path: root/po/es/man7/user_namespaces.7.po

# Spanish translation of manpages
# This file is distributed under the same license as the manpages-l10n package.
# Copyright © of this file:
msgid ""
msgstr ""
"Project-Id-Version: manpages-l10n 4.11.0\n"
"POT-Creation-Date: 2024-03-01 17:13+0100\n"
"PO-Revision-Date: 2021-09-10 15:40+0200\n"
"Last-Translator: Automatically generated\n"
"Language-Team: Spanish <debian-l10n-spanish@lists.debian.org>\n"
"Language: es\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"

#. type: TH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "user_namespaces"
msgstr ""

#. type: TH
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "2023-10-31"
msgstr "31 Octubre 2023"

#. type: TH
#: archlinux fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "Linux man-pages 6.06"
msgstr "Páginas de manual de Linux 6.06"

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NAME"
msgstr "NOMBRE"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "user_namespaces - overview of Linux user namespaces"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "DESCRIPTION"
msgstr "DESCRIPCIÓN"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "For an overview of namespaces, see B<namespaces>(7)."
msgstr ""

#
#.  FIXME: This page says very little about the interaction
#.  of user namespaces and keys. Add something on this topic.
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"User namespaces isolate security-related identifiers and attributes, in "
"particular, user IDs and group IDs (see B<credentials>(7)), the root "
"directory, keys (see B<keyrings>(7)), and capabilities (see "
"B<capabilities>(7)).  A process's user and group IDs can be different inside "
"and outside a user namespace.  In particular, a process can have a normal "
"unprivileged user ID outside a user namespace while at the same time having "
"a user ID of 0 inside the namespace; in other words, the process has full "
"privileges for operations inside the user namespace, but is unprivileged for "
"operations outside the namespace."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Nested namespaces, namespace membership"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"User namespaces can be nested; that is, each user namespace\\[em]except the "
"initial (\"root\")  namespace\\[em]has a parent user namespace, and can have "
"zero or more child user namespaces.  The parent user namespace is the user "
"namespace of the process that creates the user namespace via a call to "
"B<unshare>(2)  or B<clone>(2)  with the B<CLONE_NEWUSER> flag."
msgstr ""

#.  commit 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
#.  FIXME Explain the rationale for this limit. (What is the rationale?)
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The kernel imposes (since Linux 3.11) a limit of 32 nested levels of user "
"namespaces.  Calls to B<unshare>(2)  or B<clone>(2)  that would cause this "
"limit to be exceeded fail with the error B<EUSERS>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Each process is a member of exactly one user namespace.  A process created "
"via B<fork>(2)  or B<clone>(2)  without the B<CLONE_NEWUSER> flag is a "
"member of the same user namespace as its parent.  A single-threaded process "
"can join another user namespace with B<setns>(2)  if it has the "
"B<CAP_SYS_ADMIN> in that namespace; upon doing so, it gains a full set of "
"capabilities in that namespace."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A call to B<clone>(2)  or B<unshare>(2)  with the B<CLONE_NEWUSER> flag "
"makes the new child process (for B<clone>(2))  or the caller (for "
"B<unshare>(2))  a member of the new user namespace created by the call."
msgstr ""

#
#. #-#-#-#-#  archlinux: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  debian-bookworm: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#.  ============================================================
#. type: Plain text
#. #-#-#-#-#  debian-unstable: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  fedora-40: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  fedora-rawhide: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  mageia-cauldron: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  opensuse-leap-15-6: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#. #-#-#-#-#  opensuse-tumbleweed: user_namespaces.7.pot (PACKAGE VERSION)  #-#-#-#-#
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<NS_GET_PARENT> B<ioctl>(2)  operation can be used to discover the "
"parental relationship between user namespaces; see B<ioctl_ns>(2)."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A task that changes one of its effective IDs will have its dumpability reset "
"to the value in I</proc/sys/fs/suid_dumpable>.  This may affect the "
"ownership of proc files of child processes and may thus cause the parent to "
"lack the permissions to write to mapping files of child processes running in "
"a new user namespace.  In such cases making the parent process dumpable, "
"using B<PR_SET_DUMPABLE> in a call to B<prctl>(2), before creating a child "
"process in a new user namespace may rectify this problem.  See B<prctl>(2)  "
"and B<proc>(5)  for details on how ownership is affected."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Capabilities"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The child process created by B<clone>(2)  with the B<CLONE_NEWUSER> flag "
"starts out with a complete set of capabilities in the new user namespace.  "
"Likewise, a process that creates a new user namespace using B<unshare>(2)  "
"or joins an existing user namespace using B<setns>(2)  gains a full set of "
"capabilities in that namespace.  On the other hand, that process has no "
"capabilities in the parent (in the case of B<clone>(2))  or previous (in the "
"case of B<unshare>(2)  and B<setns>(2))  user namespace, even if the new "
"namespace is created or joined by the root user (i.e., a process with user "
"ID 0 in the root namespace)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Note that a call to B<execve>(2)  will cause a process's capabilities to be "
"recalculated in the usual way (see B<capabilities>(7)).  Consequently, "
"unless the process has a user ID of 0 within the namespace, or the "
"executable file has a nonempty inheritable capabilities mask, the process "
"will lose all capabilities.  See the discussion of user and group ID "
"mappings, below."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A call to B<clone>(2)  or B<unshare>(2)  using the B<CLONE_NEWUSER> flag or "
"a call to B<setns>(2)  that moves the caller into another user namespace "
"sets the \"securebits\" flags (see B<capabilities>(7))  to their default "
"values (all flags disabled) in the child (for B<clone>(2))  or caller (for "
"B<unshare>(2)  or B<setns>(2)).  Note that because the caller no longer has "
"capabilities in its original user namespace after a call to B<setns>(2), it "
"is not possible for a process to reset its \"securebits\" flags while "
"retaining its user namespace membership by using a pair of B<setns>(2)  "
"calls to move to another user namespace and then return to its original user "
"namespace."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The rules for determining whether or not a process has a capability in a "
"particular user namespace are as follows:"
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "\\[bu]"
msgstr "\\[bu]"

#.  In the 3.8 sources, see security/commoncap.c::cap_capable():
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A process has a capability inside a user namespace if it is a member of that "
"namespace and it has the capability in its effective capability set.  A "
"process can gain capabilities in its effective capability set in various "
"ways.  For example, it may execute a set-user-ID program or an executable "
"with associated file capabilities.  In addition, a process may gain "
"capabilities via the effect of B<clone>(2), B<unshare>(2), or B<setns>(2), "
"as already described."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If a process has a capability in a user namespace, then it has that "
"capability in all child (and further removed descendant)  namespaces as well."
msgstr ""

