# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Free Software Foundation, Inc. # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2024-03-01 17:13+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: TH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "user_namespaces" msgstr "" #. type: TH #: archlinux fedora-40 fedora-rawhide mageia-cauldron #, no-wrap msgid "2023-10-31" msgstr "" #. type: TH #: archlinux fedora-40 fedora-rawhide mageia-cauldron #, no-wrap msgid "Linux man-pages 6.06" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "NAME" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "user_namespaces - overview of Linux user namespaces" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "DESCRIPTION" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "For an overview of namespaces, see B(7)." msgstr "" # #. FIXME: This page says very little about the interaction #. of user namespaces and keys. Add something on this topic. #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "User namespaces isolate security-related identifiers and attributes, in " "particular, user IDs and group IDs (see B(7)), the root " "directory, keys (see B(7)), and capabilities (see " "B(7)). A process's user and group IDs can be different inside " "and outside a user namespace. In particular, a process can have a normal " "unprivileged user ID outside a user namespace while at the same time having " "a user ID of 0 inside the namespace; in other words, the process has full " "privileges for operations inside the user namespace, but is unprivileged for " "operations outside the namespace." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Nested namespaces, namespace membership" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "User namespaces can be nested; that is, each user namespace\\[em]except the " "initial (\"root\") namespace\\[em]has a parent user namespace, and can have " "zero or more child user namespaces. The parent user namespace is the user " "namespace of the process that creates the user namespace via a call to " "B(2) or B(2) with the B flag." msgstr "" #. commit 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 #. FIXME Explain the rationale for this limit. (What is the rationale?) #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The kernel imposes (since Linux 3.11) a limit of 32 nested levels of user " "namespaces. Calls to B(2) or B(2) that would cause this " "limit to be exceeded fail with the error B." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Each process is a member of exactly one user namespace. A process created " "via B(2) or B(2) without the B flag is a " "member of the same user namespace as its parent. A single-threaded process " "can join another user namespace with B(2) if it has the " "B in that namespace; upon doing so, it gains a full set of " "capabilities in that namespace." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A call to B(2) or B(2) with the B flag " "makes the new child process (for B(2)) or the caller (for " "B(2)) a member of the new user namespace created by the call." msgstr "" # #-#-#-#-# debian-bookworm: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# # #. #-#-#-#-# archlinux: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# debian-bookworm: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. ============================================================ #. type: Plain text #. #-#-#-#-# debian-unstable: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# fedora-40: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# fedora-rawhide: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# mageia-cauldron: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# opensuse-leap-15-6: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #. #-#-#-#-# opensuse-tumbleweed: user_namespaces.7.pot (PACKAGE VERSION) #-#-#-#-# #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The B B(2) operation can be used to discover the " "parental relationship between user namespaces; see B(2)." msgstr "" # #. ============================================================ #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A task that changes one of its effective IDs will have its dumpability reset " "to the value in I. This may affect the " "ownership of proc files of child processes and may thus cause the parent to " "lack the permissions to write to mapping files of child processes running in " "a new user namespace. In such cases making the parent process dumpable, " "using B in a call to B(2), before creating a child " "process in a new user namespace may rectify this problem. See B(2) " "and B(5) for details on how ownership is affected." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Capabilities" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The child process created by B(2) with the B flag " "starts out with a complete set of capabilities in the new user namespace. " "Likewise, a process that creates a new user namespace using B(2) " "or joins an existing user namespace using B(2) gains a full set of " "capabilities in that namespace. On the other hand, that process has no " "capabilities in the parent (in the case of B(2)) or previous (in the " "case of B(2) and B(2)) user namespace, even if the new " "namespace is created or joined by the root user (i.e., a process with user " "ID 0 in the root namespace)." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that a call to B(2) will cause a process's capabilities to be " "recalculated in the usual way (see B(7)). Consequently, " "unless the process has a user ID of 0 within the namespace, or the " "executable file has a nonempty inheritable capabilities mask, the process " "will lose all capabilities. See the discussion of user and group ID " "mappings, below." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A call to B(2) or B(2) using the B flag or " "a call to B(2) that moves the caller into another user namespace " "sets the \"securebits\" flags (see B(7)) to their default " "values (all flags disabled) in the child (for B(2)) or caller (for " "B(2) or B(2)). Note that because the caller no longer has " "capabilities in its original user namespace after a call to B(2), it " "is not possible for a process to reset its \"securebits\" flags while " "retaining its user namespace membership by using a pair of B(2) " "calls to move to another user namespace and then return to its original user " "namespace." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The rules for determining whether or not a process has a capability in a " "particular user namespace are as follows:" msgstr "" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "\\[bu]" msgstr "" #. In the 3.8 sources, see security/commoncap.c::cap_capable(): #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A process has a capability inside a user namespace if it is a member of that " "namespace and it has the capability in its effective capability set. A " "process can gain capabilities in its effective capability set in various " "ways. For example, it may execute a set-user-ID program or an executable " "with associated file capabilities. In addition, a process may gain " "capabilities via the effect of B(2), B(2), or B(2), " "as already described." