# Russian translation of manpages # This file is distributed under the same license as the manpages-l10n package. # Copyright © of this file: # Azamat Hackimov , 2013, 2016. # Dmitriy Ovchinnikov , 2012. # Dmitry Bolkhovskikh , 2017. # Katrin Kutepova , 2018. # Yuri Kozlov , 2011-2019. # Иван Павлов , 2017. msgid "" msgstr "" "Project-Id-Version: manpages-l10n\n" "POT-Creation-Date: 2024-03-01 17:13+0100\n" "PO-Revision-Date: 2019-10-15 18:59+0300\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" "Language: ru\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=4; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && " "n%10<=4 && (n%100<12 || n%100>14) ? 1 : n%10==0 || (n%10>=5 && n%10<=9) || " "(n%100>=11 && n%100<=14)? 2 : 3);\n" "X-Generator: Lokalize 2.0\n" #. type: TH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy, no-wrap #| msgid "See B(7)." msgid "user_namespaces" msgstr "См. B(7)." #. type: TH #: archlinux fedora-40 fedora-rawhide mageia-cauldron #, no-wrap msgid "2023-10-31" msgstr "31 октября 2023 г." #. type: TH #: archlinux fedora-40 fedora-rawhide mageia-cauldron #, no-wrap msgid "Linux man-pages 6.06" msgstr "Linux man-pages 6.06" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "NAME" msgstr "ИМЯ" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "user_namespaces - overview of Linux user namespaces" msgstr "user_namespaces - обзор пользовательских пространств имён Linux" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "DESCRIPTION" msgstr "ОПИСАНИЕ" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "For an overview of namespaces, see B(7)." msgstr "Обзор пространств имён смотрите в B(7)." #. FIXME: This page says very little about the interaction #. of user namespaces and keys. Add something on this topic. #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "User namespaces isolate security-related identifiers and attributes, in " "particular, user IDs and group IDs (see B(7)), the root " "directory, keys (see B(7)), and capabilities (see " "B(7)). A process's user and group IDs can be different inside " "and outside a user namespace. In particular, a process can have a normal " "unprivileged user ID outside a user namespace while at the same time having " "a user ID of 0 inside the namespace; in other words, the process has full " "privileges for operations inside the user namespace, but is unprivileged for " "operations outside the namespace." msgstr "" "Пользовательские пространства имён изолируют идентификаторы и атрибуты " "безопасности, в частности ID пользователя и ID группы (смотрите " "B(7)), корневой каталог, ключи (смотрите B(7)) и " "мандаты (смотрите B(7)). Идентификаторы пользователя и группы " "процесса могут отличаться внутри и снаружи пользовательского пространства " "имён. В частности, процесс может иметь обычный бесправный пользовательский " "ID снаружи и ID равный 0 внутри пространства имён; другими словами, процесс " "имеет доступ ко всем операциям внутри пользовательского пространства имён, " "но не имеет доступа к привилегированным операциям вне пространства имён." #. 
type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Nested namespaces, namespace membership" msgstr "Вложенные пространства имён, членство в пространствах имён" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "User namespaces can be nested; that is, each user namespace\\(emexcept " #| "the initial (\"root\") namespace\\(emhas a parent user namespace, and " #| "can have zero or more child user namespaces. The parent user namespace " #| "is the user namespace of the process that creates the user namespace via " #| "a call to B(2) or B(2) with the B flag." msgid "" "User namespaces can be nested; that is, each user namespace\\[em]except the " "initial (\"root\") namespace\\[em]has a parent user namespace, and can have " "zero or more child user namespaces. The parent user namespace is the user " "namespace of the process that creates the user namespace via a call to " "B(2) or B(2) with the B flag." msgstr "" "Пользовательские пространства имён могут быть вложенными, то есть каждое " "пользовательское пространство имён — за исключением начального («корневого») — " "имеет родительское пользовательское пространство имён и может иметь ноль или " "более дочерних пользовательских пространств имён. Родительское " "пользовательское пространство имён — это пользовательское пространство имён " "того процесса, который создаёт новое пользовательское пространство имён с " "помощью вызова B(2) или B(2) с флагом B." #. commit 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 #. FIXME Explain the rationale for this limit. (What is the rationale?) #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "The kernel imposes (since version 3.11) a limit of 32 nested levels of " #| "user namespaces. 
Calls to B(2) or B(2) that would " #| "cause this limit to be exceeded fail with the error B." msgid "" "The kernel imposes (since Linux 3.11) a limit of 32 nested levels of user " "namespaces. Calls to B(2) or B(2) that would cause this " "limit to be exceeded fail with the error B." msgstr "" "Ядро ограничивает (начиная с версии 3.11) глубину вложенности " "пользовательских пространств имён 32 уровнями. Вызовы B(2) или " "B(2), которые бы превысили это ограничение, завершаются с ошибкой " "B." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Each process is a member of exactly one user namespace. A process created " "via B(2) or B(2) without the B flag is a " "member of the same user namespace as its parent. A single-threaded process " "can join another user namespace with B(2) if it has the " "B in that namespace; upon doing so, it gains a full set of " "capabilities in that namespace." msgstr "" "Каждый процесс является членом только одного пользовательского пространства " "имён. Процесс, созданный с помощью B(2) или B(2) без флага " "B, является членом того же пользовательского пространства " "имён что и его родитель. Однонитевой процесс может перейти в другое " "пользовательское пространство имён с помощью B(2), если в этом " "пространстве у него есть мандат B; после перехода он получает " "полный набор мандатов в этом пространстве имён." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A call to B(2) or B(2) with the B flag " "makes the new child process (for B(2)) or the caller (for " "B(2)) a member of the new user namespace created by the call." msgstr "" "Вызов B(2) или B(2) с флагом B делает новый " "дочерний (для B(2)) или вызвавший (для B(2)) процесс членом " "нового пользовательского пространства имён, создаваемого вызовом." #. 
#-#-#-#-# archlinux: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# debian-bookworm: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. ============================================================ #. type: Plain text #. #-#-#-#-# debian-unstable: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# fedora-40: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# fedora-rawhide: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# mageia-cauldron: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# opensuse-leap-15-6: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# opensuse-tumbleweed: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The B B(2) operation can be used to discover the " "parental relationship between user namespaces; see B(2)." msgstr "" "Операцию B B(2) можно использовать для обнаружения " "родительской связи между пространствами имён пользователя; смотрите " "B(2)." # #. ============================================================ #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A task that changes one of its effective IDs will have its dumpability reset " "to the value in I. This may affect the " "ownership of proc files of child processes and may thus cause the parent to " "lack the permissions to write to mapping files of child processes running in " "a new user namespace. In such cases making the parent process dumpable, " "using B in a call to B(2), before creating a child " "process in a new user namespace may rectify this problem. See B(2) " "and B(5) for details on how ownership is affected." msgstr "" #. 
type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Capabilities" msgstr "Мандаты" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The child process created by B(2) with the B flag " "starts out with a complete set of capabilities in the new user namespace. " "Likewise, a process that creates a new user namespace using B(2) " "or joins an existing user namespace using B(2) gains a full set of " "capabilities in that namespace. On the other hand, that process has no " "capabilities in the parent (in the case of B(2)) or previous (in the " "case of B(2) and B(2)) user namespace, even if the new " "namespace is created or joined by the root user (i.e., a process with user " "ID 0 in the root namespace)." msgstr "" "Дочерний процесс, созданный B(2) с флагом B, " "запускается в новом пользовательском пространстве имён с полным набором " "мандатов. Аналогично, процесс, создающий новое пользовательское пространство " "имён с помощью B(2) или переходящий в существующее пользовательское " "пространство имён с помощью B(2), получает полный набор мандатов в " "этом пространстве имён. С другой стороны, этот процесс не имеет мандатов в " "родительском (в случае B(2)) или предыдущем (в случае B(2) и " "B(2)) пользовательском пространстве имён, даже если новое " "пространство имён создано или переход осуществлялся суперпользователем (т. " "е., процесс с ID пользователя 0 в корневом пространстве имён)." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that a call to B(2) will cause a process's capabilities to be " "recalculated in the usual way (see B(7)). 
Consequently, " "unless the process has a user ID of 0 within the namespace, or the " "executable file has a nonempty inheritable capabilities mask, the process " "will lose all capabilities. See the discussion of user and group ID " "mappings, below." msgstr "" "Заметим, что вызов B(2) приводит к пересчёту мандатов процесса " "обычным порядком (смотрите B(7)). Следовательно, если ID " "пользователя процесса внутри пространства имён не равен 0 и исполняемый " "файл не имеет непустой маски наследуемых мандатов, то процесс теряет все " "мандаты. Смотрите описание отображения пользовательских и групповых ID далее." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "A call to B(2), B(2), or B(2) using the " #| "B flag sets the \"securebits\" flags (see " #| "B(7)) to their default values (all flags disabled) in the " #| "child (for B(2)) or caller (for B(2), or B(2)). " #| "Note that because the caller no longer has capabilities in its original " #| "user namespace after a call to B(2), it is not possible for a " #| "process to reset its \"securebits\" flags while retaining its user " #| "namespace membership by using a pair of B(2) calls to move to " #| "another user namespace and then return to its original user namespace." msgid "" "A call to B(2) or B(2) using the B flag or " "a call to B(2) that moves the caller into another user namespace " "sets the \"securebits\" flags (see B(7)) to their default " "values (all flags disabled) in the child (for B(2)) or caller (for " "B(2) or B(2)). Note that because the caller no longer has " "capabilities in its original user namespace after a call to B(2), it " "is not possible for a process to reset its \"securebits\" flags while " "retaining its user namespace membership by using a pair of B(2) " "calls to move to another user namespace and then return to its original user " "namespace." 
msgstr "" "Вызов B(2) или B(2) с флагом B, а также вызов B(2), " "перемещающий вызывающего в другое пользовательское пространство имён, " "устанавливает флаги «securebits» (смотрите B(7)) в их значения " "по умолчанию (все флаги сброшены) в потомке (для B(2)) или вызывающем " "(для B(2) или B(2)). Заметим, что поскольку после вызова B(2) " "вызывающий больше не имеет мандатов в своём первоначальном пользовательском " "пространстве имён, процесс не может сбросить свои флаги «securebits», " "сохранив при этом членство в своём пользовательском пространстве имён, с " "помощью пары вызовов B(2) — перехода в другое пользовательское " "пространство имён и последующего возврата в первоначальное пользовательское " "пространство имён." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The rules for determining whether or not a process has a capability in a " "particular user namespace are as follows:" msgstr "" "Правила определения наличия мандата у процесса в определённом " "пользовательском пространстве имён следующие:" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "\\[bu]" msgstr "\\[bu]" #. In the 3.8 sources, see security/commoncap.c::cap_capable(): #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A process has a capability inside a user namespace if it is a member of that " "namespace and it has the capability in its effective capability set. A " "process can gain capabilities in its effective capability set in various " "ways. For example, it may execute a set-user-ID program or an executable " "with associated file capabilities. In addition, a process may gain " "capabilities via the effect of B(2), B(2), or B(2), " "as already described." 
msgstr "" "Процесс имеет мандат внутри пользовательского пространства имён, если он " "является членом этого пространства имён и имеет мандат в своём наборе " "эффективных мандатов. Процесс может получить мандаты в своём наборе " "эффективных мандатов различными способами. Например, он может запустить " "программу с битом set-user-ID или исполняемый файл, имеющий мандаты файла. " "Также процесс может получить мандаты при выполнении B(2), " "B(2) или B(2), как описывалось ранее." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If a process has a capability in a user namespace, then it has that " "capability in all child (and further removed descendant) namespaces as well." msgstr "" "Если процесс имеет мандат в пользовательском пространстве имён, то он также " "имеет этот мандат во всех дочерних (и более дальних) пространствах " "имён-потомках." #. * The owner of the user namespace in the parent of the #. * user namespace has all caps. #. (and likewise associates the effective group ID of the creating process #. with the namespace). #. See kernel commit 520d9eabce18edfef76a60b7b839d54facafe1f9 for a fix #. on this point #. This includes the case where the process executes a set-user-ID #. program that confers the effective UID of the creator of the namespace. #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a user namespace is created, the kernel records the effective user ID " "of the creating process as being the \"owner\" of the namespace. A process " "that resides in the parent of the user namespace and whose effective user ID " "matches the owner of the namespace has all capabilities in the namespace. 
" "By virtue of the previous rule, this means that the process has all " "capabilities in all further removed descendant user namespaces as well. The " "B B(2) operation can be used to discover the user " "ID of the owner of the namespace; see B(2)." msgstr "" "При создании пользовательского пространства имён ядро записывает эффективный " "пользовательский ID создающего процесса как «владельца» пространства имён. " "Процесс, располагающийся в родительском пространстве имён пользовательского " "пространства имён и чей эффективный пользовательский ID совпадает с " "владельцем пространства имён, имеет все мандаты в пространстве имён. " "Предыдущее правило означает, что у процесса также есть все мандаты во всех в " "последствии удалённых потомках пользовательских пространств имён. Для " "обнаружения идентификатора пользователя-владельца пространства имён можно " "использовать операцию B вызова B(2); смотрите " "B(2)." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Effect of capabilities within a user namespace" msgstr "Влияние мандатов внутри пространства имён пользователя" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Having a capability inside a user namespace permits a process to perform " "operations (that require privilege) only on resources governed by that " "namespace. In other words, having a capability in a user namespace permits " "a process to perform privileged operations on resources that are governed by " "(nonuser) namespaces owned by (associated with) the user namespace (see the " "next subsection)." msgstr "" "Наличие мандата внутри пространства имён пользователя разрешает процессу " "выполнять операции (требующие привилегий) с ресурсами, управляемыми только " "этим пространством имён. 