#
#.  * The owner of the user namespace in the parent of the
#.  * user namespace has all caps.
#.  (and likewise associates the effective group ID of the creating process
#.  with the namespace).
#.  See kernel commit 520d9eabce18edfef76a60b7b839d54facafe1f9 for a fix
#.  on this point
#.      This includes the case where the process executes a set-user-ID
#.      program that confers the effective UID of the creator of the namespace.
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a user namespace is created, the kernel records the effective user ID "
"of the creating process as being the \"owner\" of the namespace.  A process "
"that resides in the parent of the user namespace and whose effective user ID "
"matches the owner of the namespace has all capabilities in the namespace.  "
"By virtue of the previous rule, this means that the process has all "
"capabilities in all further removed descendant user namespaces as well.  The "
"B<NS_GET_OWNER_UID> B<ioctl>(2)  operation can be used to discover the user "
"ID of the owner of the namespace; see B<ioctl_ns>(2)."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Effect of capabilities within a user namespace"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Having a capability inside a user namespace permits a process to perform "
"operations (that require privilege)  only on resources governed by that "
"namespace.  In other words, having a capability in a user namespace permits "
"a process to perform privileged operations on resources that are governed by "
"(nonuser)  namespaces owned by (associated with) the user namespace (see the "
"next subsection)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"On the other hand, there are many privileged operations that affect "
"resources that are not associated with any namespace type, for example, "
"changing the system (i.e., calendar) time (governed by B<CAP_SYS_TIME>), "
"loading a kernel module (governed by B<CAP_SYS_MODULE>), and creating a "
"device (governed by B<CAP_MKNOD>).  Only a process with privileges in the "
"I<initial> user namespace can perform such operations."
msgstr ""

#.  fs_flags = FS_USERNS_MOUNT in kernel sources
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's "
"mount namespace allows that process to create bind mounts and mount the "
"following types of filesystems:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I</proc> (since Linux 3.8)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I</sys> (since Linux 3.8)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<devpts> (since Linux 3.9)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "B<tmpfs>(5)  (since Linux 3.9)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<ramfs> (since Linux 3.9)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<mqueue> (since Linux 3.9)"
msgstr ""

#.  commit b2197755b2633e164a439682fb05a9b5ea48f706
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<bpf> (since Linux 4.4)"
msgstr ""

#.  commit 92dbc9dedccb9759c7f9f2f0ae6242396376988f
#.  commit 4cb2c00c43b3fe88b32f29df4f76da1b92c33224
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<overlayfs> (since Linux 5.11)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's "
"cgroup namespace allows (since Linux 4.6)  that process to the mount the "
"cgroup version 2 filesystem and cgroup version 1 named hierarchies (i.e., "
"cgroup filesystems mounted with the I<\"none,name=\"> option)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Holding B<CAP_SYS_ADMIN> within the user namespace that owns a process's PID "
"namespace allows (since Linux 3.8)  that process to mount I</proc> "
"filesystems."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Note, however, that mounting block-based filesystems can be done only by a "
"process that holds B<CAP_SYS_ADMIN> in the initial user namespace."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Interaction of user namespaces and other types of namespaces"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Starting in Linux 3.8, unprivileged processes can create user namespaces, "
"and the other types of namespaces can be created with just the "
"B<CAP_SYS_ADMIN> capability in the caller's user namespace."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a nonuser namespace is created, it is owned by the user namespace in "
"which the creating process was a member at the time of the creation of the "
"namespace.  Privileged operations on resources governed by the nonuser "
"namespace require that the process has the necessary capabilities in the "
"user namespace that owns the nonuser namespace."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If B<CLONE_NEWUSER> is specified along with other B<CLONE_NEW*> flags in a "
"single B<clone>(2)  or B<unshare>(2)  call, the user namespace is guaranteed "
"to be created first, giving the child (B<clone>(2))  or caller "
"(B<unshare>(2))  privileges over the remaining namespaces created by the "
"call.  Thus, it is possible for an unprivileged caller to specify this "
"combination of flags."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a new namespace (other than a user namespace) is created via "
"B<clone>(2)  or B<unshare>(2), the kernel records the user namespace of the "
"creating process as the owner of the new namespace.  (This association can't "
"be changed.)  When a process in the new namespace subsequently performs "
"privileged operations that operate on global resources isolated by the "
"namespace, the permission checks are performed according to the process's "
"capabilities in the user namespace that the kernel associated with the new "
"namespace.  For example, suppose that a process attempts to change the "
"hostname (B<sethostname>(2)), a resource governed by the UTS namespace.  In "
"this case, the kernel will determine which user namespace owns the process's "
"UTS namespace, and check whether the process has the required capability "
"(B<CAP_SYS_ADMIN>)  in that user namespace."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<NS_GET_USERNS> B<ioctl>(2)  operation can be used to discover the user "
"namespace that owns a nonuser namespace; see B<ioctl_ns>(2)."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "User and group ID mappings: uid_map and gid_map"
msgstr ""

#.  commit 22d917d80e842829d0ca0a561967d728eb1d6303
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a user namespace is created, it starts out without a mapping of user "
"IDs (group IDs)  to the parent user namespace.  The I</proc/>pidI</uid_map> "
"and I</proc/>pidI</gid_map> files (available since Linux 3.5)  expose the "
"mappings for user and group IDs inside the user namespace for the process "
"I<pid>.  These files can be read to view the mappings in a user namespace "
"and written to (once) to define the mappings."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The description in the following paragraphs explains the details for "
"I<uid_map>; I<gid_map> is exactly the same, but each instance of \"user ID\" "
"is replaced by \"group ID\"."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I<uid_map> file exposes the mapping of user IDs from the user namespace "
"of the process I<pid> to the user namespace of the process that opened "
"I<uid_map> (but see a qualification to this point below).  In other words, "
"processes that are in different user namespaces will potentially see "
"different values when reading from a particular I<uid_map> file, depending "
"on the user ID mappings for the user namespaces of the reading processes."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Each line in the I<uid_map> file specifies a 1-to-1 mapping of a range of "
"contiguous user IDs between two user namespaces.  (When a user namespace is "
"first created, this file is empty.)  The specification in each line takes "
"the form of three numbers delimited by white space.  The first two numbers "
"specify the starting user ID in each of the two user namespaces.  The third "
"number specifies the length of the mapped range.  In detail, the fields are "
"interpreted as follows:"
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(1)"
msgstr "(1)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The start of the range of user IDs in the user namespace of the process "
"I<pid>."
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(2)"
msgstr "(2)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The start of the range of user IDs to which the user IDs specified by field "
"one map.  How field two is interpreted depends on whether the process that "
"opened I<uid_map> and the process I<pid> are in the same user namespace, as "
"follows:"
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(a)"
msgstr "(a)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the two processes are in different user namespaces: field two is the "
"start of a range of user IDs in the user namespace of the process that "
"opened I<uid_map>."
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(b)"
msgstr "(b)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the two processes are in the same user namespace: field two is the start "
"of the range of user IDs in the parent user namespace of the process "
"I<pid>.  This case enables the opener of I<uid_map> (the common case here is "
"opening I</proc/self/uid_map>)  to see the mapping of user IDs into the user "
"namespace of the process that created this user namespace."
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(3)"
msgstr "(3)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The length of the range of user IDs that is mapped between the two user "
"namespaces."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"System calls that return user IDs (group IDs)\\[em]for example, "
"B<getuid>(2), B<getgid>(2), and the credential fields in the structure "
"returned by B<stat>(2)\\[em]return the user ID (group ID) mapped into the "
"caller's user namespace."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a process accesses a file, its user and group IDs are mapped into the "
"initial user namespace for the purpose of permission checking and assigning "
"IDs when creating a file.  When a process retrieves file user and group IDs "
"via B<stat>(2), the IDs are mapped in the opposite direction, to produce "
"values relative to the process user and group ID mappings."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The initial user namespace has no parent namespace, but, for consistency, "
"the kernel provides dummy user and group ID mapping files for this "
"namespace.  Looking at the I<uid_map> file (I<gid_map> is the same) from a "
"shell in the initial namespace shows:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<cat /proc/$$/uid_map>\n"
"         0          0 4294967295\n"
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This mapping tells us that the range starting at user ID 0 in this namespace "
"maps to a range starting at 0 in the (nonexistent) parent namespace, and the "
"length of the range is the largest 32-bit unsigned integer.  This leaves "
"4294967295 (the 32-bit signed -1 value) unmapped.  This is deliberate: "
"I<(uid_t)\\~-1> is used in several interfaces (e.g., B<setreuid>(2))  as a "
"way to specify \"no user ID\".  Leaving I<(uid_t)\\~-1> unmapped and "
"unusable guarantees that there will be no confusion when using these "
"interfaces."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Defining user and group ID mappings: writing to uid_map and gid_map"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"After the creation of a new user namespace, the I<uid_map> file of I<one> of "
"the processes in the namespace may be written to I<once> to define the "
"mapping of user IDs in the new user namespace.  An attempt to write more "
"than once to a I<uid_map> file in a user namespace fails with the error "
"B<EPERM>.  Similar rules apply for I<gid_map> files."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The lines written to I<uid_map> (I<gid_map>)  must conform to the following "
"validity rules:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The three fields must be valid numbers, and the last field must be greater "
"than 0."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Lines are terminated by newline characters."
msgstr ""