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If a process has a capability in a user namespace, then it has that " "capability in all child (and further removed descendant) namespaces as well." msgstr "" # #. * The owner of the user namespace in the parent of the #. * user namespace has all caps. #. (and likewise associates the effective group ID of the creating process #. with the namespace). #. See kernel commit 520d9eabce18edfef76a60b7b839d54facafe1f9 for a fix #. on this point #. This includes the case where the process executes a set-user-ID #. program that confers the effective UID of the creator of the namespace. #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a user namespace is created, the kernel records the effective user ID " "of the creating process as being the \"owner\" of the namespace. A process " "that resides in the parent of the user namespace and whose effective user ID " "matches the owner of the namespace has all capabilities in the namespace. " "By virtue of the previous rule, this means that the process has all " "capabilities in all further removed descendant user namespaces as well. The " "B B(2) operation can be used to discover the user " "ID of the owner of the namespace; see B(2)." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Effect of capabilities within a user namespace" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Having a capability inside a user namespace permits a process to perform " "operations (that require privilege) only on resources governed by that " "namespace. In other words, having a capability in a user namespace permits " "a process to perform privileged operations on resources that are governed by " "(nonuser) namespaces owned by (associated with) the user namespace (see the " "next subsection)." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "On the other hand, there are many privileged operations that affect " "resources that are not associated with any namespace type, for example, " "changing the system (i.e., calendar) time (governed by B), " "loading a kernel module (governed by B), and creating a " "device (governed by B). Only a process with privileges in the " "I user namespace can perform such operations." msgstr "" #. fs_flags = FS_USERNS_MOUNT in kernel sources #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Holding B within the user namespace that owns a process's " "mount namespace allows that process to create bind mounts and mount the " "following types of filesystems:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 3.8)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 3.8)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 3.9)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "B(5) (since Linux 3.9)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 3.9)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 3.9)" msgstr "" #. commit b2197755b2633e164a439682fb05a9b5ea48f706 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 4.4)" msgstr "" #. commit 92dbc9dedccb9759c7f9f2f0ae6242396376988f #. commit 4cb2c00c43b3fe88b32f29df4f76da1b92c33224 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I (since Linux 5.11)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Holding B within the user namespace that owns a process's " "cgroup namespace allows (since Linux 4.6) that process to the mount the " "cgroup version 2 filesystem and cgroup version 1 named hierarchies (i.e., " "cgroup filesystems mounted with the I<\"none,name=\"> option)." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Holding B within the user namespace that owns a process's PID " "namespace allows (since Linux 3.8) that process to mount I " "filesystems." msgstr "" # #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note, however, that mounting block-based filesystems can be done only by a " "process that holds B in the initial user namespace." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Interaction of user namespaces and other types of namespaces" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Starting in Linux 3.8, unprivileged processes can create user namespaces, " "and the other types of namespaces can be created with just the " "B capability in the caller's user namespace." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a nonuser namespace is created, it is owned by the user namespace in " "which the creating process was a member at the time of the creation of the " "namespace. Privileged operations on resources governed by the nonuser " "namespace require that the process has the necessary capabilities in the " "user namespace that owns the nonuser namespace." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If B is specified along with other B flags in a " "single B(2) or B(2) call, the user namespace is guaranteed " "to be created first, giving the child (B(2)) or caller " "(B(2)) privileges over the remaining namespaces created by the " "call. Thus, it is possible for an unprivileged caller to specify this " "combination of flags." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a new namespace (other than a user namespace) is created via " "B(2) or B(2), the kernel records the user namespace of the " "creating process as the owner of the new namespace. (This association can't " "be changed.) When a process in the new namespace subsequently performs " "privileged operations that operate on global resources isolated by the " "namespace, the permission checks are performed according to the process's " "capabilities in the user namespace that the kernel associated with the new " "namespace. For example, suppose that a process attempts to change the " "hostname (B(2)), a resource governed by the UTS namespace. In " "this case, the kernel will determine which user namespace owns the process's " "UTS namespace, and check whether the process has the required capability " "(B) in that user namespace." msgstr "" # #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The B B(2) operation can be used to discover the user " "namespace that owns a nonuser namespace; see B(2)." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "User and group ID mappings: uid_map and gid_map" msgstr "" #. commit 22d917d80e842829d0ca0a561967d728eb1d6303 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a user namespace is created, it starts out without a mapping of user " "IDs (group IDs) to the parent user namespace. The IpidI " "and IpidI files (available since Linux 3.5) expose the " "mappings for user and group IDs inside the user namespace for the process " "I. These files can be read to view the mappings in a user namespace " "and written to (once) to define the mappings." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The description in the following paragraphs explains the details for " "I; I is exactly the same, but each instance of \"user ID\" " "is replaced by \"group ID\"." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The I file exposes the mapping of user IDs from the user namespace " "of the process I to the user namespace of the process that opened " "I (but see a qualification to this point below). In other words, " "processes that are in different user namespaces will potentially see " "different values when reading from a particular I file, depending " "on the user ID mappings for the user namespaces of the reading processes." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Each line in the I file specifies a 1-to-1 mapping of a range of " "contiguous user IDs between two user namespaces. (When a user namespace is " "first created, this file is empty.) The specification in each line takes " "the form of three numbers delimited by white space. The first two numbers " "specify the starting user ID in each of the two user namespaces. The third " "number specifies the length of the mapped range. In detail, the fields are " "interpreted as follows:" msgstr "" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "(1)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The start of the range of user IDs in the user namespace of the process " "I." msgstr "" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "(2)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The start of the range of user IDs to which the user IDs specified by field " "one map. How field two is interpreted depends on whether the process that " "opened I and the process I are in the same user namespace, as " "follows:" msgstr "" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "(a)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If the two processes are in different user namespaces: field two is the " "start of a range of user IDs in the user namespace of the process that " "opened I." msgstr "" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "(b)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If the two processes are in the same user namespace: field two is the start " "of the range of user IDs in the parent user namespace of the process " "I. This case enables the opener of I (the common case here is " "opening I) to see the mapping of user IDs into the user " "namespace of the process that created this user namespace." msgstr "" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "(3)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The length of the range of user IDs that is mapped between the two user " "namespaces." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "System calls that return user IDs (group IDs)\\[em]for example, " "B(2), B(2), and the credential fields in the structure " "returned by B(2)\\[em]return the user ID (group ID) mapped into the " "caller's user namespace." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a process accesses a file, its user and group IDs are mapped into the " "initial user namespace for the purpose of permission checking and assigning " "IDs when creating a file. When a process retrieves file user and group IDs " "via B(2), the IDs are mapped in the opposite direction, to produce " "values relative to the process user and group ID mappings." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The initial user namespace has no parent namespace, but, for consistency, " "the kernel provides dummy user and group ID mapping files for this " "namespace. Looking at the I file (I is the same) from a " "shell in the initial namespace shows:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "$ B\n" " 0 0 4294967295\n" msgstr "" # #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This mapping tells us that the range starting at user ID 0 in this namespace " "maps to a range starting at 0 in the (nonexistent) parent namespace, and the " "length of the range is the largest 32-bit unsigned integer. This leaves " "4294967295 (the 32-bit signed -1 value) unmapped. This is deliberate: " "I<(uid_t)\\~-1> is used in several interfaces (e.g., B(2)) as a " "way to specify \"no user ID\". Leaving I<(uid_t)\\~-1> unmapped and " "unusable guarantees that there will be no confusion when using these " "interfaces." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Defining user and group ID mappings: writing to uid_map and gid_map" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "After the creation of a new user namespace, the I file of I of " "the processes in the namespace may be written to I to define the " "mapping of user IDs in the new user namespace. An attempt to write more " "than once to a I file in a user namespace fails with the error " "B. Similar rules apply for I files." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The lines written to I (I) must conform to the following " "validity rules:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The three fields must be valid numbers, and the last field must be greater " "than 0." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Lines are terminated by newline characters." msgstr "" #. 5*12-byte records could fit in a 64B cache line #. commit 6397fac4915ab3002dc15aae751455da1a852f25 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "There is a limit on the number of lines in the file. In Linux 4.14 and " "earlier, this limit was (arbitrarily) set at 5 lines. Since Linux 4.15, " "the limit is 340 lines. In addition, the number of bytes written to the " "file must be less than the system page size, and the write must be performed " "at the start of the file (i.e., B(2) and B(2) can't be used " "to write to nonzero offsets in the file)." msgstr "" #. commit 0bd14b4fd72afd5df41e9fd59f356740f22fceba #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The range of user IDs (group IDs) specified in each line cannot overlap " "with the ranges in any other lines. In the initial implementation (Linux " "3.8), this requirement was satisfied by a simplistic implementation that " "imposed the further requirement that the values in both field 1 and field 2 " "of successive lines must be in ascending numerical order, which prevented " "some otherwise valid maps from being created. Linux 3.9 and later fix this " "limitation, allowing any valid set of nonoverlapping maps." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "At least one line must be written to the file." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Writes that violate the above rules fail with the error B." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In order for a process to write to the IpidI (IpidI) file, all of the following permission requirements must be " "met:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The writing process must have the B (B) capability " "in the user namespace of the process I." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The writing process must either be in the user namespace of the process " "I or be in the parent user namespace of the process I." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The mapped user IDs (group IDs) must in turn have a mapping in the parent " "user namespace." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If updating IpidI to create a mapping that maps UID 0 in " "the parent namespace, then one of the following must be true:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "if writing process is in the parent user namespace, then it must have the " "B capability in that user namespace; or" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "if the writing process is in the child user namespace, then the process that " "created the user namespace must have had the B capability when " "the namespace was created." msgstr "" #. commit db2e718a47984b9d71ed890eb2ea36ecf150de18 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This rule has been in place since Linux 5.12. It eliminates an earlier " "security bug whereby a UID 0 process that lacks the B " "capability, which is needed to create a binary with namespaced file " "capabilities (as described in B(7)), could nevertheless create " "such a binary, by the following steps:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Create a new user namespace with the identity mapping (i.e., UID 0 in the " "new user namespace maps to UID 0 in the parent namespace), so that UID 0 in " "both namespaces is equivalent to the same root user ID." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Since the child process has the B capability, it could create a " "binary with namespaced file capabilities that would then be effective in the " "parent user namespace (because the root user IDs are the same in the two " "namespaces)." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "One of the following two cases applies:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "I the writing process has the B (B) " "capability in the I user namespace." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "No further restrictions apply: the process can make mappings to arbitrary " "user IDs (group IDs) in the parent user namespace." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I otherwise all of the following restrictions apply:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The data written to I (I) must consist of a single line " "that maps the writing process's effective user ID (group ID) in the parent " "user namespace to a user ID (group ID) in the user namespace." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The writing process must have the same effective user ID as the process that " "created the user namespace." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In the case of I, use of the B(2) system call must " "first be denied by writing \\[dq]I\\[dq] to the IpidI file (see below) before writing to I." msgstr "" # #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Writes that violate the above rules fail with the error B." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Project ID mappings: projid_map" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Similarly to user and group ID mappings, it is possible to create project ID " "mappings for a user namespace. (Project IDs are used for disk quotas; see " "B(8) and B(2).)" msgstr "" #. commit f76d207a66c3a53defea67e7d36c3eb1b7d6d61d #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Project ID mappings are defined by writing to the IpidI " "file (present since Linux 3.7)." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The validity rules for writing to the IpidI file are as " "for writing to the I file; violation of these rules causes " "B(2) to fail with the error B." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The permission rules for writing to the IpidI file are " "as follows:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The mapped project IDs must in turn have a mapping in the parent user " "namespace." msgstr "" # #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Violation of these rules causes B(2) to fail with the error B." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Interaction with system calls that change process UIDs or GIDs" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In a user namespace where the I file has not been written, the " "system calls that change user IDs will fail. Similarly, if the I " "file has not been written, the system calls that change group IDs will " "fail. After the I and I files have been written, only the " "mapped values may be used in system calls that change user and group IDs." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "For user IDs, the relevant system calls include B(2), " "B(2), B(2), and B(2). For group IDs, the " "relevant system calls include B(2), B(2), B(2), " "B(2), and B(2)." msgstr "" # #. Things changed in Linux 3.19 #. commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8 #. commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272 #. http://lwn.net/Articles/626665/ #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Writing \\[dq]I\\[dq] to the IpidI file before " "writing to IpidI will permanently disable B(2) " "in a user namespace and allow writing to IpidI without " "having the B capability in the parent user namespace." msgstr "" #. type: SS #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "The IpidI file" msgstr "" # #. commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8 #. commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272 #. http://lwn.net/Articles/626665/ #. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8989 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The IpidI file displays the string \\[dq]I\\[dq] " "if processes in the user namespace that contains the process I are " "permitted to employ the B(2) system call; it displays " "\\[dq]I\\[dq] if B(2) is not permitted in that user " "namespace. Note that regardless of the value in the IpidI file (and regardless of the process's capabilities), calls to " "B(2) are also not permitted if IpidI has not " "yet been set." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A privileged process (one with the B capability in the " "namespace) may write either of the strings \\[dq]I\\[dq] or " "\\[dq]I\\[dq] to this file I writing a group ID mapping for " "this user namespace to the file IpidI. Writing the string " "\\[dq]I\\[dq] prevents any process in the user namespace from " "employing B(2)." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The essence of the restrictions described in the preceding paragraph is that " "it is permitted to write to IpidI only so long as " "calling B(2) is disallowed because IpidI has " "not been set. This ensures that a process cannot transition from a state " "where B(2) is allowed to a state where B(2) is " "denied; a process can transition only from B(2) being disallowed " "to B(2) being allowed." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The default value of this file in the initial user namespace is " "\\[dq]I\\[dq]." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Once IpidI has been written to (which has the effect of " "enabling B(2) in the user namespace), it is no longer possible " "to disallow B(2) by writing \\[dq]I\\[dq] to IpidI (the write fails with the error B)." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A child user namespace inherits the IpidI setting from " "its parent." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If the I file has the value \\[dq]I\\[dq], then the " "B(2) system call can't subsequently be reenabled (by writing " "\\[dq]I\\[dq] to the file) in this user namespace. (Attempts to do " "so fail with the error B.) This restriction also propagates down to " "all child user namespaces of this user namespace." msgstr "" # # # # #. /proc/PID/setgroups #. [allow == setgroups() is allowed, "deny" == setgroups() is disallowed] #. * Can write if have CAP_SYS_ADMIN in NS #. * Must write BEFORE writing to /proc/PID/gid_map #. setgroups() #. * Must already have written to gid_map #. * /proc/PID/setgroups must be "allow" #. /proc/PID/gid_map -- writing #. * Must already have written "deny" to /proc/PID/setgroups #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The IpidI file was added in Linux 3.19, but was " "backported to many earlier stable kernel series, because it addresses a " "security issue. The issue concerned files with permissions such as \"rwx---" "rwx\". Such files give fewer permissions to \"group\" than they do to " "\"other\". This means that dropping groups using B(2) might " "allow a process file access that it did not formerly have. Before the " "existence of user namespaces this was not a concern, since only a privileged " "process (one with the B capability) could call B(2). " "However, with the introduction of user namespaces, it became possible for an " "unprivileged process to create a new namespace in which the user had all " "privileges. This then allowed formerly unprivileged users to drop groups " "and thus gain file access that they did not previously have. The IpidI file was added to address this security issue, by denying " "any pathway for an unprivileged process to drop groups with B(2)." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Unmapped user and group IDs" msgstr "" #. from_kuid_munged(), from_kgid_munged() #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "There are various places where an unmapped user ID (group ID) may be " "exposed to user space. For example, the first process in a new user " "namespace may call B(2) before a user ID mapping has been defined " "for the namespace. In most such cases, an unmapped user ID is converted to " "the overflow user ID (group ID); the default value for the overflow user ID " "(group ID) is 65534. See the descriptions of I and I in B(5)." msgstr "" #. also SO_PEERCRED #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The cases where unmapped IDs are mapped in this fashion include system calls " "that return user IDs (B(2), B(2), and similar), credentials " "passed over a UNIX domain socket, credentials returned by B(2), " "B(2), and the System V IPC \"ctl\" B operations, " "credentials exposed by IpidI and the files in I, credentials returned via the I field in the I " "received with a signal (see B(2)), credentials written to the " "process accounting file (see B(5)), and credentials returned with " "POSIX message queue notifications (see B(3))." msgstr "" # #. from_kuid(), from_kgid() #. Also F_GETOWNER_UIDS is an exception #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "There is one notable case where unmapped user and group IDs are I " "converted to the corresponding overflow ID value. When viewing a I " "or I file in which there is no mapping for the second field, that " "field is displayed as 4294967295 (-1 as an unsigned integer)." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Accessing files" msgstr "" # #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In order to determine permissions when an unprivileged process accesses a " "file, the process credentials (UID, GID) and the file credentials are in " "effect mapped back to what they would be in the initial user namespace and " "then compared to determine the permissions that the process has on the " "file. The same is also true of other objects that employ the credentials " "plus permissions mask accessibility model, such as System V IPC objects." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Operation of file-related capabilities" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Certain capabilities allow a process to bypass various kernel-enforced " "restrictions when performing operations on files owned by other users or " "groups. These capabilities are: B, B, " "B, B, and B." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Within a user namespace, these capabilities allow a process to bypass the " "rules if the process has the relevant capability over the file, meaning that:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "the process has the relevant effective capability in its user namespace; and" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "the file's user ID and group ID both have valid mappings in the user " "namespace." msgstr "" # #. These are the checks performed by the kernel function #. inode_owner_or_capable(). There is one exception to the exception: #. overriding the directory sticky permission bit requires that #. the file has a valid mapping for both its UID and GID. #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The B capability is treated somewhat exceptionally: it allows a " "process to bypass the corresponding rules so long as at least the file's " "user ID has a mapping in the user namespace (i.e., the file's group ID does " "not need to have a valid mapping)." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Set-user-ID and set-group-ID programs" msgstr "" # #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a process inside a user namespace executes a set-user-ID (set-group-ID) " "program, the process's effective user (group) ID inside the namespace is " "changed to whatever value is mapped for the user (group) ID of the file. " "However, if either the user I the group ID of the file has no mapping " "inside the namespace, the set-user-ID (set-group-ID) bit is silently " "ignored: the new program is executed, but the process's effective user " "(group) ID is left unchanged. (This mirrors the semantics of executing a " "set-user-ID or set-group-ID program that resides on a filesystem that was " "mounted with the B flag, as described in B(2).)" msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Miscellaneous" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When a process's user and group IDs are passed over a UNIX domain socket to " "a process in a different user namespace (see the description of " "B in B(7)), they are translated into the " "corresponding values as per the receiving process's user and group ID " "mappings." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "STANDARDS" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "Linux." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "NOTES" msgstr "" # #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Over the years, there have been a lot of features that have been added to " "the Linux kernel that have been made available only to privileged users " "because of their potential to confuse set-user-ID-root applications. In " "general, it becomes safe to allow the root user in a user namespace to use " "those features because it is impossible, while in a user namespace, to gain " "more privilege than the root user of a user namespace has." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Global root" msgstr "" # #. ============================================================ #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The term \"global root\" is sometimes used as a shorthand for user ID 0 in " "the initial user namespace." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Availability" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Use of user namespaces requires a kernel that is configured with the " "B option. User namespaces require support in a range of " "subsystems across the kernel. When an unsupported subsystem is configured " "into the kernel, it is not possible to configure user namespaces support." msgstr "" #. commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "As at Linux 3.8, most relevant subsystems supported user namespaces, but a " "number of filesystems did not have the infrastructure needed to map user and " "group IDs between user namespaces. Linux 3.9 added the required " "infrastructure support for many of the remaining unsupported filesystems " "(Plan 9 (9P), Andrew File System (AFS), Ceph, CIFS, CODA, NFS, and OCFS2). " "Linux 3.12 added support for the last of the unsupported major filesystems, " "XFS." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "EXAMPLES" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The program below is designed to allow experimenting with user namespaces, " "as well as other types of namespaces. It creates namespaces as specified by " "command-line options and then executes a command inside those namespaces. " "The comments and I() function inside the program provide a full " "explanation of the program. The following shell session demonstrates its " "use." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "First, we look at the run-time environment:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "$ B # Need Linux 3.8 or later\n" "Linux 3.8.0\n" "$ B # Running as unprivileged user\n" "1000\n" "$ B\n" "1000\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Now start a new shell in new user (I<-U>), mount (I<-m>), and PID (I<-p>) " "namespaces, with user ID (I<-M>) and group ID (I<-G>) 1000 mapped to 0 " "inside the user namespace:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "$ B<./userns_child_exec -p -m -U -M \\[aq]0 1000 1\\[aq] -G \\[aq]0 1000 1\\[aq] bash>\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The shell has PID 1, because it is the first process in the new PID " "namespace:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "bash$ B\n" "1\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Mounting a new I filesystem and listing all of the processes visible " "in the new PID namespace shows that the shell can't see any processes " "outside the PID namespace:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "bash$ B\n" "bash$ B\n" " PID TTY STAT TIME COMMAND\n" " 1 pts/3 S 0:00 bash\n" " 22 pts/3 R+ 0:00 ps ax\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Inside the user namespace, the shell has user and group ID 0, and a full set " "of permitted and effective capabilities:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "bash$ B\n" "Uid:\t0\t0\t0\t0\n" "Gid:\t0\t0\t0\t0\n" "bash$ B\n" "CapInh:\t0000000000000000\n" "CapPrm:\t0000001fffffffff\n" "CapEff:\t0000001fffffffff\n" msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Program source" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed #, no-wrap msgid "" "/* userns_child_exec.c\n" "\\&\n" " Licensed under GNU General Public License v2 or later\n" "\\&\n" " Create a child process that executes a shell command in new\n" " namespace(s); allow UID and GID mappings to be specified when\n" " creating a user namespace.