Иначе говоря, наличие мандата в пользовательском " "пространстве имён разрешает процессу выполнять привилегированные операции с " "ресурсами, которые управляются (не пользовательскими) пространствами имён, " "принадлежащими (связанными с) пространству имён пользователя (смотрите " "следующий подраздел)." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "On the other hand, there are many privileged operations that affect " #| "resources that are not associated with any namespace type, for example, " #| "changing the system time (governed by B), loading a kernel " #| "module (governed by B), and creating a device (governed " #| "by B). Only a process with privileges in the I user " #| "namespace can perform such operations." msgid "" "On the other hand, there are many privileged operations that affect " "resources that are not associated with any namespace type, for example, " "changing the system (i.e., calendar) time (governed by B), " "loading a kernel module (governed by B), and creating a " "device (governed by B). Only a process with privileges in the " "I user namespace can perform such operations." msgstr "" "С другой стороны, существует много привилегированных операций, которые " "влияют на ресурсы не связанные с каким-либо типом пространства имён, " "например, изменение системного времени (регулируется B), " "загрузка модуля ядра (регулируется B) и создание устройства " "(регулируется B). Такие операции может выполнять только процесс с " "привилегиями в I<начальном> пользовательском пространстве имён." #. fs_flags = FS_USERNS_MOUNT in kernel sources #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Holding B within the user namespace that owns a process's " "mount namespace allows that process to create bind mounts and mount the " "following types of filesystems:" msgstr "" "Наличие B внутри пользовательского пространства имён, " "которому принадлежит пространство имён монтирования процесса, позволяет этому " "процессу создавать привязки монтирования и монтировать следующие типы " "файловых систем:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 3.8)" msgstr "I (начиная с Linux 3.8)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 3.8)" msgstr "I (начиная с Linux 3.8)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 3.9)" msgstr "I (начиная с Linux 3.9)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "B(5) (since Linux 3.9)" msgstr "B(5) (начиная с Linux 3.9)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 3.9)" msgstr "I (начиная с Linux 3.9)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 3.9)" msgstr "I (начиная с Linux 3.9)" #. commit b2197755b2633e164a439682fb05a9b5ea48f706 #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 4.4)" msgstr "I (начиная с Linux 4.4)" #. commit 92dbc9dedccb9759c7f9f2f0ae6242396376988f #. commit 4cb2c00c43b3fe88b32f29df4f76da1b92c33224 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 5.11)" msgstr "I (начиная с Linux 5.11)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Holding B within the user namespace that owns a process's " "cgroup namespace allows (since Linux 4.6) that process to the mount the " "cgroup version 2 filesystem and cgroup version 1 named hierarchies (i.e., " "cgroup filesystems mounted with the I<\"none,name=\"> option)." msgstr "" "Наличие B внутри пользовательского пространства имён, " "которому принадлежит пространство имён cgroup процесса, позволяет (начиная с " "Linux 4.6) этому процессу монтировать файловую систему cgroup версии 2 и " "именованные иерархии cgroup версии 1 (т. е., файловые системы cgroup, " "монтируемые с параметром I<\"none,name=\">)." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Holding B within the user namespace that owns a process's PID " "namespace allows (since Linux 3.8) that process to mount I " "filesystems." msgstr "" "Наличие B внутри пользовательского пространства имён, " "которому принадлежит пространство имён PID процесса, позволяет (начиная с " "Linux 3.8) этому процессу монтировать файловые системы I." #. ============================================================ #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note, however, that mounting block-based filesystems can be done only by a " "process that holds B in the initial user namespace." msgstr "" "Однако заметим, что монтирование блочных файловых систем может производиться " "только процессом, имеющим B в начальном пространстве имён " "пользователя." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Interaction of user namespaces and other types of namespaces" msgstr "Взаимодействие между пользовательскими и другими типами пространств имён" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Starting in Linux 3.8, unprivileged processes can create user namespaces, " "and the other types of namespaces can be created with just the " "B capability in the caller's user namespace." msgstr "" "Начиная с Linux 3.8, непривилегированные процессы могут создавать " "пользовательские пространства имён, а для создания пространств имён других " "типов достаточно мандата B в пользовательском пространстве имён " "вызывающего." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a nonuser namespace is created, it is owned by the user namespace in " "which the creating process was a member at the time of the creation of the " "namespace. Privileged operations on resources governed by the nonuser " "namespace require that the process has the necessary capabilities in the " "user namespace that owns the nonuser namespace." 
msgstr "" "После создания не пользовательского пространства имён оно принадлежит " "пользовательскому пространству имён, в котором на момент создания " "пространства имён создающий процесс являлся членом. Для привилегированных " "операций над ресурсами, управляемыми не пользовательским пространством имён, " "от процесса требуется иметь мандаты в пользовательском пространстве имён, " "которому принадлежит не пользовательское пространство имён." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If B is specified along with other B flags in a " "single B(2) or B(2) call, the user namespace is guaranteed " "to be created first, giving the child (B(2)) or caller " "(B(2)) privileges over the remaining namespaces created by the " "call. Thus, it is possible for an unprivileged caller to specify this " "combination of flags." msgstr "" "Если вместе с флагами B указан флаг B в вызове " "B(2) или B(2), то пользовательское пространство имён " "гарантированно создаётся первым, давая потомку (B(2)) или вызывающему " "(B(2)) права на остальные пространства имён, создаваемые вызовом. " "Даже бесправный вызывающий может задать такую комбинацию флагов." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a new namespace (other than a user namespace) is created via " "B(2) or B(2), the kernel records the user namespace of the " "creating process as the owner of the new namespace. (This association can't " "be changed.) When a process in the new namespace subsequently performs " "privileged operations that operate on global resources isolated by the " "namespace, the permission checks are performed according to the process's " "capabilities in the user namespace that the kernel associated with the new " "namespace. 
For example, suppose that a process attempts to change the " "hostname (B(2)), a resource governed by the UTS namespace. In " "this case, the kernel will determine which user namespace owns the process's " "UTS namespace, and check whether the process has the required capability " "(B) in that user namespace." msgstr "" "При создании нового пространства имён (не пользовательского пространства " "имён) посредством B(2) или B(2), ядро записывает " "пользовательское пространство имён создающего процесса как владельца нового " "пространства имён (эту связь нельзя изменить). Когда процесс в новом " "пространстве имён в дальнейшем выполняет привилегированные операции, которые " "работают с глобальными ресурсами, изолированными пространством имён, " "выполняется проверка прав согласно мандатам процесса в пользовательском " "пространстве имён, которое ядро связало с новым пространством имён. " "Например, предположим, что процесс пытается изменить имя узла " "(B(2)) — ресурс, управляемый пространством имён UTS. В этом " "случае ядро определит, какому пользовательскому пространству имён принадлежит " "пространство имён UTS процесса, и проверит, имеет ли процесс необходимый " "мандат (B) в этом пользовательском пространстве имён." #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The B B(2) operation can be used to discover the user " "namespace that owns a nonuser namespace; see B(2)." msgstr "" "Операцию B B(2) можно использовать для обнаружения " "пространства имён пользователя, которое владеет не пользовательским " "пространством имён; смотрите B(2)." #. 
type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "User and group ID mappings: uid_map and gid_map" msgstr "Отображение идентификаторов пользователей и групп: uid_map и gid_map" #. commit 22d917d80e842829d0ca0a561967d728eb1d6303 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a user namespace is created, it starts out without a mapping of user " "IDs (group IDs) to the parent user namespace. The IpidI " "and IpidI files (available since Linux 3.5) expose the " "mappings for user and group IDs inside the user namespace for the process " "I. These files can be read to view the mappings in a user namespace " "and written to (once) to define the mappings." msgstr "" "В новом созданном пользовательском пространстве имён отсутствует отображение " "пользовательских ID (ID групп) в родительское пользовательское пространство. " "Файл IpidI и IpidI (доступны начиная с " "Linux 3.5) предоставляют отображения пользовательских и групповых ID внутри " "пользовательского пространства имён для процесса I. Эти файлы можно " "читать для просмотра отображений в пользовательском пространстве имён и " "писать (однократно) для определения отображений." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The description in the following paragraphs explains the details for " "I; I is exactly the same, but each instance of \"user ID\" " "is replaced by \"group ID\"." msgstr "" "В следующих параграфах объясняется формат I; I имеет тот " "же формат, но каждый экземпляр «ID пользователя» заменяется на «ID группы»." #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The I file exposes the mapping of user IDs from the user namespace " "of the process I to the user namespace of the process that opened " "I (but see a qualification to this point below). In other words, " "processes that are in different user namespaces will potentially see " "different values when reading from a particular I file, depending " "on the user ID mappings for the user namespaces of the reading processes." msgstr "" "Файл I предоставляет отображение пользовательских ID из " "пользовательского пространства имён процесса I в пользовательское " "пространство имён процесса, который открыл I (но смотрите уточнение " "далее). Другими словами, процессы, которые находятся в разных " "пользовательских пространствах имён, возможно будут видеть разные значения " "при чтении соответствующего файла I, в зависимости от отображений " "пользовательских ID у пользовательских пространств имён читающего процесса." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Each line in the I file specifies a 1-to-1 mapping of a range of " "contiguous user IDs between two user namespaces. (When a user namespace is " "first created, this file is empty.) The specification in each line takes " "the form of three numbers delimited by white space. The first two numbers " "specify the starting user ID in each of the two user namespaces. The third " "number specifies the length of the mapped range. In detail, the fields are " "interpreted as follows:" msgstr "" "Каждая строка в файле I определяет отображение 1-в-1 непрерывного " "диапазона пользовательских ID между двумя пользовательскими пространствами " "имён (при создании пользовательского пространства имён этот файл пуст). В " "каждой строке содержится три числа через пробел. 
Первые два числа определяют " "начальный пользовательский ID в каждом из двух пользовательских пространств " "имён. Третье число определяет длину отображаемого диапазона. Эти поля " "рассматриваются так:" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "(1)" msgstr "(1)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The start of the range of user IDs in the user namespace of the process " "I." msgstr "" "Начало диапазона пользовательских ID в пользовательском пространстве имён " "процесса I." #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "(2)" msgstr "(2)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The start of the range of user IDs to which the user IDs specified by field " "one map. How field two is interpreted depends on whether the process that " "opened I and the process I are in the same user namespace, as " "follows:" msgstr "" "Начало диапазона пользовательских ID, на который отображаются " "пользовательские ID, указанные в первом поле. Интерпретация второго поля " "зависит от того, находится ли процесс, открывший I, и процесс " "I, в одном пользовательском пространстве имён:" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "(a)" msgstr "(а)" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If the two processes are in different user namespaces: field two is the " "start of a range of user IDs in the user namespace of the process that " "opened I." msgstr "" "Если два процесса находятся в разных пользовательских пространствах имён: " "поле два — начало диапазона пользовательских ID в пользовательском " "пространстве имён процесса, который открыл I." #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "(b)" msgstr "(б)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If the two processes are in the same user namespace: field two is the start " "of the range of user IDs in the parent user namespace of the process " "I. This case enables the opener of I (the common case here is " "opening I) to see the mapping of user IDs into the user " "namespace of the process that created this user namespace." msgstr "" "Если два процесса находятся в одном пользовательском пространстве имён: поле " "два — начало диапазона пользовательских ID в родительском пользовательском " "пространстве имён процесса I. Это позволяет открывшему I " "(обычно открывают I) видеть отображение пользовательских " "ID в пользовательском пространстве имён процесса, создавшего это " "пользовательское пространство имён." #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "(3)" msgstr "(3)" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The length of the range of user IDs that is mapped between the two user " "namespaces." msgstr "" "Длина диапазона пользовательских ID, выполняющего отображение между двумя " "пользовательскими пространствами имён." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "System calls that return user IDs (group IDs)\\(emfor example, " #| "B(2), B(2), and the credential fields in the structure " #| "returned by B(2)\\(emreturn the user ID (group ID) mapped into the " #| "caller's user namespace." msgid "" "System calls that return user IDs (group IDs)\\[em]for example, " "B(2), B(2), and the credential fields in the structure " "returned by B(2)\\[em]return the user ID (group ID) mapped into the " "caller's user namespace." msgstr "" "Системные вызовы, возвращающие пользовательские ID (ID групп), например, " "B(2), B(2), и мандатные поля в структуре, возвращаемой " "B(2), возвращают пользовательский ID (ID группы), отображённый в " "пользовательском пространстве имён вызывающего." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a process accesses a file, its user and group IDs are mapped into the " "initial user namespace for the purpose of permission checking and assigning " "IDs when creating a file. When a process retrieves file user and group IDs " "via B(2), the IDs are mapped in the opposite direction, to produce " "values relative to the process user and group ID mappings." msgstr "" "Когда процесс обращается к файлу, его ID пользователя и группы отображаются " "в начальном пользовательском пространстве имён с целью проверки прав доступа " "и назначенного ID при создании файла. 