#.  5*12-byte records could fit in a 64B cache line
#.  commit 6397fac4915ab3002dc15aae751455da1a852f25
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"There is a limit on the number of lines in the file.  In Linux 4.14 and "
"earlier, this limit was (arbitrarily)  set at 5 lines.  Since Linux 4.15, "
"the limit is 340 lines.  In addition, the number of bytes written to the "
"file must be less than the system page size, and the write must be performed "
"at the start of the file (i.e., B<lseek>(2)  and B<pwrite>(2)  can't be used "
"to write to nonzero offsets in the file)."
msgstr ""

#.  commit 0bd14b4fd72afd5df41e9fd59f356740f22fceba
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The range of user IDs (group IDs)  specified in each line cannot overlap "
"with the ranges in any other lines.  In the initial implementation (Linux "
"3.8), this requirement was satisfied by a simplistic implementation that "
"imposed the further requirement that the values in both field 1 and field 2 "
"of successive lines must be in ascending numerical order, which prevented "
"some otherwise valid maps from being created.  Linux 3.9 and later fix this "
"limitation, allowing any valid set of nonoverlapping maps."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "At least one line must be written to the file."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Writes that violate the above rules fail with the error B<EINVAL>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In order for a process to write to the I</proc/>pidI</uid_map> (I</proc/"
">pidI</gid_map>)  file, all of the following permission requirements must be "
"met:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The writing process must have the B<CAP_SETUID> (B<CAP_SETGID>)  capability "
"in the user namespace of the process I<pid>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The writing process must either be in the user namespace of the process "
"I<pid> or be in the parent user namespace of the process I<pid>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The mapped user IDs (group IDs) must in turn have a mapping in the parent "
"user namespace."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If updating I</proc/>pidI</uid_map> to create a mapping that maps UID 0 in "
"the parent namespace, then one of the following must be true:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"if writing process is in the parent user namespace, then it must have the "
"B<CAP_SETFCAP> capability in that user namespace; or"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"if the writing process is in the child user namespace, then the process that "
"created the user namespace must have had the B<CAP_SETFCAP> capability when "
"the namespace was created."
msgstr ""

#.  commit db2e718a47984b9d71ed890eb2ea36ecf150de18
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This rule has been in place since Linux 5.12.  It eliminates an earlier "
"security bug whereby a UID 0 process that lacks the B<CAP_SETFCAP> "
"capability, which is needed to create a binary with namespaced file "
"capabilities (as described in B<capabilities>(7)), could nevertheless create "
"such a binary, by the following steps:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Create a new user namespace with the identity mapping (i.e., UID 0 in the "
"new user namespace maps to UID 0 in the parent namespace), so that UID 0 in "
"both namespaces is equivalent to the same root user ID."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Since the child process has the B<CAP_SETFCAP> capability, it could create a "
"binary with namespaced file capabilities that would then be effective in the "
"parent user namespace (because the root user IDs are the same in the two "
"namespaces)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "One of the following two cases applies:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I<Either> the writing process has the B<CAP_SETUID> (B<CAP_SETGID>)  "
"capability in the I<parent> user namespace."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"No further restrictions apply: the process can make mappings to arbitrary "
"user IDs (group IDs)  in the parent user namespace."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<Or> otherwise all of the following restrictions apply:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The data written to I<uid_map> (I<gid_map>)  must consist of a single line "
"that maps the writing process's effective user ID (group ID) in the parent "
"user namespace to a user ID (group ID)  in the user namespace."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The writing process must have the same effective user ID as the process that "
"created the user namespace."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the case of I<gid_map>, use of the B<setgroups>(2)  system call must "
"first be denied by writing \\[dq]I<deny>\\[dq] to the I</proc/>pidI</"
"setgroups> file (see below) before writing to I<gid_map>."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Writes that violate the above rules fail with the error B<EPERM>."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Project ID mappings: projid_map"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Similarly to user and group ID mappings, it is possible to create project ID "
"mappings for a user namespace.  (Project IDs are used for disk quotas; see "
"B<setquota>(8)  and B<quotactl>(2).)"
msgstr ""

#.  commit f76d207a66c3a53defea67e7d36c3eb1b7d6d61d
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Project ID mappings are defined by writing to the I</proc/>pidI</projid_map> "
"file (present since Linux 3.7)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The validity rules for writing to the I</proc/>pidI</projid_map> file are as "
"for writing to the I<uid_map> file; violation of these rules causes "
"B<write>(2)  to fail with the error B<EINVAL>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The permission rules for writing to the I</proc/>pidI</projid_map> file are "
"as follows:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The mapped project IDs must in turn have a mapping in the parent user "
"namespace."
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Violation of these rules causes B<write>(2)  to fail with the error B<EPERM>."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Interaction with system calls that change process UIDs or GIDs"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In a user namespace where the I<uid_map> file has not been written, the "
"system calls that change user IDs will fail.  Similarly, if the I<gid_map> "
"file has not been written, the system calls that change group IDs will "
"fail.  After the I<uid_map> and I<gid_map> files have been written, only the "
"mapped values may be used in system calls that change user and group IDs."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"For user IDs, the relevant system calls include B<setuid>(2), "
"B<setfsuid>(2), B<setreuid>(2), and B<setresuid>(2).  For group IDs, the "
"relevant system calls include B<setgid>(2), B<setfsgid>(2), B<setregid>(2), "
"B<setresgid>(2), and B<setgroups>(2)."
msgstr ""

#
#.  Things changed in Linux 3.19
#.  commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
#.  commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
#.  http://lwn.net/Articles/626665/
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Writing \\[dq]I<deny>\\[dq] to the I</proc/>pidI</setgroups> file before "
"writing to I</proc/>pidI</gid_map> will permanently disable B<setgroups>(2)  "
"in a user namespace and allow writing to I</proc/>pidI</gid_map> without "
"having the B<CAP_SETGID> capability in the parent user namespace."
msgstr ""

#. type: SS
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "The I</proc/>pidI</setgroups> file"
msgstr ""