\n" "*/\n" "#define _GNU_SOURCE\n" "#include Eerr.hE\n" "#include Esched.hE\n" "#include Eunistd.hE\n" "#include Estdint.hE\n" "#include Estdlib.hE\n" "#include Esys/wait.hE\n" "#include Esignal.hE\n" "#include Efcntl.hE\n" "#include Estdio.hE\n" "#include Estring.hE\n" "#include Elimits.hE\n" "#include Eerrno.hE\n" "\\&\n" "struct child_args {\n" " char **argv; /* Command to be executed by child, with args */\n" " int pipe_fd[2]; /* Pipe used to synchronize parent and child */\n" "};\n" "\\&\n" "static int verbose;\n" "\\&\n" "static void\n" "usage(char *pname)\n" "{\n" " fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n" " fprintf(stderr, \"Create a child process that executes a shell \"\n" " \"command in a new user namespace,\\en\"\n" " \"and possibly also other new namespace(s).\\en\\en\");\n" " fprintf(stderr, \"Options can be:\\en\\en\");\n" "#define fpe(str) fprintf(stderr, \" %s\", str);\n" " fpe(\"-i New IPC namespace\\en\");\n" " fpe(\"-m New mount namespace\\en\");\n" " fpe(\"-n New network namespace\\en\");\n" " fpe(\"-p New PID namespace\\en\");\n" " fpe(\"-u New UTS namespace\\en\");\n" " fpe(\"-U New user namespace\\en\");\n" " fpe(\"-M uid_map Specify UID map for user namespace\\en\");\n" " fpe(\"-G gid_map Specify GID map for user namespace\\en\");\n" " fpe(\"-z Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n" " fpe(\" (equivalent to: -M \\[aq]0 EuidE 1\\[aq] -G \\[aq]0 EgidE 1\\[aq])\\en\");\n" " fpe(\"-v Display verbose messages\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n" " fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n" " fpe(\"\\en\");\n" " fpe(\" ID-inside-ns ID-outside-ns len\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"A map string can contain multiple records, separated\"\n" " \" by commas;\\en\");\n" " fpe(\"the commas are replaced by newlines before writing\"\n" " \" to map files.\\en\");\n" "\\&\n" " exit(EXIT_FAILURE);\n" "}\n" "\\&\n" "/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n" " \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n" " GID mapping consists of one or more newline-delimited records\n" " of the form:\n" "\\&\n" " ID_inside-ns ID-outside-ns length\n" "\\&\n" " Requiring the user to supply a string that contains newlines is\n" " of course inconvenient for command-line use. Thus, we permit the\n" " use of commas to delimit records in this string, and replace them\n" " with newlines before writing the string to the file. */\n" "\\&\n" "static void\n" "update_map(char *mapping, char *map_file)\n" "{\n" " int fd;\n" " size_t map_len; /* Length of \\[aq]mapping\\[aq] */\n" "\\&\n" " /* Replace commas in mapping string with newlines. */\n" "\\&\n" " map_len = strlen(mapping);\n" " for (size_t j = 0; j E map_len; j++)\n" " if (mapping[j] == \\[aq],\\[aq])\n" " mapping[j] = \\[aq]\\en\\[aq];\n" "\\&\n" " fd = open(map_file, O_RDWR);\n" " if (fd == -1) {\n" " fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n" " strerror(errno));\n" " exit(EXIT_FAILURE);\n" " }\n" "\\&\n" " if (write(fd, mapping, map_len) != map_len) {\n" " fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n" " strerror(errno));\n" " exit(EXIT_FAILURE);\n" " }\n" "\\&\n" " close(fd);\n" "}\n" "\\&\n" "/* Linux 3.19 made a change in the handling of setgroups(2) and\n" " the \\[aq]gid_map\\[aq] file to address a security issue. The issue\n" " allowed *unprivileged* users to employ user namespaces in\n" " order to drop groups. The upshot of the 3.19 changes is that\n" " in order to update the \\[aq]gid_maps\\[aq] file, use of the setgroups()\n" " system call in this user namespace must first be disabled by\n" " writing \"deny\" to one of the /proc/PID/setgroups files for\n" " this namespace. That is the purpose of the following function. */\n" "\\&\n" "static void\n" "proc_setgroups_write(pid_t child_pid, char *str)\n" "{\n" " char setgroups_path[PATH_MAX];\n" " int fd;\n" "\\&\n" " snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n" " (intmax_t) child_pid);\n" "\\&\n" " fd = open(setgroups_path, O_RDWR);\n" " if (fd == -1) {\n" "\\&\n" " /* We may be on a system that doesn\\[aq]t support\n" " /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n" " and the system won\\[aq]t impose the restrictions that Linux 3.19\n" " added. That\\[aq]s fine: we don\\[aq]t need to do anything in order\n" " to permit \\[aq]gid_map\\[aq] to be updated.\n" "\\&\n" " However, if the error from open() was something other than\n" " the ENOENT error that is expected for that case, let the\n" " user know. */\n" "\\&\n" " if (errno != ENOENT)\n" " fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n" " strerror(errno));\n" " return;\n" " }\n" "\\&\n" " if (write(fd, str, strlen(str)) == -1)\n" " fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n" " strerror(errno));\n" "\\&\n" " close(fd);\n" "}\n" "\\&\n" "static int /* Start function for cloned child */\n" "childFunc(void *arg)\n" "{\n" " struct child_args *args = arg;\n" " char ch;\n" "\\&\n" " /* Wait until the parent has updated the UID and GID mappings.\n" " See the comment in main(). We wait for end of file on a\n" " pipe that will be closed by the parent process once it has\n" " updated the mappings. */\n" "\\&\n" " close(args-Epipe_fd[1]); /* Close our descriptor for the write\n" " end of the pipe so that we see EOF\n" " when parent closes its descriptor. */\n" " if (read(args-Epipe_fd[0], &ch, 1) != 0) {\n" " fprintf(stderr,\n" " \"Failure in child: read from pipe returned != 0\\en\");\n" " exit(EXIT_FAILURE);\n" " }\n" "\\&\n" " close(args-Epipe_fd[0]);\n" "\\&\n" " /* Execute a shell command. */\n" "\\&\n" " printf(\"About to exec %s\\en\", args-Eargv[0]);\n" " execvp(args-Eargv[0], args-Eargv);\n" " err(EXIT_FAILURE, \"execvp\");\n" "}\n" "\\&\n" "#define STACK_SIZE (1024 * 1024)\n" "\\&\n" "static char child_stack[STACK_SIZE]; /* Space for child\\[aq]s stack */\n" "\\&\n" "int\n" "main(int argc, char *argv[])\n" "{\n" " int flags, opt, map_zero;\n" " pid_t child_pid;\n" " struct child_args args;\n" " char *uid_map, *gid_map;\n" " const int MAP_BUF_SIZE = 100;\n" " char map_buf[MAP_BUF_SIZE];\n" " char map_path[PATH_MAX];\n" "\\&\n" " /* Parse command-line options. The initial \\[aq]+\\[aq] character in\n" " the final getopt() argument prevents GNU-style permutation\n" " of command-line options. That\\[aq]s useful, since sometimes\n" " the \\[aq]command\\[aq] to be executed by this program itself\n" " has command-line options. We don\\[aq]t want getopt() to treat\n" " those as options to this program. */\n" "\\&\n" " flags = 0;\n" " verbose = 0;\n" " gid_map = NULL;\n" " uid_map = NULL;\n" " map_zero = 0;\n" " while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n" " switch (opt) {\n" " case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC; break;\n" " case \\[aq]m\\[aq]: flags |= CLONE_NEWNS; break;\n" " case \\[aq]n\\[aq]: flags |= CLONE_NEWNET; break;\n" " case \\[aq]p\\[aq]: flags |= CLONE_NEWPID; break;\n" " case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS; break;\n" " case \\[aq]v\\[aq]: verbose = 1; break;\n" " case \\[aq]z\\[aq]: map_zero = 1; break;\n" " case \\[aq]M\\[aq]: uid_map = optarg; break;\n" " case \\[aq]G\\[aq]: gid_map = optarg; break;\n" " case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER; break;\n" " default: usage(argv[0]);\n" " }\n" " }\n" "\\&\n" " /* -M or -G without -U is nonsensical */\n" "\\&\n" " if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n" " !