PID pour l’enfant. */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (uid_map != NULL || map_zero) {\n"
"        snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n"
"                (intmax_t) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n"
"                    (intmax_t) getuid());\n"
"            uid_map = map_buf;\n"
"        }\n"
"        update_map(uid_map, map_path);\n"
"    }\n"
msgstr ""
"    if (uid_map != NULL || map_zero) {\n"
"        snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n"
"                (intmax_t) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n"
"                    (intmax_t) getuid());\n"
"            uid_map = map_buf;\n"
"        }\n"
"        update_map(uid_map, map_path);\n"
"    }\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (gid_map != NULL || map_zero) {\n"
"        proc_setgroups_write(child_pid, \"deny\");\n"
msgstr ""
"    if (gid_map != NULL || map_zero) {\n"
"        proc_setgroups_write(child_pid, \"deny\");\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n"
"                (intmax_t) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n"
"                    (intmax_t) getgid());\n"
"            gid_map = map_buf;\n"
"        }\n"
"        update_map(gid_map, map_path);\n"
"    }\n"
msgstr ""
"        snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n"
"                (intmax_t) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n"
"                    (intmax_t) getgid());\n"
"            gid_map = map_buf;\n"
"        }\n"
"        update_map(gid_map, map_path);\n"
"    }\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Close the write end of the pipe, to signal to the child that we\n"
"       have updated the UID and GID maps. */\n"
msgstr ""
"    /* Fermer le côté écriture du tube afin d'indiquer à l’enfant\n"
"       que les mappages d'UID et de GID ont été mis à jour */\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    close(args.pipe_fd[1]);\n"
msgstr "    close(args.pipe_fd[1]);\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (waitpid(child_pid, NULL, 0) == -1)      /* Wait for child */\n"
"        err(EXIT_FAILURE, \"waitpid\");\n"
msgstr ""
"    if (waitpid(child_pid, NULL, 0) == -1)      /* Attente de l’enfant */\n"
"        err(EXIT_FAILURE, \"waitpid\");\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (verbose)\n"
"        printf(\"%s: terminating\\en\", argv[0]);\n"
msgstr ""
"    if (verbose)\n"
"        printf(\"%s: fin d'exécution\\en\", argv[0]);\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    exit(EXIT_SUCCESS);\n"
"}\n"
msgstr ""
"    exit(EXIT_SUCCESS);\n"
"}\n"

#. type: TH
#: debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "2023-05-03"
msgstr "3 mai 2023"

#. type: TH
#: debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "Linux man-pages 6.05.01"
msgstr "Pages du manuel de Linux 6.05.01"

#. type: TH
#: opensuse-leap-15-6
#, no-wrap
msgid "2023-04-01"
msgstr "1 avril 2023"

#. type: TH
#: opensuse-leap-15-6
#, no-wrap
msgid "Linux man-pages 6.04"
msgstr "Pages du manuel de Linux 6.04"