#
#.  commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
#.  commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
#.  http://lwn.net/Articles/626665/
#.  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8989
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I</proc/>pidI</setgroups> file displays the string \\[dq]I<allow>\\[dq] "
"if processes in the user namespace that contains the process I<pid> are "
"permitted to employ the B<setgroups>(2)  system call; it displays "
"\\[dq]I<deny>\\[dq] if B<setgroups>(2)  is not permitted in that user "
"namespace.  Note that regardless of the value in the I</proc/>pidI</"
"setgroups> file (and regardless of the process's capabilities), calls to "
"B<setgroups>(2)  are also not permitted if I</proc/>pidI</gid_map> has not "
"yet been set."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A privileged process (one with the B<CAP_SYS_ADMIN> capability in the "
"namespace) may write either of the strings \\[dq]I<allow>\\[dq] or "
"\\[dq]I<deny>\\[dq] to this file I<before> writing a group ID mapping for "
"this user namespace to the file I</proc/>pidI</gid_map>.  Writing the string "
"\\[dq]I<deny>\\[dq] prevents any process in the user namespace from "
"employing B<setgroups>(2)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The essence of the restrictions described in the preceding paragraph is that "
"it is permitted to write to I</proc/>pidI</setgroups> only so long as "
"calling B<setgroups>(2)  is disallowed because I</proc/>pidI</gid_map> has "
"not been set.  This ensures that a process cannot transition from a state "
"where B<setgroups>(2)  is allowed to a state where B<setgroups>(2)  is "
"denied; a process can transition only from B<setgroups>(2)  being disallowed "
"to B<setgroups>(2)  being allowed."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The default value of this file in the initial user namespace is "
"\\[dq]I<allow>\\[dq]."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Once I</proc/>pidI</gid_map> has been written to (which has the effect of "
"enabling B<setgroups>(2)  in the user namespace), it is no longer possible "
"to disallow B<setgroups>(2)  by writing \\[dq]I<deny>\\[dq] to I</proc/"
">pidI</setgroups> (the write fails with the error B<EPERM>)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A child user namespace inherits the I</proc/>pidI</setgroups> setting from "
"its parent."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the I<setgroups> file has the value \\[dq]I<deny>\\[dq], then the "
"B<setgroups>(2)  system call can't subsequently be reenabled (by writing "
"\\[dq]I<allow>\\[dq] to the file) in this user namespace.  (Attempts to do "
"so fail with the error B<EPERM>.)  This restriction also propagates down to "
"all child user namespaces of this user namespace."
msgstr ""

#
#
#
#
#.  /proc/PID/setgroups
#. 	[allow == setgroups() is allowed, "deny" == setgroups() is disallowed]
#. 	* Can write if have CAP_SYS_ADMIN in NS
#. 	* Must write BEFORE writing to /proc/PID/gid_map
#.  setgroups()
#. 	* Must already have written to gid_map
#. 	* /proc/PID/setgroups must be "allow"
#.  /proc/PID/gid_map -- writing
#. 	* Must already have written "deny" to /proc/PID/setgroups
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I</proc/>pidI</setgroups> file was added in Linux 3.19, but was "
"backported to many earlier stable kernel series, because it addresses a "
"security issue.  The issue concerned files with permissions such as \"rwx---"
"rwx\".  Such files give fewer permissions to \"group\" than they do to "
"\"other\".  This means that dropping groups using B<setgroups>(2)  might "
"allow a process file access that it did not formerly have.  Before the "
"existence of user namespaces this was not a concern, since only a privileged "
"process (one with the B<CAP_SETGID> capability) could call B<setgroups>(2).  "
"However, with the introduction of user namespaces, it became possible for an "
"unprivileged process to create a new namespace in which the user had all "
"privileges.  This then allowed formerly unprivileged users to drop groups "
"and thus gain file access that they did not previously have.  The I</proc/"
">pidI</setgroups> file was added to address this security issue, by denying "
"any pathway for an unprivileged process to drop groups with B<setgroups>(2)."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Unmapped user and group IDs"
msgstr ""

#.  from_kuid_munged(), from_kgid_munged()
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"There are various places where an unmapped user ID (group ID)  may be "
"exposed to user space.  For example, the first process in a new user "
"namespace may call B<getuid>(2)  before a user ID mapping has been defined "
"for the namespace.  In most such cases, an unmapped user ID is converted to "
"the overflow user ID (group ID); the default value for the overflow user ID "
"(group ID) is 65534.  See the descriptions of I</proc/sys/kernel/"
"overflowuid> and I</proc/sys/kernel/overflowgid> in B<proc>(5)."
msgstr ""

#.  also SO_PEERCRED
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The cases where unmapped IDs are mapped in this fashion include system calls "
"that return user IDs (B<getuid>(2), B<getgid>(2), and similar), credentials "
"passed over a UNIX domain socket, credentials returned by B<stat>(2), "
"B<waitid>(2), and the System V IPC \"ctl\" B<IPC_STAT> operations, "
"credentials exposed by I</proc/>pidI</status> and the files in I</proc/"
"sysvipc/*>, credentials returned via the I<si_uid> field in the I<siginfo_t> "
"received with a signal (see B<sigaction>(2)), credentials written to the "
"process accounting file (see B<acct>(5)), and credentials returned with "
"POSIX message queue notifications (see B<mq_notify>(3))."
msgstr ""

#
#.  from_kuid(), from_kgid()
#.  Also F_GETOWNER_UIDS is an exception
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"There is one notable case where unmapped user and group IDs are I<not> "
"converted to the corresponding overflow ID value.  When viewing a I<uid_map> "
"or I<gid_map> file in which there is no mapping for the second field, that "
"field is displayed as 4294967295 (-1 as an unsigned integer)."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Accessing files"
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In order to determine permissions when an unprivileged process accesses a "
"file, the process credentials (UID, GID) and the file credentials are in "
"effect mapped back to what they would be in the initial user namespace and "
"then compared to determine the permissions that the process has on the "
"file.  The same is also true of other objects that employ the credentials "
"plus permissions mask accessibility model, such as System V IPC objects."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Operation of file-related capabilities"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Certain capabilities allow a process to bypass various kernel-enforced "
"restrictions when performing operations on files owned by other users or "
"groups.  These capabilities are: B<CAP_CHOWN>, B<CAP_DAC_OVERRIDE>, "
"B<CAP_DAC_READ_SEARCH>, B<CAP_FOWNER>, and B<CAP_FSETID>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Within a user namespace, these capabilities allow a process to bypass the "
"rules if the process has the relevant capability over the file, meaning that:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"the process has the relevant effective capability in its user namespace; and"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"the file's user ID and group ID both have valid mappings in the user "
"namespace."
msgstr ""

#
#.  These are the checks performed by the kernel function
#.  inode_owner_or_capable(). There is one exception to the exception:
#.  overriding the directory sticky permission bit requires that
#.  the file has a valid mapping for both its UID and GID.
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<CAP_FOWNER> capability is treated somewhat exceptionally: it allows a "
"process to bypass the corresponding rules so long as at least the file's "
"user ID has a mapping in the user namespace (i.e., the file's group ID does "
"not need to have a valid mapping)."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Set-user-ID and set-group-ID programs"
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a process inside a user namespace executes a set-user-ID (set-group-ID) "
"program, the process's effective user (group) ID inside the namespace is "
"changed to whatever value is mapped for the user (group) ID of the file.  "
"However, if either the user I<or> the group ID of the file has no mapping "
"inside the namespace, the set-user-ID (set-group-ID) bit is silently "
"ignored: the new program is executed, but the process's effective user "
"(group) ID is left unchanged.  (This mirrors the semantics of executing a "
"set-user-ID or set-group-ID program that resides on a filesystem that was "
"mounted with the B<MS_NOSUID> flag, as described in B<mount>(2).)"
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Miscellaneous"
msgstr "Varios"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a process's user and group IDs are passed over a UNIX domain socket to "
"a process in a different user namespace (see the description of "
"B<SCM_CREDENTIALS> in B<unix>(7)), they are translated into the "
"corresponding values as per the receiving process's user and group ID "
"mappings."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "STANDARDS"
msgstr "ESTÁNDARES"

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
msgid "Linux."
msgstr "Linux."