Когда процесс получает ID пользователя " "и группы файла через B(2), то ID отображаются в обратном направлении, " "для создания значений, относительно отображений ID пользователя и группы " "процесса." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The initial user namespace has no parent namespace, but, for consistency, " "the kernel provides dummy user and group ID mapping files for this " "namespace. Looking at the I file (I is the same) from a " "shell in the initial namespace shows:" msgstr "" "Начальное пользовательское пространство имён не имеет родительского " "пространства имён, но для однородности, для него ядро предоставляет " "фиктивные файлы отображения ID пользователей и групп. Посмотрим на файл " "I (в I тоже самое) из оболочки в начальном пространстве " "имён:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "$ B\n" " 0 0 4294967295\n" msgstr "" "$ B\n" " 0 0 4294967295\n" #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This mapping tells us that the range starting at user ID 0 in this namespace " "maps to a range starting at 0 in the (nonexistent) parent namespace, and the " "length of the range is the largest 32-bit unsigned integer. This leaves " "4294967295 (the 32-bit signed -1 value) unmapped. This is deliberate: " "I<(uid_t)\\~-1> is used in several interfaces (e.g., B(2)) as a " "way to specify \"no user ID\". Leaving I<(uid_t)\\~-1> unmapped and " "unusable guarantees that there will be no confusion when using these " "interfaces." 
msgstr "" "Данное отображение показывает, что диапазон, начинающийся с пользовательского " "ID 0 в этом пространстве имён, отображается в диапазон, начинающийся с 0, в " "(несуществующем) родительском пространстве имён, и длина диапазона равна " "самому большому 32-битному беззнаковому целому. Значение 4294967295 (32-" "битное знаковое значение -1) оставлено без отображения. Это сделано намеренно: " "I<(uid_t)\\~-1> используется в некоторых интерфейсах (например, " "B(2)) для указания «отсутствия ID пользователя». Оставление " "I<(uid_t)\\~-1> без отображения и недоступным для использования гарантирует, " "что при использовании этих интерфейсов не возникнет путаницы." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Defining user and group ID mappings: writing to uid_map and gid_map" msgstr "Определение отображений идентификаторов пользователей и групп: запись в uid_map и gid_map" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "After the creation of a new user namespace, the I file of I of " "the processes in the namespace may be written to I to define the " "mapping of user IDs in the new user namespace. An attempt to write more " "than once to a I file in a user namespace fails with the error " "B. Similar rules apply for I files." msgstr "" "После создания нового пользовательского пространства имён в файл I " "I<один> из процессов в пространстве имён может выполнить I<однократную> " "запись для определения отображения пользовательских ID в новом " "пользовательском пространстве имён. Повторная попытка записи в файл " "I в пользовательском пространстве имён завершится с ошибкой " "B. Эти же правила применимы к файлам I." #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The lines written to I (I) must conform to the following " "validity rules:" msgstr "" "Записываемые в I (I) строки должны соответствовать " "следующим правилам корректности:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The three fields must be valid numbers, and the last field must be greater " "than 0." msgstr "" "В трёх полях должны быть корректные числа, и последнее поле должно быть " "больше 0." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Lines are terminated by newline characters." msgstr "Строки заканчиваются символами новой строки." #. 5*12-byte records could fit in a 64B cache line #. commit 6397fac4915ab3002dc15aae751455da1a852f25 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "There is a limit on the number of lines in the file. In Linux 4.14 and " "earlier, this limit was (arbitrarily) set at 5 lines. Since Linux 4.15, " "the limit is 340 lines. In addition, the number of bytes written to the " "file must be less than the system page size, and the write must be performed " "at the start of the file (i.e., B(2) and B(2) can't be used " "to write to nonzero offsets in the file)." msgstr "" "Существует ограничение на количество строк в файле. В Linux 4.14 и старее " "оно установлено (произвольно) равным пяти строкам. Начиная с Linux 4.15 его " "значение равно 340 строкам. 
Также, количество байт, записываемых в файл, " "должно быть меньше размера системной страницы, и запись должна выполняться в " "начало файла (т. е., нельзя использовать B(2) и B(2) для " "записи в файл при ненулевом смещении)." #. commit 0bd14b4fd72afd5df41e9fd59f356740f22fceba #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The range of user IDs (group IDs) specified in each line cannot overlap " "with the ranges in any other lines. In the initial implementation (Linux " "3.8), this requirement was satisfied by a simplistic implementation that " "imposed the further requirement that the values in both field 1 and field 2 " "of successive lines must be in ascending numerical order, which prevented " "some otherwise valid maps from being created. Linux 3.9 and later fix this " "limitation, allowing any valid set of nonoverlapping maps." msgstr "" "Диапазон пользовательских ID (групповых ID), указанный в каждой строке, не " "должен перекрываться с диапазонами в других строках. В первой реализации " "(Linux 3.8) это требование удовлетворялось простейшим способом, который " "задавал другое требование: значения в полях 1 и 2 следующих одна за одной " "строк, должны увеличиваться, что не давало создавать некоторые корректные " "отображения. В Linux 3.9 и новее это ограничение было снято, и допустим " "любой набор не перекрывающихся отображений." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "At least one line must be written to the file." msgstr "В файл должна быть записана, как минимум, одна строка." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Writes that violate the above rules fail with the error B." 
msgstr "" "Попытки записи, нарушающие перечисленные выше правила, завершаются с ошибкой " "B." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In order for a process to write to the IpidI (IpidI) file, all of the following permission requirements must be " "met:" msgstr "" "Чтобы процесс мог записывать в файл IpidI (IpidI), должны быть выполнены все следующие требования к правам доступа:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The writing process must have the B (B) capability " "in the user namespace of the process I." msgstr "" "Записывающий процесс должен иметь мандат B (B) в " "пользовательском пространстве имён процесса I." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The writing process must either be in the user namespace of the process " "I or be in the parent user namespace of the process I." msgstr "" "Записывающий процесс должен находиться либо в пользовательском пространстве " "имён процесса I, либо в родительском пользовательском пространстве имён " "процесса I." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The mapped user IDs (group IDs) must in turn have a mapping in the parent " "user namespace." msgstr "" "Отображаемые пользовательские ID (групповые ID) должны, в свою очередь, иметь " "отображение в родительском пользовательском пространстве имён." #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If updating IpidI to create a mapping that maps UID 0 in " "the parent namespace, then one of the following must be true:" msgstr "" "Если запись в IpidI создаёт отображение, в которое входит UID 0 " "родительского пространства имён, то должно выполняться одно из следующих " "условий:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "if writing process is in the parent user namespace, then it must have the " "B capability in that user namespace; or" msgstr "" "если записывающий процесс находится в родительском пользовательском " "пространстве имён, то он должен иметь мандат B в этом пользовательском " "пространстве имён; или" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "if the writing process is in the child user namespace, then the process that " "created the user namespace must have had the B capability when " "the namespace was created." msgstr "" "если записывающий процесс находится в дочернем пользовательском " "пространстве имён, то процесс, создавший это пользовательское пространство " "имён, должен был иметь мандат B в момент его создания." #. commit db2e718a47984b9d71ed890eb2ea36ecf150de18 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This rule has been in place since Linux 5.12. It eliminates an earlier " "security bug whereby a UID 0 process that lacks the B " "capability, which is needed to create a binary with namespaced file " "capabilities (as described in B(7)), could nevertheless create " "such a binary, by the following steps:" msgstr "" "Это правило действует начиная с Linux 5.12. Оно устраняет существовавшую " "ранее ошибку безопасности, из-за которой процесс с UID 0, не имеющий мандата " "B (необходимого для создания исполняемого файла с файловыми мандатами, " "привязанными к пространству имён, как описано в B(7)), тем не менее " "мог создать такой файл, выполнив следующие шаги:" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Create a new user namespace with the identity mapping (i.e., UID 0 in the " "new user namespace maps to UID 0 in the parent namespace), so that UID 0 in " "both namespaces is equivalent to the same root user ID." msgstr "" "Создать новое пользовательское пространство имён с тождественным " "отображением (т. е. UID 0 в новом пользовательском пространстве имён " "отображается в UID 0 родительского пространства имён), так что UID 0 в обоих " "пространствах имён соответствует одному и тому же ID пользователя root." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Since the child process has the B capability, it could create a " "binary with namespaced file capabilities that would then be effective in the " "parent user namespace (because the root user IDs are the same in the two " "namespaces)." msgstr "" "Поскольку дочерний процесс имеет мандат B, он мог создать исполняемый " "файл с файловыми мандатами, привязанными к пространству имён, которые затем " "действовали бы в родительском пользовательском пространстве имён (так как ID " "пользователя root в обоих пространствах имён совпадают)." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "One of the following two cases applies:" msgstr "Применяется один из следующих двух случаев:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "I the writing process has the B (B) " "capability in the I user namespace." msgstr "" "I<Или> записывающий процесс имеет мандат B (B) в " "I<родительском> пользовательском пространстве имён." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "No further restrictions apply: the process can make mappings to arbitrary " "user IDs (group IDs) in the parent user namespace." msgstr "" "Других ограничений нет: процесс может создавать отображения в произвольные " "пользовательские ID (групповые ID) в родительском пользовательском " "пространстве имён." #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I otherwise all of the following restrictions apply:" msgstr "I<Или> в противном случае накладываются все следующие ограничения:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The data written to I (I) must consist of a single line " "that maps the writing process's effective user ID (group ID) in the parent " "user namespace to a user ID (group ID) in the user namespace." msgstr "" "Данные, записываемые в I (I), должны состоять из одной " "строки, которая отображает эффективный пользовательский ID (групповой ID) " "записывающего процесса в родительском пользовательском пространстве имён в " "пользовательский ID (групповой ID) в пользовательском пространстве имён." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The writing process must have the same effective user ID as the process that " "created the user namespace." msgstr "" "Записывающий процесс должен иметь тот же эффективный пользовательский ID, " "что и процесс, который создал пользовательское пространство имён." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In the case of I, use of the B(2) system call must " "first be denied by writing \\[dq]I\\[dq] to the IpidI file (see below) before writing to I." msgstr "" "В случае I перед записью в I сначала нужно запретить " "использование системного вызова B(2), записав \\[dq]I\\[dq] в " "файл IpidI (смотрите ниже)." #. 
============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Writes that violate the above rules fail with the error B." msgstr "" "Попытки записи, нарушающие перечисленные выше правила, завершаются с ошибкой " "B." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Project ID mappings: projid_map" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Similarly to user and group ID mappings, it is possible to create project ID " "mappings for a user namespace. (Project IDs are used for disk quotas; see " "B(8) and B(2).)" msgstr "" #. commit f76d207a66c3a53defea67e7d36c3eb1b7d6d61d #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Project ID mappings are defined by writing to the IpidI " "file (present since Linux 3.7)." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The validity rules for writing to the IpidI file are as " "for writing to the I file; violation of these rules causes " "B(2) to fail with the error B." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The permission rules for writing to the IpidI file are " "as follows:" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The mapped project IDs must in turn have a mapping in the parent user " "namespace." msgstr "" "Отображаемые ID проектов должны, в свою очередь, иметь отображение в " "родительском пользовательском пространстве имён." #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Violation of these rules causes B(2) to fail with the error B." msgstr "" "Нарушение этих правил приводит к завершению B(2) с ошибкой B." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Interaction with system calls that change process UIDs or GIDs" msgstr "Взаимодействие с системными вызовами, которые изменяют UID или GID процесса" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In a user namespace where the I file has not been written, the " "system calls that change user IDs will fail. Similarly, if the I " "file has not been written, the system calls that change group IDs will " "fail. After the I and I files have been written, only the " "mapped values may be used in system calls that change user and group IDs." msgstr "" "В пользовательском пространстве имён, в котором не выполнялась запись в файл " "I, системные вызовы, изменяющие ID пользователя, будут завершаться " "с ошибкой. 