(flags & CLONE_NEWUSER)) ||\n" " (map_zero && (uid_map != NULL || gid_map != NULL)))\n" " usage(argv[0]);\n" "\\&\n" " args.argv = &argv[optind];\n" "\\&\n" " /* We use a pipe to synchronize the parent and child, in order to\n" " ensure that the parent sets the UID and GID maps before the child\n" " calls execve(). This ensures that the child maintains its\n" " capabilities during the execve() in the common case where we\n" " want to map the child\\[aq]s effective user ID to 0 in the new user\n" " namespace. Without this synchronization, the child would lose\n" " its capabilities if it performed an execve() with nonzero\n" " user IDs (see the capabilities(7) man page for details of the\n" " transformation of a process\\[aq]s capabilities during execve()). */\n" "\\&\n" " if (pipe(args.pipe_fd) == -1)\n" " err(EXIT_FAILURE, \"pipe\");\n" "\\&\n" " /* Create the child in new namespace(s). */\n" "\\&\n" " child_pid = clone(childFunc, child_stack + STACK_SIZE,\n" " flags | SIGCHLD, &args);\n" " if (child_pid == -1)\n" " err(EXIT_FAILURE, \"clone\");\n" "\\&\n" " /* Parent falls through to here. */\n" "\\&\n" " if (verbose)\n" " printf(\"%s: PID of child created by clone() is %jd\\en\",\n" " argv[0], (intmax_t) child_pid);\n" "\\&\n" " /* Update the UID and GID maps in the child. */\n" "\\&\n" " if (uid_map != NULL || map_zero) {\n" " snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n" " (intmax_t) child_pid);\n" " if (map_zero) {\n" " snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n" " (intmax_t) getuid());\n" " uid_map = map_buf;\n" " }\n" " update_map(uid_map, map_path);\n" " }\n" "\\&\n" " if (gid_map != NULL || map_zero) {\n" " proc_setgroups_write(child_pid, \"deny\");\n" "\\&\n" " snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n" " (intmax_t) child_pid);\n" " if (map_zero) {\n" " snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n" " (intmax_t) getgid());\n" " gid_map = map_buf;\n" " }\n" " update_map(gid_map, map_path);\n" " }\n" "\\&\n" " /* Close the write end of the pipe, to signal to the child that we\n" " have updated the UID and GID maps. */\n" "\\&\n" " close(args.pipe_fd[1]);\n" "\\&\n" " if (waitpid(child_pid, NULL, 0) == -1) /* Wait for child */\n" " err(EXIT_FAILURE, \"waitpid\");\n" "\\&\n" " if (verbose)\n" " printf(\"%s: terminating\\en\", argv[0]);\n" "\\&\n" " exit(EXIT_SUCCESS);\n" "}\n" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "SEE ALSO" msgstr "" #. From the shadow package #. From the shadow package #. From the shadow package #. From the shadow package #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "B(1), B(1), B(2), B(2), B(2), " "B(2), B(5), B(5), B(5), B(7), " "B(7), B(7), B(7), " "B(7)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The kernel source file I." msgstr "" #. type: TH #: debian-bookworm #, no-wrap msgid "2023-02-05" msgstr "" #. type: TH #: debian-bookworm #, no-wrap msgid "Linux man-pages 6.03" msgstr "" #. type: SS #: debian-bookworm #, no-wrap msgid "The /proc/I/setgroups file" msgstr "" #. type: Plain text #: debian-bookworm msgid "Namespaces are a Linux-specific feature." msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "/* userns_child_exec.c\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " Licensed under GNU General Public License v2 or later\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " Create a child process that executes a shell command in new\n" " namespace(s); allow UID and GID mappings to be specified when\n" " creating a user namespace.\n" "*/\n" "#define _GNU_SOURCE\n" "#include Eerr.hE\n" "#include Esched.hE\n" "#include Eunistd.hE\n" "#include Estdint.hE\n" "#include Estdlib.hE\n" "#include Esys/wait.hE\n" "#include Esignal.hE\n" "#include Efcntl.hE\n" "#include Estdio.hE\n" "#include Estring.hE\n" "#include Elimits.hE\n" "#include Eerrno.hE\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "struct child_args {\n" " char **argv; /* Command to be executed by child, with args */\n" " int pipe_fd[2]; /* Pipe used to synchronize parent and child */\n" "};\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "static int verbose;\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "static void\n" "usage(char *pname)\n" "{\n" " fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n" " fprintf(stderr, \"Create a child process that executes a shell \"\n" " \"command in a new user namespace,\\en\"\n" " \"and possibly also other new namespace(s).\\en\\en\");\n" " fprintf(stderr, \"Options can be:\\en\\en\");\n" "#define fpe(str) fprintf(stderr, \" %s\", str);\n" " fpe(\"-i New IPC namespace\\en\");\n" " fpe(\"-m New mount namespace\\en\");\n" " fpe(\"-n New network namespace\\en\");\n" " fpe(\"-p New PID namespace\\en\");\n" " fpe(\"-u New UTS namespace\\en\");\n" " fpe(\"-U New user namespace\\en\");\n" " fpe(\"-M uid_map Specify UID map for user namespace\\en\");\n" " fpe(\"-G gid_map Specify GID map for user namespace\\en\");\n" " fpe(\"-z Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n" " fpe(\" (equivalent to: -M \\[aq]0 EuidE 1\\[aq] -G \\[aq]0 EgidE 1\\[aq])\\en\");\n" " fpe(\"-v Display verbose messages\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n" " fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n" " fpe(\"\\en\");\n" " fpe(\" ID-inside-ns ID-outside-ns len\\en\");\n" " fpe(\"\\en\");\n" " fpe(\"A map string can contain multiple records, separated\"\n" " \" by commas;\\en\");\n" " fpe(\"the commas are replaced by newlines before writing\"\n" " \" to map files.\\en\");\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " exit(EXIT_FAILURE);\n" "}\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n" " \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n" " GID mapping consists of one or more newline-delimited records\n" " of the form:\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " ID_inside-ns ID-outside-ns length\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " Requiring the user to supply a string that contains newlines is\n" " of course inconvenient for command-line use. Thus, we permit the\n" " use of commas to delimit records in this string, and replace them\n" " with newlines before writing the string to the file. */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "static void\n" "update_map(char *mapping, char *map_file)\n" "{\n" " int fd;\n" " size_t map_len; /* Length of \\[aq]mapping\\[aq] */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* Replace commas in mapping string with newlines. */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " map_len = strlen(mapping);\n" " for (size_t j = 0; j E map_len; j++)\n" " if (mapping[j] == \\[aq],\\[aq])\n" " mapping[j] = \\[aq]\\en\\[aq];\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " fd = open(map_file, O_RDWR);\n" " if (fd == -1) {\n" " fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n" " strerror(errno));\n" " exit(EXIT_FAILURE);\n" " }\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (write(fd, mapping, map_len) != map_len) {\n" " fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n" " strerror(errno));\n" " exit(EXIT_FAILURE);\n" " }\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " close(fd);\n" "}\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "/* Linux 3.19 made a change in the handling of setgroups(2) and the\n" " \\[aq]gid_map\\[aq] file to address a security issue. The issue allowed\n" " *unprivileged* users to employ user namespaces in order to drop groups.