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NOTES"
msgstr "NOTAS"

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Over the years, there have been a lot of features that have been added to "
"the Linux kernel that have been made available only to privileged users "
"because of their potential to confuse set-user-ID-root applications.  In "
"general, it becomes safe to allow the root user in a user namespace to use "
"those features because it is impossible, while in a user namespace, to gain "
"more privilege than the root user of a user namespace has."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Global root"
msgstr ""

#
#.  ============================================================
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The term \"global root\" is sometimes used as a shorthand for user ID 0 in "
"the initial user namespace."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Availability"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Use of user namespaces requires a kernel that is configured with the "
"B<CONFIG_USER_NS> option.  User namespaces require support in a range of "
"subsystems across the kernel.  When an unsupported subsystem is configured "
"into the kernel, it is not possible to configure user namespaces support."
msgstr ""

#.  commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"As at Linux 3.8, most relevant subsystems supported user namespaces, but a "
"number of filesystems did not have the infrastructure needed to map user and "
"group IDs between user namespaces.  Linux 3.9 added the required "
"infrastructure support for many of the remaining unsupported filesystems "
"(Plan 9 (9P), Andrew File System (AFS), Ceph, CIFS, CODA, NFS, and OCFS2).  "
"Linux 3.12 added support for the last of the unsupported major filesystems, "
"XFS."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "EXAMPLES"
msgstr "EJEMPLOS"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The program below is designed to allow experimenting with user namespaces, "
"as well as other types of namespaces.  It creates namespaces as specified by "
"command-line options and then executes a command inside those namespaces.  "
"The comments and I<usage>()  function inside the program provide a full "
"explanation of the program.  The following shell session demonstrates its "
"use."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "First, we look at the run-time environment:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<uname -rs>     # Need Linux 3.8 or later\n"
"Linux 3.8.0\n"
"$ B<id -u>         # Running as unprivileged user\n"
"1000\n"
"$ B<id -g>\n"
"1000\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Now start a new shell in new user (I<-U>), mount (I<-m>), and PID (I<-p>)  "
"namespaces, with user ID (I<-M>)  and group ID (I<-G>)  1000 mapped to 0 "
"inside the user namespace:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "$ B<./userns_child_exec -p -m -U -M \\[aq]0 1000 1\\[aq] -G \\[aq]0 1000 1\\[aq] bash>\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The shell has PID 1, because it is the first process in the new PID "
"namespace:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"bash$ B<echo $$>\n"
"1\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Mounting a new I</proc> filesystem and listing all of the processes visible "
"in the new PID namespace shows that the shell can't see any processes "
"outside the PID namespace:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"bash$ B<mount -t proc proc /proc>\n"
"bash$ B<ps ax>\n"
"  PID TTY      STAT   TIME COMMAND\n"
"    1 pts/3    S      0:00 bash\n"
"   22 pts/3    R+     0:00 ps ax\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Inside the user namespace, the shell has user and group ID 0, and a full set "
"of permitted and effective capabilities:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"bash$ B<cat /proc/$$/status | egrep \\[aq]\\[ha][UG]id\\[aq]>\n"
"Uid:\t0\t0\t0\t0\n"
"Gid:\t0\t0\t0\t0\n"
"bash$ B<cat /proc/$$/status | egrep \\[aq]\\[ha]Cap(Prm|Inh|Eff)\\[aq]>\n"
"CapInh:\t0000000000000000\n"
"CapPrm:\t0000001fffffffff\n"
"CapEff:\t0000001fffffffff\n"
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Program source"
msgstr "Código fuente"