Подобными образом, если не выполнялась запись в файл I, " "то системные вызовы, изменяющие ID группы, будут завершаться с ошибкой. " "После записи в файл I и I только отображённые значения " "могут использоваться в системных вызовах, изменяющих ID пользователя или " "группы." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "For user IDs, the relevant system calls include B(2), " "B(2), B(2), and B(2). For group IDs, the " "relevant system calls include B(2), B(2), B(2), " "B(2), and B(2)." msgstr "" "Для ID пользователя, это относится к следующим системным вызовам: " "B(2), B(2), B(2) и B(2). Для ID " "группы, это относится к следующим системным вызовам: B(2), " "B(2), B(2), B(2) и B(2)." #. Things changed in Linux 3.19 #. commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8 #. commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272 #. http://lwn.net/Articles/626665/ #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "Writing \"I\" to the I file before writing " #| "to I will permanently disable B(2) in a " #| "user namespace and allow writing to I without having " #| "the B capability in the parent user namespace." msgid "" "Writing \\[dq]I\\[dq] to the IpidI file before " "writing to IpidI will permanently disable B(2) " "in a user namespace and allow writing to IpidI without " "having the B capability in the parent user namespace." msgstr "" "Запись \"I\" в файле I перед записью в I насовсем отключает B(2) в пользовательском " "пространстве имён, а также разрешает запись в I без " "мандата B в родительском пользовательском пространстве имён." #. 
type: SS #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy, no-wrap #| msgid "The /proc/[pid]/setgroups file" msgid "The IpidI file" msgstr "Файл /proc/[pid]/setgroups" #. commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8 #. commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272 #. http://lwn.net/Articles/626665/ #. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8989 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "The IpidI file displays the string \"I\" if " #| "processes in the user namespace that contains the process I are " #| "permitted to employ the B(2) system call; it displays " #| "\"I\" if B(2) is not permitted in that user namespace. " #| "Note that regardless of the value in the IpidI file " #| "(and regardless of the process's capabilities), calls to B(2) " #| "are also not permitted if IpidI has not yet been set." msgid "" "The IpidI file displays the string \\[dq]I\\[dq] " "if processes in the user namespace that contains the process I are " "permitted to employ the B(2) system call; it displays " "\\[dq]I\\[dq] if B(2) is not permitted in that user " "namespace. Note that regardless of the value in the IpidI file (and regardless of the process's capabilities), calls to " "B(2) are also not permitted if IpidI has not " "yet been set." msgstr "" "Файл IpidI содержит строку \"I\", если процессам " "в пользовательском пространстве имён, которые содержат процесс с I, " "разрешено выполнять системный вызов B(2); в файл содержится " "строка \"I\", если B(2) запрещён в этом пользовательском " "пространстве имён. Заметим, что независимо от значения в файле IpidI (и независимо от мандатов процесса) вызовы B(2) " "также запрещены, если IpidI до этого не был настроен." #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "A privileged process (one with the B capability in the " #| "namespace) may write either of the strings \"I\" or \"I\" to " #| "this file I writing a group ID mapping for this user namespace to " #| "the file IpidI. Writing the string \"I\" " #| "prevents any process in the user namespace from employing B(2)." msgid "" "A privileged process (one with the B capability in the " "namespace) may write either of the strings \\[dq]I\\[dq] or " "\\[dq]I\\[dq] to this file I writing a group ID mapping for " "this user namespace to the file IpidI. Writing the string " "\\[dq]I\\[dq] prevents any process in the user namespace from " "employing B(2)." msgstr "" "Привилегированный процесс (с мандатом B в пространстве имён) " "может записать строку \"I\" или \"I\" в этот файл I<до> записи " "отображения ID групп для этого пользовательского пространства имён в файл IpidI. Запись строки \"I\" запрещает любому процессу в " "пользовательском пространстве имён выполнять B(2)." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The essence of the restrictions described in the preceding paragraph is that " "it is permitted to write to IpidI only so long as " "calling B(2) is disallowed because IpidI has " "not been set. This ensures that a process cannot transition from a state " "where B(2) is allowed to a state where B(2) is " "denied; a process can transition only from B(2) being disallowed " "to B(2) being allowed." msgstr "" "Сущность ограничений, описанных в предыдущем абзаце в том, чтобы разрешить " "запись в IpidI только когда запрещено вызывать " "B(2), так как IpidI не настроен. 
Это " "гарантирует, что процесс не сможет перейти из состояния, в котором " "B(2) разрешён, в состояние, в котором B(2) запрещён; " "процесс может переходить только из состояния, когда B(2) " "запрещён, в состояние, когда B(2) разрешён." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The default value of this file in the initial user namespace is " "\\[dq]I\\[dq]." msgstr "" "Значение по умолчанию в этом файле в начальном пользовательском " "пространстве имён — \\[dq]I\\[dq]." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "Once IpidI has been written to (which has the effect of " #| "enabling B(2) in the user namespace), it is no longer " #| "possible to disallow B(2) by writing \"I\" to IpidI (the write fails with the error B)." msgid "" "Once IpidI has been written to (which has the effect of " "enabling B(2) in the user namespace), it is no longer possible " "to disallow B(2) by writing \\[dq]I\\[dq] to IpidI (the write fails with the error B)." msgstr "" "После записи в IpidI (что действует как разрешение работы " "B(2) в пользовательском пространстве имён), больше невозможно " "запретить B(2) записью \"I\" в IpidI " "(запись завершается ошибкой B)." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A child user namespace inherits the IpidI setting from " "its parent." msgstr "" "Дочернее пользовательское пространство имён наследует значение IpidI своего родителя." #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "If the I file has the value \"I\", then the " #| "B(2) system call can't subsequently be reenabled (by writing " #| "\"I\" to the file) in this user namespace. (Attempts to do so " #| "fail with the error B.) This restriction also propagates down to " #| "all child user namespaces of this user namespace." msgid "" "If the I file has the value \\[dq]I\\[dq], then the " "B(2) system call can't subsequently be reenabled (by writing " "\\[dq]I\\[dq] to the file) in this user namespace. (Attempts to do " "so fail with the error B.) This restriction also propagates down to " "all child user namespaces of this user namespace." msgstr "" "Если файл I содержит значение \"I\", то системный вызов " "B(2) не может быть повторно включён в дальнейшем (записью " "\"I\" в файл) в этом пользовательском пространстве имён (попытка это " "сделать завершается ошибкой B). Это ограничение также " "распространяется на всех потомков пользовательского пространства имён этого " "пользовательского пространства имён." #. /proc/PID/setgroups #. [allow == setgroups() is allowed, "deny" == setgroups() is disallowed] #. * Can write if have CAP_SYS_ADMIN in NS #. * Must write BEFORE writing to /proc/PID/gid_map #. setgroups() #. * Must already have written to gid_map #. * /proc/PID/setgroups must be "allow" #. /proc/PID/gid_map -- writing #. * Must already have written "deny" to /proc/PID/setgroups #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "The I file was added in Linux 3.19, but was " #| "backported to many earlier stable kernel series, because it addresses a " #| "security issue. 
The issue concerned files with permissions such as " #| "\"rwx---rwx\". Such files give fewer permissions to \"group\" than they " #| "do to \"other\". This means that dropping groups using B(2) " #| "might allow a process file access that it did not formerly have. Before " #| "the existence of user namespaces this was not a concern, since only a " #| "privileged process (one with the B capability) could call " #| "B(2). However, with the introduction of user namespaces, it " #| "became possible for an unprivileged process to create a new namespace in " #| "which the user had all privileges. This then allowed formerly " #| "unprivileged users to drop groups and thus gain file access that they did " #| "not previously have. The IpidI file was added to " #| "address this security issue, by denying any pathway for an unprivileged " #| "process to drop groups with B(2)." msgid "" "The IpidI file was added in Linux 3.19, but was " "backported to many earlier stable kernel series, because it addresses a " "security issue. The issue concerned files with permissions such as \"rwx---" "rwx\". Such files give fewer permissions to \"group\" than they do to " "\"other\". This means that dropping groups using B(2) might " "allow a process file access that it did not formerly have. Before the " "existence of user namespaces this was not a concern, since only a privileged " "process (one with the B capability) could call B(2). " "However, with the introduction of user namespaces, it became possible for an " "unprivileged process to create a new namespace in which the user had all " "privileges. This then allowed formerly unprivileged users to drop groups " "and thus gain file access that they did not previously have. The IpidI file was added to address this security issue, by denying " "any pathway for an unprivileged process to drop groups with B(2)." msgstr "" "Файл I был добавлен в Linux 3.19, но был также перенесён во " "многие более ранние стабильные серии ядра, так как он устраняет проблему " "безопасности. 
Проблема " "касалась файлов с правами доступа вида «rwx---rwx». Такие файлы дают «группе» " "меньше прав, чем «остальным». Это означает, что сброс групп с помощью " "B(2) может дать процессу доступ к файлу, которого у него раньше не " "было. До появления пользовательских пространств имён это не было проблемой, " "так как только привилегированный процесс (с мандатом B) мог вызывать " "B(2). Однако с введением пользовательских пространств имён " "непривилегированный процесс получил возможность создавать новое пространство " "имён, в котором пользователь имеет все права. В результате ранее " "непривилегированный пользователь мог сбросить группы и таким образом получить " "доступ к файлу, которого раньше не имел. Файл IpidI был " "добавлен для устранения этой проблемы безопасности: он закрывает " "непривилегированному процессу любой путь к сбросу групп с помощью " "B(2)." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Unmapped user and group IDs" msgstr "Неотображённые пользовательские и групповые ID" #. from_kuid_munged(), from_kgid_munged() #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "There are various places where an unmapped user ID (group ID) may be " "exposed to user space. For example, the first process in a new user " "namespace may call B(2) before a user ID mapping has been defined " "for the namespace. In most such cases, an unmapped user ID is converted to " "the overflow user ID (group ID); the default value for the overflow user ID " "(group ID) is 65534. See the descriptions of I and I in B(5)." msgstr "" "Есть несколько мест, где в пользовательском пространстве могут появиться " "неотображённые пользовательские ID (групповые ID). 
Например, первый процесс " "в новом пользовательском пространстве имён может вызвать B(2) до " "определения отображения пользовательских ID для пространства имён. В " "большинстве таких случаев неотображённый пользовательский ID преобразуется в " "пользовательский ID (групповой ID) переполнения (overflow); значение по " "умолчанию для пользовательского ID (группового ID) переполнения равно 65534. " "Смотрите описание I и I в B(5)." #. also SO_PEERCRED #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The cases where unmapped IDs are mapped in this fashion include system calls " "that return user IDs (B(2), B(2), and similar), credentials " "passed over a UNIX domain socket, credentials returned by B(2), " "B(2), and the System V IPC \"ctl\" B operations, " "credentials exposed by IpidI and the files in I, credentials returned via the I field in the I " "received with a signal (see B(2)), credentials written to the " "process accounting file (see B(5)), and credentials returned with " "POSIX message queue notifications (see B(3))." msgstr "" "К случаям, в которых неотображённые ID преобразуются подобным образом, " "относятся системные вызовы, возвращающие пользовательские ID (B(2), " "B(2) и подобные), мандаты, передаваемые через доменный сокет UNIX, " "мандаты, возвращаемые B(2), B(2) и «ctl»-операциями B " "System V IPC, мандаты, показываемые в IpidI и файлах в " "I, мандаты, возвращаемые в поле I структуры I, " "полученной вместе с сигналом (смотрите B(2)), мандаты, записываемые в " "файл учёта процессов (смотрите B(5)), и мандаты, возвращаемые с " "уведомлениями очереди сообщений POSIX (смотрите B(3))." #. from_kuid(), from_kgid() #. Also F_GETOWNER_UIDS is an exception #. ============================================================ #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "There is one notable case where unmapped user and group IDs are I " "converted to the corresponding overflow ID value. When viewing a I " "or I file in which there is no mapping for the second field, that " "field is displayed as 4294967295 (-1 as an unsigned integer)." msgstr "" "Есть один известный случай, где неотображённый пользовательский и групповой " "ID I<не> преобразуется в соответствующее значение ID переполнения. Если при " "просмотре файла I или I обнаруживается, что для второго " "поля нет отображения, то поле отображается как 4294967295 (-1 для " "беззнакового целого)." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Accessing files" msgstr "Доступ к файлам" #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "In order to determine permissions when an unprivileged process accesses a " #| "file, the process credentials (UID, GID) and the file credentials are in " #| "effect mapped back to what they would be in the initial user namespace " #| "and then compared to determine the permissions that the process has on " #| "the file. The same is also of other objects that employ the credentials " #| "plus permissions mask accessibility model, such as System V IPC objects" msgid "" "In order to determine permissions when an unprivileged process accesses a " "file, the process credentials (UID, GID) and the file credentials are in " "effect mapped back to what they would be in the initial user namespace and " "then compared to determine the permissions that the process has on the " "file. 
The same is also true of other objects that employ the credentials " "plus permissions mask accessibility model, such as System V IPC objects." msgstr "" "Чтобы определить права, с которыми непривилегированный процесс обращается к " "файлу, берутся идентификаторы процесса (UID, GID) и идентификаторы файла, " "отображаемые в те, которые были бы в исходном пространстве имён " "пользователя, и затем сравниваются для определения прав, которые процесс " "имеет на файл. Это также выполняется и для других объектов, использующих " "идентификаторы плюс модель маски прав доступа, например для объектов System " "V IPC." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Operation of file-related capabilities" msgstr "Операции с файловыми мандатами" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Certain capabilities allow a process to bypass various kernel-enforced " "restrictions when performing operations on files owned by other users or " "groups. These capabilities are: B, B, " "B, B, and B." msgstr "" "Некоторые мандаты позволяют процессу обходить различные ограничения, " "налагаемые ядром на выполнение операций над файлами, принадлежащими другим " "пользователям или группам. Список мандатов: B, " "B, B, B и B." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Within a user namespace, these capabilities allow a process to bypass the " "rules if the process has the relevant capability over the file, meaning that:" msgstr "" "Внутри пользовательского пространства имён эти мандаты позволяют процессу " "обходить правила, если процесс имеет соответствующий мандат на файле, " "подразумевающий что:" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "the process has the relevant effective capability in its user namespace; and" msgstr "" "процесс имеет соответствующий эффективный мандат в своём пространстве имён " "пользователя; и" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "the file's user ID and group ID both have valid mappings in the user " "namespace." msgstr "" "и ID пользователя, и ID группы файла имеют корректные отображения в " "пользовательском пространстве имён." #. These are the checks performed by the kernel function #. inode_owner_or_capable(). There is one exception to the exception: #. overriding the directory sticky permission bit requires that #. the file has a valid mapping for both its UID and GID. #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The B capability is treated somewhat exceptionally: it allows a " "process to bypass the corresponding rules so long as at least the file's " "user ID has a mapping in the user namespace (i.e., the file's group ID does " "not need to have a valid mapping)." msgstr "" "Мандат B обрабатывается особым образом: он позволяет процессу обходить " "соответствующие правила при условии, что отображение в пользовательском " "пространстве имён имеет хотя бы ID пользователя файла (т. е. ID группы файла " "может не иметь корректного отображения)." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Set-user-ID and set-group-ID programs" msgstr "Программы с установленными битами set-user-ID и set-group-ID" #. 