\n" " The upshot of the 3.19 changes is that in order to update the\n" " \\[aq]gid_maps\\[aq] file, use of the setgroups() system call in this\n" " user namespace must first be disabled by writing \"deny\" to one of\n" " the /proc/PID/setgroups files for this namespace. That is the\n" " purpose of the following function. */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "static void\n" "proc_setgroups_write(pid_t child_pid, char *str)\n" "{\n" " char setgroups_path[PATH_MAX];\n" " int fd;\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n" " (intmax_t) child_pid);\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " fd = open(setgroups_path, O_RDWR);\n" " if (fd == -1) {\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " /* We may be on a system that doesn\\[aq]t support\n" " /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n" " and the system won\\[aq]t impose the restrictions that Linux 3.19\n" " added. That\\[aq]s fine: we don\\[aq]t need to do anything in order\n" " to permit \\[aq]gid_map\\[aq] to be updated.\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " However, if the error from open() was something other than\n" " the ENOENT error that is expected for that case, let the\n" " user know. */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (errno != ENOENT)\n" " fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n" " strerror(errno));\n" " return;\n" " }\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (write(fd, str, strlen(str)) == -1)\n" " fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n" " strerror(errno));\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "static int /* Start function for cloned child */\n" "childFunc(void *arg)\n" "{\n" " struct child_args *args = arg;\n" " char ch;\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " /* Wait until the parent has updated the UID and GID mappings.\n" " See the comment in main(). We wait for end of file on a\n" " pipe that will be closed by the parent process once it has\n" " updated the mappings. */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " close(args-Epipe_fd[1]); /* Close our descriptor for the write\n" " end of the pipe so that we see EOF\n" " when parent closes its descriptor. */\n" " if (read(args-Epipe_fd[0], &ch, 1) != 0) {\n" " fprintf(stderr,\n" " \"Failure in child: read from pipe returned != 0\\en\");\n" " exit(EXIT_FAILURE);\n" " }\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " close(args-Epipe_fd[0]);\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* Execute a shell command. */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " printf(\"About to exec %s\\en\", args-Eargv[0]);\n" " execvp(args-Eargv[0], args-Eargv);\n" " err(EXIT_FAILURE, \"execvp\");\n" "}\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "#define STACK_SIZE (1024 * 1024)\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "static char child_stack[STACK_SIZE]; /* Space for child\\[aq]s stack */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" "int\n" "main(int argc, char *argv[])\n" "{\n" " int flags, opt, map_zero;\n" " pid_t child_pid;\n" " struct child_args args;\n" " char *uid_map, *gid_map;\n" " const int MAP_BUF_SIZE = 100;\n" " char map_buf[MAP_BUF_SIZE];\n" " char map_path[PATH_MAX];\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " /* Parse command-line options. The initial \\[aq]+\\[aq] character in\n" " the final getopt() argument prevents GNU-style permutation\n" " of command-line options. That\\[aq]s useful, since sometimes\n" " the \\[aq]command\\[aq] to be executed by this program itself\n" " has command-line options. We don\\[aq]t want getopt() to treat\n" " those as options to this program. */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " flags = 0;\n" " verbose = 0;\n" " gid_map = NULL;\n" " uid_map = NULL;\n" " map_zero = 0;\n" " while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n" " switch (opt) {\n" " case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC; break;\n" " case \\[aq]m\\[aq]: flags |= CLONE_NEWNS; break;\n" " case \\[aq]n\\[aq]: flags |= CLONE_NEWNET; break;\n" " case \\[aq]p\\[aq]: flags |= CLONE_NEWPID; break;\n" " case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS; break;\n" " case \\[aq]v\\[aq]: verbose = 1; break;\n" " case \\[aq]z\\[aq]: map_zero = 1; break;\n" " case \\[aq]M\\[aq]: uid_map = optarg; break;\n" " case \\[aq]G\\[aq]: gid_map = optarg; break;\n" " case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER; break;\n" " default: usage(argv[0]);\n" " }\n" " }\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* -M or -G without -U is nonsensical */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n" " !(flags & CLONE_NEWUSER)) ||\n" " (map_zero && (uid_map != NULL || gid_map != NULL)))\n" " usage(argv[0]);\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " args.argv = &argv[optind];\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " /* We use a pipe to synchronize the parent and child, in order to\n" " ensure that the parent sets the UID and GID maps before the child\n" " calls execve(). This ensures that the child maintains its\n" " capabilities during the execve() in the common case where we\n" " want to map the child\\[aq]s effective user ID to 0 in the new user\n" " namespace. Without this synchronization, the child would lose\n" " its capabilities if it performed an execve() with nonzero\n" " user IDs (see the capabilities(7) man page for details of the\n" " transformation of a process\\[aq]s capabilities during execve()). */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (pipe(args.pipe_fd) == -1)\n" " err(EXIT_FAILURE, \"pipe\");\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* Create the child in new namespace(s). */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " child_pid = clone(childFunc, child_stack + STACK_SIZE,\n" " flags | SIGCHLD, &args);\n" " if (child_pid == -1)\n" " err(EXIT_FAILURE, \"clone\");\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* Parent falls through to here. */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (verbose)\n" " printf(\"%s: PID of child created by clone() is %jd\\en\",\n" " argv[0], (intmax_t) child_pid);\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " /* Update the UID and GID maps in the child. */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (uid_map != NULL || map_zero) {\n" " snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n" " (intmax_t) child_pid);\n" " if (map_zero) {\n" " snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n" " (intmax_t) getuid());\n" " uid_map = map_buf;\n" " }\n" " update_map(uid_map, map_path);\n" " }\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (gid_map != NULL || map_zero) {\n" " proc_setgroups_write(child_pid, \"deny\");\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n" " (intmax_t) child_pid);\n" " if (map_zero) {\n" " snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n" " (intmax_t) getgid());\n" " gid_map = map_buf;\n" " }\n" " update_map(gid_map, map_path);\n" " }\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " /* Close the write end of the pipe, to signal to the child that we\n" " have updated the UID and GID maps. */\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid " close(args.pipe_fd[1]);\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (waitpid(child_pid, NULL, 0) == -1) /* Wait for child */\n" " err(EXIT_FAILURE, \"waitpid\");\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " if (verbose)\n" " printf(\"%s: terminating\\en\", argv[0]);\n" msgstr "" #. type: Plain text #: debian-bookworm opensuse-leap-15-6 #, no-wrap msgid "" " exit(EXIT_SUCCESS);\n" "}\n" msgstr "" #. type: TH #: debian-unstable opensuse-tumbleweed #, no-wrap msgid "2023-05-03" msgstr "" #. type: TH #: debian-unstable opensuse-tumbleweed #, no-wrap msgid "Linux man-pages 6.05.01" msgstr "" #. type: TH #: opensuse-leap-15-6 #, no-wrap msgid "2023-04-01" msgstr "" #. type: TH #: opensuse-leap-15-6 #, no-wrap msgid "Linux man-pages 6.04" msgstr ""