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-tumbleweed
#, no-wrap
msgid ""
"/* userns_child_exec.c\n"
"\\&\n"
"   Licensed under GNU General Public License v2 or later\n"
"\\&\n"
"   Create a child process that executes a shell command in new\n"
"   namespace(s); allow UID and GID mappings to be specified when\n"
"   creating a user namespace.\n"
"*/\n"
"#define _GNU_SOURCE\n"
"#include E<lt>err.hE<gt>\n"
"#include E<lt>sched.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
"#include E<lt>stdint.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>sys/wait.hE<gt>\n"
"#include E<lt>signal.hE<gt>\n"
"#include E<lt>fcntl.hE<gt>\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>string.hE<gt>\n"
"#include E<lt>limits.hE<gt>\n"
"#include E<lt>errno.hE<gt>\n"
"\\&\n"
"struct child_args {\n"
"    char **argv;        /* Command to be executed by child, with args */\n"
"    int    pipe_fd[2];  /* Pipe used to synchronize parent and child */\n"
"};\n"
"\\&\n"
"static int verbose;\n"
"\\&\n"
"static void\n"
"usage(char *pname)\n"
"{\n"
"    fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n"
"    fprintf(stderr, \"Create a child process that executes a shell \"\n"
"            \"command in a new user namespace,\\en\"\n"
"            \"and possibly also other new namespace(s).\\en\\en\");\n"
"    fprintf(stderr, \"Options can be:\\en\\en\");\n"
"#define fpe(str) fprintf(stderr, \"    %s\", str);\n"
"    fpe(\"-i          New IPC namespace\\en\");\n"
"    fpe(\"-m          New mount namespace\\en\");\n"
"    fpe(\"-n          New network namespace\\en\");\n"
"    fpe(\"-p          New PID namespace\\en\");\n"
"    fpe(\"-u          New UTS namespace\\en\");\n"
"    fpe(\"-U          New user namespace\\en\");\n"
"    fpe(\"-M uid_map  Specify UID map for user namespace\\en\");\n"
"    fpe(\"-G gid_map  Specify GID map for user namespace\\en\");\n"
"    fpe(\"-z          Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n"
"    fpe(\"            (equivalent to: -M \\[aq]0 E<lt>uidE<gt> 1\\[aq] -G \\[aq]0 E<lt>gidE<gt> 1\\[aq])\\en\");\n"
"    fpe(\"-v          Display verbose messages\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n"
"    fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"    ID-inside-ns   ID-outside-ns   len\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"A map string can contain multiple records, separated\"\n"
"        \" by commas;\\en\");\n"
"    fpe(\"the commas are replaced by newlines before writing\"\n"
"        \" to map files.\\en\");\n"
"\\&\n"
"    exit(EXIT_FAILURE);\n"
"}\n"
"\\&\n"
"/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n"
"   \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n"
"   GID mapping consists of one or more newline-delimited records\n"
"   of the form:\n"
"\\&\n"
"       ID_inside-ns    ID-outside-ns   length\n"
"\\&\n"
"   Requiring the user to supply a string that contains newlines is\n"
"   of course inconvenient for command-line use. Thus, we permit the\n"
"   use of commas to delimit records in this string, and replace them\n"
"   with newlines before writing the string to the file. */\n"
"\\&\n"
"static void\n"
"update_map(char *mapping, char *map_file)\n"
"{\n"
"    int fd;\n"
"    size_t map_len;     /* Length of \\[aq]mapping\\[aq] */\n"
"\\&\n"
"    /* Replace commas in mapping string with newlines. */\n"
"\\&\n"
"    map_len = strlen(mapping);\n"
"    for (size_t j = 0; j E<lt> map_len; j++)\n"
"        if (mapping[j] == \\[aq],\\[aq])\n"
"            mapping[j] = \\[aq]\\en\\[aq];\n"
"\\&\n"
"    fd = open(map_file, O_RDWR);\n"
"    if (fd == -1) {\n"
"        fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
"\\&\n"
"    if (write(fd, mapping, map_len) != map_len) {\n"
"        fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
"\\&\n"
"    close(fd);\n"
"}\n"
"\\&\n"
"/* Linux 3.19 made a change in the handling of setgroups(2) and\n"
"   the \\[aq]gid_map\\[aq] file to address a security issue.  The issue\n"
"   allowed *unprivileged* users to employ user namespaces in\n"
"   order to drop groups.  The upshot of the 3.19 changes is that\n"
"   in order to update the \\[aq]gid_maps\\[aq] file, use of the setgroups()\n"
"   system call in this user namespace must first be disabled by\n"
"   writing \"deny\" to one of the /proc/PID/setgroups files for\n"
"   this namespace.  That is the purpose of the following function.  */\n"
"\\&\n"
"static void\n"
"proc_setgroups_write(pid_t child_pid, char *str)\n"
"{\n"
"    char setgroups_path[PATH_MAX];\n"
"    int fd;\n"
"\\&\n"
"    snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n"
"            (intmax_t) child_pid);\n"
"\\&\n"
"    fd = open(setgroups_path, O_RDWR);\n"
"    if (fd == -1) {\n"
"\\&\n"
"        /* We may be on a system that doesn\\[aq]t support\n"
"           /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n"
"           and the system won\\[aq]t impose the restrictions that Linux 3.19\n"
"           added. That\\[aq]s fine: we don\\[aq]t need to do anything in order\n"
"           to permit \\[aq]gid_map\\[aq] to be updated.\n"
"\\&\n"
"           However, if the error from open() was something other than\n"
"           the ENOENT error that is expected for that case,  let the\n"
"           user know. */\n"
"\\&\n"
"        if (errno != ENOENT)\n"
"            fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n"
"                strerror(errno));\n"
"        return;\n"
"    }\n"
"\\&\n"
"    if (write(fd, str, strlen(str)) == -1)\n"
"        fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n"
"            strerror(errno));\n"
"\\&\n"
"    close(fd);\n"
"}\n"
"\\&\n"
"static int              /* Start function for cloned child */\n"
"childFunc(void *arg)\n"
"{\n"
"    struct child_args *args = arg;\n"
"    char ch;\n"
"\\&\n"
"    /* Wait until the parent has updated the UID and GID mappings.\n"
"       See the comment in main(). We wait for end of file on a\n"
"       pipe that will be closed by the parent process once it has\n"
"       updated the mappings. */\n"
"\\&\n"
"    close(args-E<gt>pipe_fd[1]);    /* Close our descriptor for the write\n"
"                                   end of the pipe so that we see EOF\n"
"                                   when parent closes its descriptor. */\n"
"    if (read(args-E<gt>pipe_fd[0], &ch, 1) != 0) {\n"
"        fprintf(stderr,\n"
"                \"Failure in child: read from pipe returned != 0\\en\");\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
"\\&\n"
"    close(args-E<gt>pipe_fd[0]);\n"
"\\&\n"
"    /* Execute a shell command. */\n"
"\\&\n"
"    printf(\"About to exec %s\\en\", args-E<gt>argv[0]);\n"
"    execvp(args-E<gt>argv[0], args-E<gt>argv);\n"
"    err(EXIT_FAILURE, \"execvp\");\n"
"}\n"
"\\&\n"
"#define STACK_SIZE (1024 * 1024)\n"
"\\&\n"
"static char child_stack[STACK_SIZE];    /* Space for child\\[aq]s stack */\n"
"\\&\n"
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"    int flags, opt, map_zero;\n"
"    pid_t child_pid;\n"
"    struct child_args args;\n"
"    char *uid_map, *gid_map;\n"
"    const int MAP_BUF_SIZE = 100;\n"
"    char map_buf[MAP_BUF_SIZE];\n"
"    char map_path[PATH_MAX];\n"
"\\&\n"
"    /* Parse command-line options. The initial \\[aq]+\\[aq] character in\n"
"       the final getopt() argument prevents GNU-style permutation\n"
"       of command-line options. That\\[aq]s useful, since sometimes\n"
"       the \\[aq]command\\[aq] to be executed by this program itself\n"
"       has command-line options. We don\\[aq]t want getopt() to treat\n"
"       those as options to this program. */\n"
"\\&\n"
"    flags = 0;\n"
"    verbose = 0;\n"
"    gid_map = NULL;\n"
"    uid_map = NULL;\n"
"    map_zero = 0;\n"
"    while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n"
"        switch (opt) {\n"
"        case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC;        break;\n"
"        case \\[aq]m\\[aq]: flags |= CLONE_NEWNS;         break;\n"
"        case \\[aq]n\\[aq]: flags |= CLONE_NEWNET;        break;\n"
"        case \\[aq]p\\[aq]: flags |= CLONE_NEWPID;        break;\n"
"        case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS;        break;\n"
"        case \\[aq]v\\[aq]: verbose = 1;                  break;\n"
"        case \\[aq]z\\[aq]: map_zero = 1;                 break;\n"
"        case \\[aq]M\\[aq]: uid_map = optarg;             break;\n"
"        case \\[aq]G\\[aq]: gid_map = optarg;             break;\n"
"        case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER;       break;\n"
"        default:  usage(argv[0]);\n"
"        }\n"
"    }\n"
"\\&\n"
"    /* -M or -G without -U is nonsensical */\n"
"\\&\n"
"    if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n"
"                !(flags & CLONE_NEWUSER)) ||\n"
"            (map_zero && (uid_map != NULL || gid_map != NULL)))\n"
"        usage(argv[0]);\n"
"\\&\n"
"    args.argv = &argv[optind];\n"
"\\&\n"
"    /* We use a pipe to synchronize the parent and child, in order to\n"
"       ensure that the parent sets the UID and GID maps before the child\n"
"       calls execve(). This ensures that the child maintains its\n"
"       capabilities during the execve() in the common case where we\n"
"       want to map the child\\[aq]s effective user ID to 0 in the new user\n"
"       namespace. Without this synchronization, the child would lose\n"
"       its capabilities if it performed an execve() with nonzero\n"
"       user IDs (see the capabilities(7) man page for details of the\n"
"       transformation of a process\\[aq]s capabilities during execve()). */\n"
"\\&\n"
"    if (pipe(args.pipe_fd) == -1)\n"
"        err(EXIT_FAILURE, \"pipe\");\n"
"\\&\n"
"    /* Create the child in new namespace(s). */\n"
"\\&\n"
"    child_pid = clone(childFunc, child_stack + STACK_SIZE,\n"
"                      flags | SIGCHLD, &args);\n"
"    if (child_pid == -1)\n"
"        err(EXIT_FAILURE, \"clone\");\n"
"\\&\n"
"    /* Parent falls through to here. */\n"
"\\&\n"
"    if (verbose)\n"
"        printf(\"%s: PID of child created by clone() is %jd\\en\",\n"
"                argv[0], (intmax_t) child_pid);\n"
"\\&\n"
"    /* Update the UID and GID maps in the child. */\n"
"\\&\n"
"    if (uid_map != NULL || map_zero) {\n"
"        snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n"
"                (intmax_t) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n"
"                    (intmax_t) getuid());\n"
"            uid_map = map_buf;\n"
"        }\n"
"        update_map(uid_map, map_path);\n"
"    }\n"
"\\&\n"
"    if (gid_map != NULL || map_zero) {\n"
"        proc_setgroups_write(child_pid, \"deny\");\n"
"\\&\n"
"        snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n"
"                (intmax_t) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n"
"                    (intmax_t) getgid());\n"
"            gid_map = map_buf;\n"
"        }\n"
"        update_map(gid_map, map_path);\n"
"    }\n"
"\\&\n"
"    /* Close the write end of the pipe, to signal to the child that we\n"
"       have updated the UID and GID maps. */\n"
"\\&\n"
"    close(args.pipe_fd[1]);\n"
"\\&\n"
"    if (waitpid(child_pid, NULL, 0) == -1)      /* Wait for child */\n"
"        err(EXIT_FAILURE, \"waitpid\");\n"
"\\&\n"
"    if (verbose)\n"
"        printf(\"%s: terminating\\en\", argv[0]);\n"
"\\&\n"
"    exit(EXIT_SUCCESS);\n"
"}\n"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SEE ALSO"
msgstr "VÉASE TAMBIÉN"