============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a process inside a user namespace executes a set-user-ID (set-group-ID) " "program, the process's effective user (group) ID inside the namespace is " "changed to whatever value is mapped for the user (group) ID of the file. " "However, if either the user I the group ID of the file has no mapping " "inside the namespace, the set-user-ID (set-group-ID) bit is silently " "ignored: the new program is executed, but the process's effective user " "(group) ID is left unchanged. (This mirrors the semantics of executing a " "set-user-ID or set-group-ID program that resides on a filesystem that was " "mounted with the B flag, as described in B(2).)" msgstr "" "Когда процесс внутри пользовательского пространства имён выполняет программу " "с установленным битом set-user-ID (set-group-ID), то эффективный ID " "пользователя (группы) внутри пространства имён изменяется на значение, " "отображённое для ID пользователя (группы) файла. Однако, если ID " "пользователя I<или> группы файла не имеет отображения внутри пространства " "имён, то бит set-user-ID (set-group-ID) молча игнорируется: новая программа " "выполняется, но эффективный ID пользователя (группы) процесса остаётся " "неизменным (это повторяет семантику выполнения программы с set-user-ID или " "set-group-ID, расположенной в файловой системе, смонтированной с флагом " "B, как описано в B(2))." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Miscellaneous" msgstr "Разное" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a process's user and group IDs are passed over a UNIX domain socket to " "a process in a different user namespace (see the description of " "B in B(7)), they are translated into the " "corresponding values as per the receiving process's user and group ID " "mappings." msgstr "" "Когда ID пользователя и группы процесса передаются через доменный сокет UNIX " "в процесс в другом пользовательском пространстве имён (смотрите описание " "B в B(7)), то они транслируются в соответствующие " "значения согласно отображению ID пользователя и группы принимающего процесса." #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "STANDARDS" msgstr "СТАНДАРТЫ" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "Linux." msgstr "Linux." #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "NOTES" msgstr "ЗАМЕЧАНИЯ" #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Over the years, there have been a lot of features that have been added to " "the Linux kernel that have been made available only to privileged users " "because of their potential to confuse set-user-ID-root applications. In " "general, it becomes safe to allow the root user in a user namespace to use " "those features because it is impossible, while in a user namespace, to gain " "more privilege than the root user of a user namespace has." 
msgstr "" "За эти годы в ядро Linux было добавлено много возможностей, которые были " "доступны только привилегированным пользователям, так как они могли ввести в " "заблуждение приложения с set-user-ID-root. В целом, разрешать пользователю " "root в пользовательском пространстве имён использовать эти возможности " "безопасно, так как, находясь в пользовательском пространстве имён, " "невозможно получить больше прав, чем имеет root этого пользовательского " "пространства имён." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Global root" msgstr "Глобальный root" # #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The term \"global root\" is sometimes used as a shorthand for user ID 0 in " "the initial user namespace." msgstr "" "Термин «глобальный root» (global root) иногда используется как краткое " "обозначение пользователя с ID 0 в начальном пользовательском пространстве " "имён." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Availability" msgstr "Доступность" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Use of user namespaces requires a kernel that is configured with the " "B option. User namespaces require support in a range of " "subsystems across the kernel. When an unsupported subsystem is configured " "into the kernel, it is not possible to configure user namespaces support." msgstr "" "Для использования пользовательских пространств имён ядро должно быть собрано " "с параметром B. Пользовательские пространства имён требуют " "поддержки во многих подсистемах ядра. Если в ядре задействована " "неподдерживаемая подсистема, то включить поддержку пользовательских " "пространств имён невозможно." #. 
commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "As at Linux 3.8, most relevant subsystems supported user namespaces, but a " "number of filesystems did not have the infrastructure needed to map user and " "group IDs between user namespaces. Linux 3.9 added the required " "infrastructure support for many of the remaining unsupported filesystems " "(Plan 9 (9P), Andrew File System (AFS), Ceph, CIFS, CODA, NFS, and OCFS2). " "Linux 3.12 added support for the last of the unsupported major filesystems, " "XFS." msgstr "" "По состоянию на Linux 3.8 большинство соответствующих подсистем " "поддерживало пользовательские пространства имён, но ряд файловых систем не " "имел инфраструктуры, необходимой для отображения пользовательских и групповых " "ID между пользовательскими пространствами имён. В Linux 3.9 добавлена " "требуемая инфраструктура для многих из оставшихся неподдерживаемых файловых " "систем (Plan 9 (9P), Andrew File System (AFS), Ceph, CIFS, CODA, NFS и " "OCFS2). В Linux 3.12 добавлена поддержка последней из неподдерживавшихся " "основных файловых систем — XFS." #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "EXAMPLES" msgstr "ПРИМЕРЫ" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy #| msgid "" #| "The program below is designed to allow experimenting with user " #| "namespaces, as well as other types of namespaces. It creates namespaces " #| "as specified by command-line options and then executes a command inside " #| "those namespaces. The comments and I function inside the " #| "program provide a full explanation of the program. The following shell " #| "session demonstrates its use." 
msgid "" "The program below is designed to allow experimenting with user namespaces, " "as well as other types of namespaces. It creates namespaces as specified by " "command-line options and then executes a command inside those namespaces. " "The comments and I() function inside the program provide a full " "explanation of the program. The following shell session demonstrates its " "use." msgstr "" "Представленная далее программа разработана для экспериментов с " "пользовательскими пространствами имён, а также с пространствами имён других " "типов. Она создаёт пространства имён согласно параметрам командной строки и " "затем выполняет команду внутри этих пространств имён. В комментариях и " "функции I() приведено полное описание программы. Следующий сеанс " "оболочки показывает её работу." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "First, we look at the run-time environment:" msgstr "Сначала посмотрим на окружение выполнения:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "$ B # Need Linux 3.8 or later\n" "Linux 3.8.0\n" "$ B # Running as unprivileged user\n" "1000\n" "$ B\n" "1000\n" msgstr "" "$ B # требуется Linux 3.8 или новее\n" "Linux 3.8.0\n" "$ B # работа от непривилегированного пользователя\n" "1000\n" "$ B\n" "1000\n" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Now start a new shell in new user (I<-U>), mount (I<-m>), and PID (I<-p>) " "namespaces, with user ID (I<-M>) and group ID (I<-G>) 1000 mapped to 0 " "inside the user namespace:" msgstr "" "Теперь запустим новую оболочку в новых пользовательском (I<-U>), " "монтирования (I<-m>) и PID (I<-p>) пространствах имён с пользовательским (I<-" "M>) и групповым ID (I<-G>) 1000, отображающимся в 0 внутри " "пользовательского пространства имён:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy, no-wrap #| msgid "$ B<./userns_child_exec -p -m -U -M \\(aq0 1000 1\\(aq -G \\(aq0 1000 1\\(aq bash>\n" msgid "$ B<./userns_child_exec -p -m -U -M \\[aq]0 1000 1\\[aq] -G \\[aq]0 1000 1\\[aq] bash>\n" msgstr "$ B<./userns_child_exec -p -m -U -M \\(aq0 1000 1\\(aq -G \\(aq0 1000 1\\(aq bash>\n" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The shell has PID 1, because it is the first process in the new PID " "namespace:" msgstr "" "У оболочки PID равен 1, так как это первый процесс в новом пространстве имён " "PID:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "bash$ B\n" "1\n" msgstr "" "bash$ B\n" "1\n" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Mounting a new I filesystem and listing all of the processes visible " "in the new PID namespace shows that the shell can't see any processes " "outside the PID namespace:" msgstr "" "Смонтируем новую файловую систему I и просмотрим все процессы, " "видимые в новом пространстве имён PID; убедимся, что оболочка не видит ни " "одного процесса вне своего пространства имён PID:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "bash$ B\n" "bash$ B\n" " PID TTY STAT TIME COMMAND\n" " 1 pts/3 S 0:00 bash\n" " 22 pts/3 R+ 0:00 ps ax\n" msgstr "" "bash$ B\n" "bash$ B\n" " PID TTY STAT TIME COMMAND\n" " 1 pts/3 S 0:00 bash\n" " 22 pts/3 R+ 0:00 ps ax\n" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Inside the user namespace, the shell has user and group ID 0, and a full set " "of permitted and effective capabilities:" msgstr "" "Внутри пользовательского пространства имён идентификаторы пользователя и " "группы оболочки равны 0, и она имеет полный набор разрешённых и эффективных " "мандатов:" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, fuzzy, no-wrap #| msgid "" #| "bash$ B\n" #| "Uid:\t0\t0\t0\t0\n" #| "Gid:\t0\t0\t0\t0\n" #| "bash$ B\n" #| "CapInh:\t0000000000000000\n" #| "CapPrm:\t0000001fffffffff\n" #| "CapEff:\t0000001fffffffff\n" msgid "" "bash$ B\n" "Uid:\t0\t0\t0\t0\n" "Gid:\t0\t0\t0\t0\n" "bash$ B\n" "CapInh:\t0000000000000000\n" "CapPrm:\t0000001fffffffff\n" "CapEff:\t0000001fffffffff\n" msgstr "" "bash$ B\n" "Uid:\t0\t0\t0\t0\n" "Gid:\t0\t0\t0\t0\n" "bash$ B\n" "CapInh:\t0000000000000000\n" "CapPrm:\t0000001fffffffff\n" "CapEff:\t0000001fffffffff\n" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Program source" msgstr "Исходный код программы" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed #, no-wrap msgid "" "/* userns_child_exec.c\n" "\\&\n" " Licensed under GNU General Public License v2 or later\n" "\\&\n" " Create a child process that executes a shell command in new\n" " namespace(s); allow UID and GID mappings to be specified when\n" " creating a user namespace.\n" "*/\n" "#define _GNU_SOURCE\n" "#include Eerr.hE\n" "#include Esched.hE\n" "#include Eunistd.hE\n" "#include Estdint.hE\n" "#include Estdlib.hE\n" "#include Esys/wait.hE\n" "#include Esignal.hE\n" "#include Efcntl.hE\n" "#include Estdio.hE\n" "#include Estring.hE\n" "#include Elimits.hE\n" "#include Eerrno.hE\n" "\\&\n" "struct child_args {\n" " char **argv; /* Command to be executed by child, with args */\n" " int pipe_fd[2]; /* Pipe used to synchronize parent and child */\n" "};\n" "\\&\n" "static int verbose;\n" "\\&\n" "static void\n" "usage(char *pname)\n" "{\n" " fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n" " fprintf(stderr, \"Create a child process that executes a 
shell \"\n" " \"command in a new user namespace,\\en\"\n" " \"and possibly also other new namespace(s).\\en\\en\");\n" " fprintf(stderr, \"Options can be:\\en\\en\");\n" "#define fpe(str) fprintf(stderr, \" %s\", str);\n" " fpe(\"-i New IPC namespace\\en\");\n" " fpe(\"-m New mount namespace\\en\");\n" " fpe(\"-n New network namespace\\en\");\n" " fpe(\"-p New PID namespace\\en\");\n" " fpe(\"-u New UTS namespace\\en\");\n" " fpe(\"-U New user namespace\\en\");\n" " fpe(\"-M uid_map Specify UID map for user namespace\\en\");\n" " fpe(\"-G gid_map Specify GID map for user namespace\\en\");\n" " fpe(\"-z Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n" " fpe(\" (equivalent to: -M \\[aq]0 EuidE 1\\[aq] -G \\[aq]0 EgidE 1\\[aq])\\en\");\n" " fpe(\"-v Display verbose messages\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n" " fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n" " fpe(\"\\en\");\n" " fpe(\" ID-inside-ns ID-outside-ns len\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"A map string can contain multiple records, separated\"\n" " \" by commas;\\en\");\n" " fpe(\"the commas are replaced by newlines before writing\"\n" " \" to map files.\\en\");\n" "\\&\n" " exit(EXIT_FAILURE);\n" "}\n" "\\&\n" "/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n" " \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n" " GID mapping consists of one or more newline-delimited records\n" " of the form:\n" "\\&\n" " ID_inside-ns ID-outside-ns length\n" "\\&\n" " Requiring the user to supply a string that contains newlines is\n" " of course inconvenient for command-line use. Thus, we permit the\n" " use of commas to delimit records in this string, and replace them\n" " with newlines before writing the string to the file. 
*/\n" "\\&\n" "static void\n" "update_map(char *mapping, char *map_file)\n" "{\n" " int fd;\n" " size_t map_len; /* Length of \\[aq]mapping\\[aq] */\n" "\\&\n" " /* Replace commas in mapping string with newlines. */\n" "\\&\n" " map_len = strlen(mapping);\n" " for (size_t j = 0; j E map_len; j++)\n" " if (mapping[j] == \\[aq],\\[aq])\n" " mapping[j] = \\[aq]\\en\\[aq];\n" "\\&\n" " fd = open(map_file, O_RDWR);\n" " if (fd == -1) {\n" " fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n" " strerror(errno));\n" " exit(EXIT_FAILURE);\n" " }\n" "\\&\n" " if (write(fd, mapping, map_len) != map_len) {\n" " fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n" " strerror(errno));\n" " exit(EXIT_FAILURE);\n" " }\n" "\\&\n" " close(fd);\n" "}\n" "\\&\n" "/* Linux 3.19 made a change in the handling of setgroups(2) and\n" " the \\[aq]gid_map\\[aq] file to address a security issue. The issue\n" " allowed *unprivileged* users to employ user namespaces in\n" " order to drop groups. The upshot of the 3.19 changes is that\n" " in order to update the \\[aq]gid_maps\\[aq] file, use of the setgroups()\n" " system call in this user namespace must first be disabled by\n" " writing \"deny\" to one of the /proc/PID/setgroups files for\n" " this namespace. That is the purpose of the following function. */\n" "\\&\n" "static void\n" "proc_setgroups_write(pid_t child_pid, char *str)\n" "{\n" " char setgroups_path[PATH_MAX];\n" " int fd;\n" "\\&\n" " snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n" " (intmax_t) child_pid);\n" "\\&\n" " fd = open(setgroups_path, O_RDWR);\n" " if (fd == -1) {\n" "\\&\n" " /* We may be on a system that doesn\\[aq]t support\n" " /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n" " and the system won\\[aq]t impose the restrictions that Linux 3.19\n" " added. 
That\\[aq]s fine: we don\\[aq]t need to do anything in order\n" " to permit \\[aq]gid_map\\[aq] to be updated.\n" "\\&\n" " However, if the error from open() was something other than\n" " the ENOENT error that is expected for that case, let the\n" " user know. */\n" "\\&\n" " if (errno != ENOENT)\n" " fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n" " strerror(errno));\n" " return;\n" " }\n" "\\&\n" " if (write(fd, str, strlen(str)) == -1)\n" " fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n" " strerror(errno));\n" "\\&\n" " close(fd);\n" "}\n" "\\&\n" "static int /* Start function for cloned child */\n" "childFunc(void *arg)\n" "{\n" " struct child_args *args = arg;\n" " char ch;\n" "\\&\n" " /* Wait until the parent has updated the UID and GID mappings.\n" " See the comment in main(). We wait for end of file on a\n" " pipe that will be closed by the parent process once it has\n" " updated the mappings. */\n" "\\&\n" " close(args-Epipe_fd[1]); /* Close our descriptor for the write\n" " end of the pipe so that we see EOF\n" " when parent closes its descriptor. */\n" " if (read(args-Epipe_fd[0], &ch, 1) != 0) {\n" " fprintf(stderr,\n" " \"Failure in child: read from pipe returned != 0\\en\");\n" " exit(EXIT_FAILURE);\n" " }\n" "\\&\n" " close(args-Epipe_fd[0]);\n" "\\&\n" " /* Execute a shell command. */\n" "\\&\n" " printf(\"About to exec %s\\en\", args-Eargv[0]);\n" " execvp(args-Eargv[0], args-Eargv);\n" " err(EXIT_FAILURE, \"execvp\");\n" "}\n" "\\&\n" "#define STACK_SIZE (1024 * 1024)\n" "\\&\n" "static char child_stack[STACK_SIZE]; /* Space for child\\[aq]s stack */\n" "\\&\n" "int\n" "main(int argc, char *argv[])\n" "{\n" " int flags, opt, map_zero;\n" " pid_t child_pid;\n" " struct child_args args;\n" " char *uid_map, *gid_map;\n" " const int MAP_BUF_SIZE = 100;\n" " char map_buf[MAP_BUF_SIZE];\n" " char map_path[PATH_MAX];\n" "\\&\n" " /* Parse command-line options. 
The initial \\[aq]+\\[aq] character in\n" " the final getopt() argument prevents GNU-style permutation\n" " of command-line options. That\\[aq]s useful, since sometimes\n" " the \\[aq]command\\[aq] to be executed by this program itself\n" " has command-line options. We don\\[aq]t want getopt() to treat\n" " those as options to this program. */\n" "\\&\n" " flags = 0;\n" " verbose = 0;\n" " gid_map = NULL;\n" " uid_map = NULL;\n" " map_zero = 0;\n" " while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n" " switch (opt) {\n" " case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC; break;\n" " case \\[aq]m\\[aq]: flags |= CLONE_NEWNS; break;\n" " case \\[aq]n\\[aq]: flags |= CLONE_NEWNET; break;\n" " case \\[aq]p\\[aq]: flags |= CLONE_NEWPID; break;\n" " case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS; break;\n" " case \\[aq]v\\[aq]: verbose = 1; break;\n" " case \\[aq]z\\[aq]: map_zero = 1; break;\n" " case \\[aq]M\\[aq]: uid_map = optarg; break;\n" " case \\[aq]G\\[aq]: gid_map = optarg; break;\n" " case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER; break;\n" " default: usage(argv[0]);\n" " }\n" " }\n" "\\&\n" " /* -M or -G without -U is nonsensical */\n" "\\&\n" " if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n" " !(flags & CLONE_NEWUSER)) ||\n" " (map_zero && (uid_map != NULL || gid_map != NULL)))\n" " usage(argv[0]);\n" "\\&\n" " args.argv = &argv[optind];\n" "\\&\n" " /* We use a pipe to synchronize the parent and child, in order to\n" " ensure that the parent sets the UID and GID maps before the child\n" " calls execve(). This ensures that the child maintains its\n" " capabilities during the execve() in the common case where we\n" " want to map the child\\[aq]s effective user ID to 0 in the new user\n" " namespace. Without this synchronization, the child would lose\n" " its capabilities if it performed an execve() with nonzero\n" " user IDs (see the capabilities(7) man page for details of the\n" " transformation of a process\\[aq]s capabilities during execve()). 
*/\n" "\\&\n" " if (pipe(args.pipe_fd) == -1)\n" " err(EXIT_FAILURE, \"pipe\");\n" "\\&\n" " /* Create the child in new namespace(s). */\n" "\\&\n" " child_pid = clone(childFunc, child_stack + STACK_SIZE,\n" " flags | SIGCHLD, &args);\n" " if (child_pid == -1)\n" " err(EXIT_FAILURE, \"clone\");\n" "\\&\n" " /* Parent falls through to here. */\n" "\\&\n" " if (verbose)\n" " printf(\"%s: PID of child created by clone() is %jd\\en\",\n" " argv[0], (intmax_t) child_pid);\n" "\\&\n" " /* Update the UID and GID maps in the child. */\n" "\\&\n" " if (uid_map != NULL || map_zero) {\n" " snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n" " (intmax_t) child_pid);\n" " if (map_zero) {\n" " snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n" " (intmax_t) getuid());\n" " uid_map = map_buf;\n" " }\n" " update_map(uid_map, map_path);\n" " }\n" "\\&\n" " if (gid_map != NULL || map_zero) {\n" " proc_setgroups_write(child_pid, \"deny\");\n" "\\&\n" " snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n" " (intmax_t) child_pid);\n" " if (map_zero) {\n" " snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n" " (intmax_t) getgid());\n" " gid_map = map_buf;\n" " }\n" " update_map(gid_map, map_path);\n" " }\n" "\\&\n" " /* Close the write end of the pipe, to signal to the child that we\n" " have updated the UID and GID maps. */\n" "\\&\n" " close(args.pipe_fd[1]);\n" "\\&\n" " if (waitpid(child_pid, NULL, 0) == -1) /* Wait for child */\n" " err(EXIT_FAILURE, \"waitpid\");\n" "\\&\n" " if (verbose)\n" " printf(\"%s: terminating\\en\", argv[0]);\n" "\\&\n" " exit(EXIT_SUCCESS);\n" "}\n" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "SEE ALSO" msgstr "СМ. ТАКЖЕ" #. From the shadow package #. From the shadow package #. From the shadow package #. From the shadow package #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "B(1), B(1), B(2), B(2), B(2), " "B(2), B(5), B(5), B(5), B(7), " "B(7), B(7), B(7), " "B(7)" msgstr "" "B(1), B(1), B(2), B(2), B(2), " "B(2), B(5), B(5), B(5), B(7), " "B(7), B(7), B(7), " "B(7)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The kernel source file I." msgstr "" "Файл из дерева исходного кода ядра I." #. type: TH #: debian-bookworm #, no-wrap msgid "2023-02-05" msgstr "5 февраля 2023 г." #. type: TH #: debian-bookworm #, no-wrap msgid "Linux man-pages 6.03" msgstr "Linux man-pages 6.03" #. type: SS #: debian-bookworm #, fuzzy, no-wrap #| msgid "The /proc/ pid /setgroups file" msgid "The /proc/I/setgroups file" msgstr "Файл /proc/ pid /setgroups" #. type: Plain text #: debian-bookworm msgid "Namespaces are a Linux-specific feature." msgstr "Пространства имён есть только в Linux." #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "/* userns_child_exec.c\n" msgstr "/* userns_child_exec.c\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " Licensed under GNU General Public License v2 or later\n" msgstr "" " Лицензируется на условиях Универсальной общественной лицензии\n" " GNU версии 2 и новее\n" #. 
type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " Create a child process that executes a shell command in new\n" " namespace(s); allow UID and GID mappings to be specified when\n" " creating a user namespace.\n" "*/\n" "#define _GNU_SOURCE\n" "#include Eerr.hE\n" "#include Esched.hE\n" "#include Eunistd.hE\n" "#include Estdint.hE\n" "#include Estdlib.hE\n" "#include Esys/wait.hE\n" "#include Esignal.hE\n" "#include Efcntl.hE\n" "#include Estdio.hE\n" "#include Estring.hE\n" "#include Elimits.hE\n" "#include Eerrno.hE\n" msgstr "" " Создаёт дочерний процесс, который запускает командную оболочку\n" " в новых пространствах имён; может выполнять отображение UID и GID,\n" " если они указаны при создании пользовательского пространства имён.\n" "*/\n" "#define _GNU_SOURCE\n" "#include Eerr.hE\n" "#include Esched.hE\n" "#include Eunistd.hE\n" "#include Estdint.hE\n" "#include Estdlib.hE\n" "#include Esys/wait.hE\n" "#include Esignal.hE\n" "#include Efcntl.hE\n" "#include Estdio.hE\n" "#include Estring.hE\n" "#include Elimits.hE\n" "#include Eerrno.hE\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "struct child_args {\n" " char **argv; /* Command to be executed by child, with args */\n" " int pipe_fd[2]; /* Pipe used to synchronize parent and child */\n" "};\n" msgstr "" "struct child_args {\n" " char **argv; /* команда, выполняемая потомком с параметрами */\n" " int pipe_fd[2]; /* канал для синхронизации родителя и потомка */\n" "};\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "static int verbose;\n" msgstr "static int verbose;\n" #. 