#.  From the shadow package
#.  From the shadow package
#.  From the shadow package
#.  From the shadow package
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"B<newgidmap>(1), B<newuidmap>(1), B<clone>(2), B<ptrace>(2), B<setns>(2), "
"B<unshare>(2), B<proc>(5), B<subgid>(5), B<subuid>(5), B<capabilities>(7), "
"B<cgroup_namespaces>(7), B<credentials>(7), B<namespaces>(7), "
"B<pid_namespaces>(7)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The kernel source file I<Documentation/admin-guide/namespaces/resource-"
"control.rst>."
msgstr ""

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "2023-02-05"
msgstr "5 Febrero 2023"

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "Linux man-pages 6.03"
msgstr "Páginas de manual de Linux 6.03"

#. type: SS
#: debian-bookworm
#, no-wrap
msgid "The /proc/I<pid>/setgroups file"
msgstr ""

#. type: Plain text
#: debian-bookworm
msgid "Namespaces are a Linux-specific feature."
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "/* userns_child_exec.c\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "   Licensed under GNU General Public License v2 or later\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"   Create a child process that executes a shell command in new\n"
"   namespace(s); allow UID and GID mappings to be specified when\n"
"   creating a user namespace.\n"
"*/\n"
"#define _GNU_SOURCE\n"
"#include E<lt>err.hE<gt>\n"
"#include E<lt>sched.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
"#include E<lt>stdint.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>sys/wait.hE<gt>\n"
"#include E<lt>signal.hE<gt>\n"
"#include E<lt>fcntl.hE<gt>\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>string.hE<gt>\n"
"#include E<lt>limits.hE<gt>\n"
"#include E<lt>errno.hE<gt>\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"struct child_args {\n"
"    char **argv;        /* Command to be executed by child, with args */\n"
"    int    pipe_fd[2];  /* Pipe used to synchronize parent and child */\n"
"};\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "static int verbose;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static void\n"
"usage(char *pname)\n"
"{\n"
"    fprintf(stderr, \"Usage: %s [options] cmd [arg...]\\en\\en\", pname);\n"
"    fprintf(stderr, \"Create a child process that executes a shell \"\n"
"            \"command in a new user namespace,\\en\"\n"
"            \"and possibly also other new namespace(s).\\en\\en\");\n"
"    fprintf(stderr, \"Options can be:\\en\\en\");\n"
"#define fpe(str) fprintf(stderr, \"    %s\", str);\n"
"    fpe(\"-i          New IPC namespace\\en\");\n"
"    fpe(\"-m          New mount namespace\\en\");\n"
"    fpe(\"-n          New network namespace\\en\");\n"
"    fpe(\"-p          New PID namespace\\en\");\n"
"    fpe(\"-u          New UTS namespace\\en\");\n"
"    fpe(\"-U          New user namespace\\en\");\n"
"    fpe(\"-M uid_map  Specify UID map for user namespace\\en\");\n"
"    fpe(\"-G gid_map  Specify GID map for user namespace\\en\");\n"
"    fpe(\"-z          Map user\\[aq]s UID and GID to 0 in user namespace\\en\");\n"
"    fpe(\"            (equivalent to: -M \\[aq]0 E<lt>uidE<gt> 1\\[aq] -G \\[aq]0 E<lt>gidE<gt> 1\\[aq])\\en\");\n"
"    fpe(\"-v          Display verbose messages\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"If -z, -M, or -G is specified, -U is required.\\en\");\n"
"    fpe(\"It is not permitted to specify both -z and either -M or -G.\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"Map strings for -M and -G consist of records of the form:\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"    ID-inside-ns   ID-outside-ns   len\\en\");\n"
"    fpe(\"\\en\");\n"
"    fpe(\"A map string can contain multiple records, separated\"\n"
"        \" by commas;\\en\");\n"
"    fpe(\"the commas are replaced by newlines before writing\"\n"
"        \" to map files.\\en\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    exit(EXIT_FAILURE);\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* Update the mapping file \\[aq]map_file\\[aq], with the value provided in\n"
"   \\[aq]mapping\\[aq], a string that defines a UID or GID mapping. A UID or\n"
"   GID mapping consists of one or more newline-delimited records\n"
"   of the form:\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "       ID_inside-ns    ID-outside-ns   length\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"   Requiring the user to supply a string that contains newlines is\n"
"   of course inconvenient for command-line use. Thus, we permit the\n"
"   use of commas to delimit records in this string, and replace them\n"
"   with newlines before writing the string to the file. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static void\n"
"update_map(char *mapping, char *map_file)\n"
"{\n"
"    int fd;\n"
"    size_t map_len;     /* Length of \\[aq]mapping\\[aq] */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Replace commas in mapping string with newlines. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    map_len = strlen(mapping);\n"
"    for (size_t j = 0; j E<lt> map_len; j++)\n"
"        if (mapping[j] == \\[aq],\\[aq])\n"
"            mapping[j] = \\[aq]\\en\\[aq];\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    fd = open(map_file, O_RDWR);\n"
"    if (fd == -1) {\n"
"        fprintf(stderr, \"ERROR: open %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (write(fd, mapping, map_len) != map_len) {\n"
"        fprintf(stderr, \"ERROR: write %s: %s\\en\", map_file,\n"
"                strerror(errno));\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    close(fd);\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* Linux 3.19 made a change in the handling of setgroups(2) and the\n"
"   \\[aq]gid_map\\[aq] file to address a security issue.  The issue allowed\n"
"   *unprivileged* users to employ user namespaces in order to drop groups.\n"
"   The upshot of the 3.19 changes is that in order to update the\n"
"   \\[aq]gid_maps\\[aq] file, use of the setgroups() system call in this\n"
"   user namespace must first be disabled by writing \"deny\" to one of\n"
"   the /proc/PID/setgroups files for this namespace.  That is the\n"
"   purpose of the following function. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static void\n"
"proc_setgroups_write(pid_t child_pid, char *str)\n"
"{\n"
"    char setgroups_path[PATH_MAX];\n"
"    int fd;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    snprintf(setgroups_path, PATH_MAX, \"/proc/%jd/setgroups\",\n"
"            (intmax_t) child_pid);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    fd = open(setgroups_path, O_RDWR);\n"
"    if (fd == -1) {\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* We may be on a system that doesn\\[aq]t support\n"
"           /proc/PID/setgroups. In that case, the file won\\[aq]t exist,\n"
"           and the system won\\[aq]t impose the restrictions that Linux 3.19\n"
"           added. That\\[aq]s fine: we don\\[aq]t need to do anything in order\n"
"           to permit \\[aq]gid_map\\[aq] to be updated.\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"           However, if the error from open() was something other than\n"
"           the ENOENT error that is expected for that case,  let the\n"
"           user know. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        if (errno != ENOENT)\n"
"            fprintf(stderr, \"ERROR: open %s: %s\\en\", setgroups_path,\n"
"                strerror(errno));\n"
"        return;\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (write(fd, str, strlen(str)) == -1)\n"
"        fprintf(stderr, \"ERROR: write %s: %s\\en\", setgroups_path,\n"
"            strerror(errno));\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static int              /* Start function for cloned child */\n"
"childFunc(void *arg)\n"
"{\n"
"    struct child_args *args = arg;\n"
"    char ch;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Wait until the parent has updated the UID and GID mappings.\n"
"       See the comment in main(). We wait for end of file on a\n"
"       pipe that will be closed by the parent process once it has\n"
"       updated the mappings. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    close(args-E<gt>pipe_fd[1]);    /* Close our descriptor for the write\n"
"                                   end of the pipe so that we see EOF\n"
"                                   when parent closes its descriptor. */\n"
"    if (read(args-E<gt>pipe_fd[0], &ch, 1) != 0) {\n"
"        fprintf(stderr,\n"
"                \"Failure in child: read from pipe returned != 0\\en\");\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    close(args-E<gt>pipe_fd[0]);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Execute a shell command. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    printf(\"About to exec %s\\en\", args-E<gt>argv[0]);\n"
"    execvp(args-E<gt>argv[0], args-E<gt>argv);\n"
"    err(EXIT_FAILURE, \"execvp\");\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "#define STACK_SIZE (1024 * 1024)\n"
msgstr "#define STACK_SIZE (1024 * 1024)\n"