type: Plain text #: debian-bookworm opensuse-leap-15-6 #, fuzzy, no-wrap #| msgid "" #| "static void\n" #| "usage(char *pname)\n" #| "{\n" #| " fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n" #| " fprintf(stderr, \"Create a child process that executes a shell \"\n" #| " \"command in a new user namespace,\\en\"\n" #| " \"and possibly also other new namespace(s).\\en\\en\");\n" #| " fprintf(stderr, \"Options can be:\\en\\en\");\n" #| "#define fpe(str) fprintf(stderr, \" %s\", str);\n" #| " fpe(\"-i New IPC namespace\\en\");\n" #| " fpe(\"-m New mount namespace\\en\");\n" #| " fpe(\"-n New network namespace\\en\");\n" #| " fpe(\"-p New PID namespace\\en\");\n" #| " fpe(\"-u New UTS namespace\\en\");\n" #| " fpe(\"-U New user namespace\\en\");\n" #| " fpe(\"-M uid_map Specify UID map for user namespace\\en\");\n" #| " fpe(\"-G gid_map Specify GID map for user namespace\\en\");\n" #| " fpe(\"-z Map user\\(aqs UID and GID to 0 in user namespace\\en\");\n" #| " fpe(\" (equivalent to: -M \\(aq0 EuidE 1\\(aq -G \\(aq0 EgidE 1\\(aq)\\en\");\n" #| " fpe(\"-v Display verbose messages\\en\");\n" #| " fpe(\"\\en\");\n" #| " fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n" #| " fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n" #| " fpe(\"\\en\");\n" #| " fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n" #| " fpe(\"\\en\");\n" #| " fpe(\" ID-inside-ns ID-outside-ns len\\en\");\n" #| " fpe(\"\\en\");\n" #| " fpe(\"A map string can contain multiple records, separated\"\n" #| " \" by commas;\\en\");\n" #| " fpe(\"the commas are replaced by newlines before writing\"\n" #| " \" to map files.\\en\");\n" msgid "" "static void\n" "usage(char *pname)\n" "{\n" " fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n" " fprintf(stderr, \"Create a child process that executes a shell \"\n" " \"command in a new user namespace,\\en\"\n" " \"and possibly also other new 
namespace(s).\\en\\en\");\n" " fprintf(stderr, \"Options can be:\\en\\en\");\n" "#define fpe(str) fprintf(stderr, \" %s\", str);\n" " fpe(\"-i New IPC namespace\\en\");\n" " fpe(\"-m New mount namespace\\en\");\n" " fpe(\"-n New network namespace\\en\");\n" " fpe(\"-p New PID namespace\\en\");\n" " fpe(\"-u New UTS namespace\\en\");\n" " fpe(\"-U New user namespace\\en\");\n" " fpe(\"-M uid_map Specify UID map for user namespace\\en\");\n" " fpe(\"-G gid_map Specify GID map for user namespace\\en\");\n" " fpe(\"-z Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n" " fpe(\" (equivalent to: -M \\[aq]0 EuidE 1\\[aq] -G \\[aq]0 EgidE 1\\[aq])\\en\");\n" " fpe(\"-v Display verbose messages\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n" " fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n" " fpe(\"\\en\");\n" " fpe(\" ID-inside-ns ID-outside-ns len\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"A map string can contain multiple records, separated\"\n" " \" by commas;\\en\");\n" " fpe(\"the commas are replaced by newlines before writing\"\n" " \" to map files.\\en\");\n" msgstr "" "static void\n" "usage(char *pname)\n" "{\n" " fprintf(stderr, \"Использование: %s [параметры] кмд [арг…]\\en\\en\", pname);\n" " fprintf(stderr, \"Создаёт дочерний процесс, который запускает командную \"\n" " \"оболочку в новом пользовательском пространстве имён,\\en\"\n" " \"и, возможно, также в других новых пространствах имён.\\en\\en\");\n" " fprintf(stderr, \"Параметры:\\en\\en\");\n" "#define fpe(str) fprintf(stderr, \" %s\", str);\n" " fpe(\"-i Новое пространство имён IPC\\en\");\n" " fpe(\"-m Новое пространство имён монтирования\\en\");\n" " fpe(\"-n Новое сетевое пространство имён\\en\");\n" " fpe(\"-p Новое пространство имён PID\\en\");\n" " fpe(\"-u Новое пространство имён UTS\\en\");\n" " fpe(\"-U Новое 
пользовательское пространство имён\\en\");\n" " fpe(\"-M uid_map карта UID для пользовательского пространства имён\\en\");\n" " fpe(\"-G gid_map карта GID для пользовательского пространства имён\\en\");\n" " fpe(\"-z Отображать пользовательский UID и GID в 0 в пользовательском пространстве имён\\en\");\n" " fpe(\" (эквивалентно: -M \\(aq0 EuidE 1\\(aq -G \\(aq0 EgidE 1\\(aq)\\en\");\n" " fpe(\"-v показывать дополнительные сообщения\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"Если указан -z, -M или -G, то требуется -U.\\en\");\n" " fpe(\"Нельзя указывать -z вместе с -M или -G.\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"Строка карты для -M и -G состоит из записей вида:\\en\");\n" " fpe(\"\\en\");\n" " fpe(\" ID-внутри-ns ID-вне-ns длина\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"Строка карты может содержать несколько записей через запятую;\\en\");\n" " fpe(\"запятые замещаются на символы новой строки перед записью\"\n" " \" в файлы карт.\\en\");\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " exit(EXIT_FAILURE);\n" "}\n" msgstr "" " exit(EXIT_FAILURE);\n" "}\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, fuzzy, no-wrap #| msgid "" #| "/* Update the mapping file \\(aqmap_file\\(aq, with the value provided in\n" #| " \\(aqmapping\\(aq, a string that defines a UID or GID mapping. A UID or\n" #| " GID mapping consists of one or more newline-delimited records\n" #| " of the form:\n" msgid "" "/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n" " \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n" " GID mapping consists of one or more newline-delimited records\n" " of the form:\n" msgstr "" "/* Обновляем файл отображения «map_file» значением из\n" " «mapping» — строкой, в которой определены отображения UID или GID.\n" " Отображения UID или GID состоят из одной или более записей\n" " (разделённых символом новой строки) вида:\n" #. 
type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " ID_inside-ns ID-outside-ns length\n" msgstr " ID-внутри-ns ID-снаружи-ns длина\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " Requiring the user to supply a string that contains newlines is\n" " of course inconvenient for command-line use. Thus, we permit the\n" " use of commas to delimit records in this string, and replace them\n" " with newlines before writing the string to the file. */\n" msgstr "" " Требовать от пользователя указывать строку с символами новой строки\n" " в командной строке неприемлемо. Поэтому мы позволим использовать\n" " для разделения записей запятые и заменим их символами новой строки\n" " перед записью строки в файл. */\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, fuzzy, no-wrap #| msgid "" #| "static void\n" #| "update_map(char *mapping, char *map_file)\n" #| "{\n" #| " int fd;\n" #| " size_t map_len; /* Length of \\(aqmapping\\(aq */\n" msgid "" "static void\n" "update_map(char *mapping, char *map_file)\n" "{\n" " int fd;\n" " size_t map_len; /* Length of \\[aq]mapping\\[aq] */\n" msgstr "" "static void\n" "update_map(char *mapping, char *map_file)\n" "{\n" " int fd;\n" " size_t map_len; /* длина «mapping» */\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* Replace commas in mapping string with newlines. */\n" msgstr " /* Заменяем запятые на символы новой строки в строке отображения. */\n" #. 
type: Plain text #: debian-bookworm opensuse-leap-15-6 #, fuzzy, no-wrap #| msgid "" #| " map_len = strlen(mapping);\n" #| " for (size_t j = 0; j E map_len; j++)\n" #| " if (mapping[j] == \\(aq,\\(aq)\n" #| " mapping[j] = \\(aq\\en\\(aq;\n" msgid "" " map_len = strlen(mapping);\n" " for (size_t j = 0; j E map_len; j++)\n" " if (mapping[j] == \\[aq],\\[aq])\n" " mapping[j] = \\[aq]\\en\\[aq];\n" msgstr "" " map_len = strlen(mapping);\n" " for (size_t j = 0; j E map_len; j++)\n" " if (mapping[j] == \\(aq,\\(aq)\n" " mapping[j] = \\(aq\\en\\(aq;\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " fd = open(map_file, O_RDWR);\n" " if (fd == -1) {\n" " fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n" " strerror(errno));\n" " exit(EXIT_FAILURE);\n" " }\n" msgstr "" " fd = open(map_file, O_RDWR);\n" " if (fd == -1) {\n" " fprintf(stderr, \"ОШИБКА: open %s: %s\\en\", map_file,\n" " strerror(errno));\n" " exit(EXIT_FAILURE);\n" " }\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (write(fd, mapping, map_len) != map_len) {\n" " fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n" " strerror(errno));\n" " exit(EXIT_FAILURE);\n" " }\n" msgstr "" " if (write(fd, mapping, map_len) != map_len) {\n" " fprintf(stderr, \"ОШИБКА: write %s: %s\\en\", map_file,\n" " strerror(errno));\n" " exit(EXIT_FAILURE);\n" " }\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " close(fd);\n" "}\n" msgstr "" " close(fd);\n" "}\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, fuzzy, no-wrap #| msgid "" #| "/* Linux 3.19 made a change in the handling of setgroups(2) and the\n" #| " \\(aqgid_map\\(aq file to address a security issue. 
The issue allowed\n" #| " *unprivileged* users to employ user namespaces in order to drop\n" #| " The upshot of the 3.19 changes is that in order to update the\n" #| " \\(aqgid_maps\\(aq file, use of the setgroups() system call in this\n" #| " user namespace must first be disabled by writing \"deny\" to one of\n" #| " the /proc/PID/setgroups files for this namespace. That is the\n" #| " purpose of the following function. */\n" msgid "" "/* Linux 3.19 made a change in the handling of setgroups(2) and the\n" " \\[aq]gid_map\\[aq] file to address a security issue. The issue allowed\n" " *unprivileged* users to employ user namespaces in order to drop groups.\n" " The upshot of the 3.19 changes is that in order to update the\n" " \\[aq]gid_maps\\[aq] file, use of the setgroups() system call in this\n" " user namespace must first be disabled by writing \"deny\" to one of\n" " the /proc/PID/setgroups files for this namespace. That is the\n" " purpose of the following function. */\n" msgstr "" "/* В Linux 3.19 изменена обработка setgroups(2) и файла\n" " \\(aqgid_map\\(aq для устранения уязвимости: она позволяла\n" " *непривилегированному* пользователю с помощью пользовательских\n" " пространств имён сбрасывать группы. Результат изменений 3.19 в том, что\n" " для обновления файла \\(aqgid_maps\\(aq сначала нужно запретить системный\n" " вызов setgroups() в этом пользовательском пространстве имён, записав\n" " \"deny\" в один из файлов /proc/PID/setgroups в этом пространстве имён.\n" " Это цель данной функции. */\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "static void\n" "proc_setgroups_write(pid_t child_pid, char *str)\n" "{\n" " char setgroups_path[PATH_MAX];\n" " int fd;\n" msgstr "" "static void\n" "proc_setgroups_write(pid_t child_pid, char *str)\n" "{\n" " char setgroups_path[PATH_MAX];\n" " int fd;\n" #. 
type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n" " (intmax_t) child_pid);\n" msgstr "" " snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n" " (intmax_t) child_pid);\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " fd = open(setgroups_path, O_RDWR);\n" " if (fd == -1) {\n" msgstr "" " fd = open(setgroups_path, O_RDWR);\n" " if (fd == -1) {\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, fuzzy, no-wrap #| msgid "" #| " /* We may be on a system that doesn\\(aqt support\n" #| " /proc/PID/setgroups. In that case, the file won\\(aqt exist,\n" #| " and the system won\\(aqt impose the restrictions that Linux 3.19\n" #| " added. That\\(aqs fine: we don\\(aqt need to do anything in order\n" #| " to permit \\(aqgid_map\\(aq to be updated.\n" msgid "" " /* We may be on a system that doesn\\[aq]t support\n" " /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n" " and the system won\\[aq]t impose the restrictions that Linux 3.19\n" " added. That\\[aq]s fine: we don\\[aq]t need to do anything in order\n" " to permit \\[aq]gid_map\\[aq] to be updated.\n" msgstr "" " /* Система может не поддерживать\n" " /proc/PID/setgroups. В этом случае файл не существует,\n" " и система не закладывает ограничений, добавленных в Linux 3.19.\n" " Хорошо, нам не нужно ничего делать, чтобы разрешить\n" " обновлять \\(aqgid_map\\(aq.\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " However, if the error from open() was something other than\n" " the ENOENT error that is expected for that case, let the\n" " user know. */\n" msgstr "" " Однако, если ошибка open() отличается от\n" " ENOENT, сообщим об этом пользователю. */\n" #. 
type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (errno != ENOENT)\n" " fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n" " strerror(errno));\n" " return;\n" " }\n" msgstr "" " if (errno != ENOENT)\n" " fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n" " strerror(errno));\n" " return;\n" " }\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (write(fd, str, strlen(str)) == -1)\n" " fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n" " strerror(errno));\n" msgstr "" " if (write(fd, str, strlen(str)) == -1)\n" " fprintf(stderr, \"ОШИБКА: write %s: %s\\en\", setgroups_path,\n" " strerror(errno));\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "static int /* Start function for cloned child */\n" "childFunc(void *arg)\n" "{\n" " struct child_args *args = arg;\n" " char ch;\n" msgstr "" "static int /* Начальная функция клонированного потомка */\n" "childFunc(void *arg)\n" "{\n" " struct child_args *args = arg;\n" " char ch;\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " /* Wait until the parent has updated the UID and GID mappings.\n" " See the comment in main(). We wait for end of file on a\n" " pipe that will be closed by the parent process once it has\n" " updated the mappings. */\n" msgstr "" " /* Ждём пока родитель обновит отображения UID и GID.\n" " Смотрите комментарий в main(). Мы ждём конца файла в канале,\n" " который будет закрыт родительским процессом после обновления\n" " отображений. */\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " close(args-Epipe_fd[1]); /* Close our descriptor for the write\n" " end of the pipe so that we see EOF\n" " when parent closes its descriptor. 