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "static char child_stack[STACK_SIZE];    /* Space for child\\[aq]s stack */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"    int flags, opt, map_zero;\n"
"    pid_t child_pid;\n"
"    struct child_args args;\n"
"    char *uid_map, *gid_map;\n"
"    const int MAP_BUF_SIZE = 100;\n"
"    char map_buf[MAP_BUF_SIZE];\n"
"    char map_path[PATH_MAX];\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Parse command-line options. The initial \\[aq]+\\[aq] character in\n"
"       the final getopt() argument prevents GNU-style permutation\n"
"       of command-line options. That\\[aq]s useful, since sometimes\n"
"       the \\[aq]command\\[aq] to be executed by this program itself\n"
"       has command-line options. We don\\[aq]t want getopt() to treat\n"
"       those as options to this program. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    flags = 0;\n"
"    verbose = 0;\n"
"    gid_map = NULL;\n"
"    uid_map = NULL;\n"
"    map_zero = 0;\n"
"    while ((opt = getopt(argc, argv, \"+imnpuUM:G:zv\")) != -1) {\n"
"        switch (opt) {\n"
"        case \\[aq]i\\[aq]: flags |= CLONE_NEWIPC;        break;\n"
"        case \\[aq]m\\[aq]: flags |= CLONE_NEWNS;         break;\n"
"        case \\[aq]n\\[aq]: flags |= CLONE_NEWNET;        break;\n"
"        case \\[aq]p\\[aq]: flags |= CLONE_NEWPID;        break;\n"
"        case \\[aq]u\\[aq]: flags |= CLONE_NEWUTS;        break;\n"
"        case \\[aq]v\\[aq]: verbose = 1;                  break;\n"
"        case \\[aq]z\\[aq]: map_zero = 1;                 break;\n"
"        case \\[aq]M\\[aq]: uid_map = optarg;             break;\n"
"        case \\[aq]G\\[aq]: gid_map = optarg;             break;\n"
"        case \\[aq]U\\[aq]: flags |= CLONE_NEWUSER;       break;\n"
"        default:  usage(argv[0]);\n"
"        }\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* -M or -G without -U is nonsensical */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (((uid_map != NULL || gid_map != NULL || map_zero) &&\n"
"                !(flags & CLONE_NEWUSER)) ||\n"
"            (map_zero && (uid_map != NULL || gid_map != NULL)))\n"
"        usage(argv[0]);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    args.argv = &argv[optind];\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* We use a pipe to synchronize the parent and child, in order to\n"
"       ensure that the parent sets the UID and GID maps before the child\n"
"       calls execve(). This ensures that the child maintains its\n"
"       capabilities during the execve() in the common case where we\n"
"       want to map the child\\[aq]s effective user ID to 0 in the new user\n"
"       namespace. Without this synchronization, the child would lose\n"
"       its capabilities if it performed an execve() with nonzero\n"
"       user IDs (see the capabilities(7) man page for details of the\n"
"       transformation of a process\\[aq]s capabilities during execve()). */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (pipe(args.pipe_fd) == -1)\n"
"        err(EXIT_FAILURE, \"pipe\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Create the child in new namespace(s). */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    child_pid = clone(childFunc, child_stack + STACK_SIZE,\n"
"                      flags | SIGCHLD, &args);\n"
"    if (child_pid == -1)\n"
"        err(EXIT_FAILURE, \"clone\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Parent falls through to here. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (verbose)\n"
"        printf(\"%s: PID of child created by clone() is %jd\\en\",\n"
"                argv[0], (intmax_t) child_pid);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Update the UID and GID maps in the child. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (uid_map != NULL || map_zero) {\n"
"        snprintf(map_path, PATH_MAX, \"/proc/%jd/uid_map\",\n"
"                (intmax_t) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %jd 1\",\n"
"                    (intmax_t) getuid());\n"
"            uid_map = map_buf;\n"
"        }\n"
"        update_map(uid_map, map_path);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (gid_map != NULL || map_zero) {\n"
"        proc_setgroups_write(child_pid, \"deny\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        snprintf(map_path, PATH_MAX, \"/proc/%jd/gid_map\",\n"
"                (intmax_t) child_pid);\n"
"        if (map_zero) {\n"
"            snprintf(map_buf, MAP_BUF_SIZE, \"0 %ld 1\",\n"
"                    (intmax_t) getgid());\n"
"            gid_map = map_buf;\n"
"        }\n"
"        update_map(gid_map, map_path);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Close the write end of the pipe, to signal to the child that we\n"
"       have updated the UID and GID maps. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    close(args.pipe_fd[1]);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (waitpid(child_pid, NULL, 0) == -1)      /* Wait for child */\n"
"        err(EXIT_FAILURE, \"waitpid\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (verbose)\n"
"        printf(\"%s: terminating\\en\", argv[0]);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    exit(EXIT_SUCCESS);\n"
"}\n"
msgstr ""
"    exit(EXIT_SUCCESS);\n"
"}\n"

#. type: TH
#: debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "2023-05-03"
msgstr "3 Mayo 2023"

#. type: TH
#: debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "Linux man-pages 6.05.01"
msgstr "Páginas de manual de Linux 6.05.01"

#. type: TH
#: opensuse-leap-15-6
#, no-wrap
msgid "2023-04-01"
msgstr "1 Abril 2023"

#. type: TH
#: opensuse-leap-15-6
#, no-wrap
msgid "Linux man-pages 6.04"
msgstr "Linux man-pages 6.04"