*/\n" " if (read(args-Epipe_fd[0], &ch, 1) != 0) {\n" " fprintf(stderr,\n" " \"Failure in child: read from pipe returned != 0\\en\");\n" " exit(EXIT_FAILURE);\n" " }\n" msgstr "" " close(args-Epipe_fd[1]); /* закрываем наш дескриптор записывающего\n" " конца канала, чтобы мы увидели EOF,\n" " когда родитель закроет свой\n" " дескриптор */\n" " if (read(args-Epipe_fd[0], &ch, 1) != 0) {\n" " fprintf(stderr,\n" " \"Ошибка в потомке: при чтении из канала получен != 0\\en\");\n" " exit(EXIT_FAILURE);\n" " }\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " close(args-Epipe_fd[0]);\n" msgstr " close(args-Epipe_fd[0]);\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* Execute a shell command. */\n" msgstr " /* Выполняем команду оболочки. */\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " printf(\"About to exec %s\\en\", args-Eargv[0]);\n" " execvp(args-Eargv[0], args-Eargv);\n" " err(EXIT_FAILURE, \"execvp\");\n" "}\n" msgstr "" " printf(\"About to exec %s\\en\", args-Eargv[0]);\n" " execvp(args-Eargv[0], args-Eargv);\n" " err(EXIT_FAILURE, \"execvp\");\n" "}\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "#define STACK_SIZE (1024 * 1024)\n" msgstr "#define STACK_SIZE (1024 * 1024)\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, fuzzy, no-wrap #| msgid "static char child_stack[STACK_SIZE]; /* Space for child\\(aqs stack */\n" msgid "static char child_stack[STACK_SIZE]; /* Space for child\\[aq]s stack */\n" msgstr "static char child_stack[STACK_SIZE]; /* место под стек потомка */\n" #. 
type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "int\n" "main(int argc, char *argv[])\n" "{\n" " int flags, opt, map_zero;\n" " pid_t child_pid;\n" " struct child_args args;\n" " char *uid_map, *gid_map;\n" " const int MAP_BUF_SIZE = 100;\n" " char map_buf[MAP_BUF_SIZE];\n" " char map_path[PATH_MAX];\n" msgstr "" "int\n" "main(int argc, char *argv[])\n" "{\n" " int flags, opt, map_zero;\n" " pid_t child_pid;\n" " struct child_args args;\n" " char *uid_map, *gid_map;\n" " const int MAP_BUF_SIZE = 100;\n" " char map_buf[MAP_BUF_SIZE];\n" " char map_path[PATH_MAX];\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, fuzzy, no-wrap #| msgid "" #| " /* Parse command-line options. The initial \\(aq+\\(aq character in\n" #| " the final getopt() argument prevents GNU-style permutation\n" #| " of command-line options. That\\(aqs useful, since sometimes\n" #| " the \\(aqcommand\\(aq to be executed by this program itself\n" #| " has command-line options. We don\\(aqt want getopt() to treat\n" #| " those as options to this program. */\n" msgid "" " /* Parse command-line options. The initial \\[aq]+\\[aq] character in\n" " the final getopt() argument prevents GNU-style permutation\n" " of command-line options. That\\[aq]s useful, since sometimes\n" " the \\[aq]command\\[aq] to be executed by this program itself\n" " has command-line options. We don\\[aq]t want getopt() to treat\n" " those as options to this program. */\n" msgstr "" " /* Разбираем параметры командной строки. Начальный символ «+» в\n" " последнем аргументе getopt() предотвращает перестановку параметров\n" " командной строки в стиле GNU. Это полезно, так как иногда\n" " «команда», выполняемая этой программой, сама имеет параметры\n" " командной строки. Мы не хотим, чтобы getopt() считала их\n" " параметрами нашей программы. */\n" #. 
type: Plain text #: debian-bookworm opensuse-leap-15-6 #, fuzzy, no-wrap #| msgid "" #| " flags = 0;\n" #| " verbose = 0;\n" #| " gid_map = NULL;\n" #| " uid_map = NULL;\n" #| " map_zero = 0;\n" #| " while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n" #| " switch (opt) {\n" #| " case \\(aqi\\(aq: flags |= CLONE_NEWIPC; break;\n" #| " case \\(aqm\\(aq: flags |= CLONE_NEWNS; break;\n" #| " case \\(aqn\\(aq: flags |= CLONE_NEWNET; break;\n" #| " case \\(aqp\\(aq: flags |= CLONE_NEWPID; break;\n" #| " case \\(aqu\\(aq: flags |= CLONE_NEWUTS; break;\n" #| " case \\(aqv\\(aq: verbose = 1; break;\n" #| " case \\(aqz\\(aq: map_zero = 1; break;\n" #| " case \\(aqM\\(aq: uid_map = optarg; break;\n" #| " case \\(aqG\\(aq: gid_map = optarg; break;\n" #| " case \\(aqU\\(aq: flags |= CLONE_NEWUSER; break;\n" #| " default: usage(argv[0]);\n" #| " }\n" #| " }\n" msgid "" " flags = 0;\n" " verbose = 0;\n" " gid_map = NULL;\n" " uid_map = NULL;\n" " map_zero = 0;\n" " while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n" " switch (opt) {\n" " case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC; break;\n" " case \\[aq]m\\[aq]: flags |= CLONE_NEWNS; break;\n" " case \\[aq]n\\[aq]: flags |= CLONE_NEWNET; break;\n" " case \\[aq]p\\[aq]: flags |= CLONE_NEWPID; break;\n" " case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS; break;\n" " case \\[aq]v\\[aq]: verbose = 1; break;\n" " case \\[aq]z\\[aq]: map_zero = 1; break;\n" " case \\[aq]M\\[aq]: uid_map = optarg; break;\n" " case \\[aq]G\\[aq]: gid_map = optarg; break;\n" " case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER; break;\n" " default: usage(argv[0]);\n" " }\n" " }\n" msgstr "" " flags = 0;\n" " verbose = 0;\n" " gid_map = NULL;\n" " uid_map = NULL;\n" " map_zero = 0;\n" " while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n" " switch (opt) {\n" " case \\(aqi\\(aq: flags |= CLONE_NEWIPC; break;\n" " case \\(aqm\\(aq: flags |= CLONE_NEWNS; break;\n" " case \\(aqn\\(aq: flags |= CLONE_NEWNET; break;\n" " case \\(aqp\\(aq: 
flags |= CLONE_NEWPID; break;\n" " case \\(aqu\\(aq: flags |= CLONE_NEWUTS; break;\n" " case \\(aqv\\(aq: verbose = 1; break;\n" " case \\(aqz\\(aq: map_zero = 1; break;\n" " case \\(aqM\\(aq: uid_map = optarg; break;\n" " case \\(aqG\\(aq: gid_map = optarg; break;\n" " case \\(aqU\\(aq: flags |= CLONE_NEWUSER; break;\n" " default: usage(argv[0]);\n" " }\n" " }\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* -M or -G without -U is nonsensical */\n" msgstr " /* -M или -G без -U не имеют смысла */\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n" " !(flags & CLONE_NEWUSER)) ||\n" " (map_zero && (uid_map != NULL || gid_map != NULL)))\n" " usage(argv[0]);\n" msgstr "" " if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n" " !(flags & CLONE_NEWUSER)) ||\n" " (map_zero && (uid_map != NULL || gid_map != NULL)))\n" " usage(argv[0]);\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " args.argv = &argv[optind];\n" msgstr " args.argv = &argv[optind];\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, fuzzy, no-wrap #| msgid "" #| " /* We use a pipe to synchronize the parent and child, in order to\n" #| " ensure that the parent sets the UID and GID maps before the child\n" #| " calls execve(). This ensures that the child maintains its\n" #| " capabilities during the execve() in the common case where we\n" #| " want to map the child\\(aqs effective user ID to 0 in the new user\n" #| " namespace. Without this synchronization, the child would lose\n" #| " its capabilities if it performed an execve() with nonzero\n" #| " user IDs (see the capabilities(7) man page for details of the\n" #| " transformation of a process\\(aqs capabilities during execve()). 
*/\n" msgid "" " /* We use a pipe to synchronize the parent and child, in order to\n" " ensure that the parent sets the UID and GID maps before the child\n" " calls execve(). This ensures that the child maintains its\n" " capabilities during the execve() in the common case where we\n" " want to map the child\\[aq]s effective user ID to 0 in the new user\n" " namespace. Without this synchronization, the child would lose\n" " its capabilities if it performed an execve() with nonzero\n" " user IDs (see the capabilities(7) man page for details of the\n" " transformation of a process\\[aq]s capabilities during execve()). */\n" msgstr "" " /* Мы используем канал для синхронизации родителя и потомка, чтобы\n" " родитель настроил отображения UID и GID до того, как потомок\n" " вызовет execve(). Это гарантирует, что потомок сохранит свои\n" " мандаты при execve() в типичном случае, когда мы хотим отобразить\n" " эффективный пользовательский ID потомка в 0 в новом пользовательском\n" " пространстве имён. Без этой синхронизации потомок потерял\n" " бы свои мандаты при вызове execve() с ненулевыми пользовательскими\n" " ID (смотрите в справочной странице capabilities(7) подробности\n" " преобразования мандатов процесса при execve()). */\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (pipe(args.pipe_fd) == -1)\n" " err(EXIT_FAILURE, \"pipe\");\n" msgstr "" " if (pipe(args.pipe_fd) == -1)\n" " err(EXIT_FAILURE, \"pipe\");\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* Create the child in new namespace(s). */\n" msgstr " /* создаём потомка в новых пространствах имён */\n" #. 
type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " child_pid = clone(childFunc, child_stack + STACK_SIZE,\n" " flags | SIGCHLD, &args);\n" " if (child_pid == -1)\n" " err(EXIT_FAILURE, \"clone\");\n" msgstr "" " child_pid = clone(childFunc, child_stack + STACK_SIZE,\n" " flags | SIGCHLD, &args);\n" " if (child_pid == -1)\n" " err(EXIT_FAILURE, \"clone\");\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* Parent falls through to here. */\n" msgstr " /* предок попадает сюда. */\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (verbose)\n" " printf(\"%s: PID of child created by clone() is %jd\\en\",\n" " argv[0], (intmax_t) child_pid);\n" msgstr "" " if (verbose)\n" " printf(\"%s: PID потомка, созданного clone(): %jd\\en\",\n" " argv[0], (intmax_t) child_pid);\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* Update the UID and GID maps in the child. */\n" msgstr " /* обновляем отображения UID и GID в потомке */\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (uid_map != NULL || map_zero) {\n" " snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n" " (intmax_t) child_pid);\n" " if (map_zero) {\n" " snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n" " (intmax_t) getuid());\n" " uid_map = map_buf;\n" " }\n" " update_map(uid_map, map_path);\n" " }\n" msgstr "" " if (uid_map != NULL || map_zero) {\n" " snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n" " (intmax_t) child_pid);\n" " if (map_zero) {\n" " snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n" " (intmax_t) getuid());\n" " uid_map = map_buf;\n" " }\n" " update_map(uid_map, map_path);\n" " }\n" #. 
type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (gid_map != NULL || map_zero) {\n" " proc_setgroups_write(child_pid, \"deny\");\n" msgstr "" " if (gid_map != NULL || map_zero) {\n" " proc_setgroups_write(child_pid, \"deny\");\n" # NOTE (review): the next entry's upstream msgid formats an intmax_t with "%ld" ("0 %ld 1", (intmax_t) getgid()), while the matching uid_map entry uses "%jd"; a format/argument type mismatch is undefined behaviour in C, so the fix ("%jd") belongs in the upstream man-page source and the msgstr should keep mirroring the msgid until then. #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n" " (intmax_t) child_pid);\n" " if (map_zero) {\n" " snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n" " (intmax_t) getgid());\n" " gid_map = map_buf;\n" " }\n" " update_map(gid_map, map_path);\n" " }\n" msgstr "" " snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n" " (intmax_t) child_pid);\n" " if (map_zero) {\n" " snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n" " (intmax_t) getgid());\n" " gid_map = map_buf;\n" " }\n" " update_map(gid_map, map_path);\n" " }\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " /* Close the write end of the pipe, to signal to the child that we\n" " have updated the UID and GID maps. */\n" msgstr "" " /* закрываем конец канала на стороне записи для сообщения потомку\n" " о том, что мы обновили отображения UID и GID */\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " close(args.pipe_fd[1]);\n" msgstr " close(args.pipe_fd[1]);\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (waitpid(child_pid, NULL, 0) == -1) /* Wait for child */\n" " err(EXIT_FAILURE, \"waitpid\");\n" msgstr "" " if (waitpid(child_pid, NULL, 0) == -1) /* ждём потомка */\n" " err(EXIT_FAILURE, \"waitpid\");\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (verbose)\n" " printf(\"%s: terminating\\en\", argv[0]);\n" msgstr "" " if (verbose)\n" " printf(\"%s: завершение\\en\", argv[0]);\n" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " exit(EXIT_SUCCESS);\n" "}\n" msgstr "" " exit(EXIT_SUCCESS);\n" "}\n" #. 
type: TH #: debian-unstable opensuse-tumbleweed #, no-wrap msgid "2023-05-03" msgstr "3 мая 2023 г." #. type: TH #: debian-unstable opensuse-tumbleweed #, no-wrap msgid "Linux man-pages 6.05.01" msgstr "Linux man-pages 6.05.01" #. type: TH #: opensuse-leap-15-6 #, no-wrap msgid "2023-04-01" msgstr "1 апреля 2023 г." #. type: TH #: opensuse-leap-15-6 #, no-wrap msgid "Linux man-pages 6.04" msgstr "Linux man-pages 6.04"
