Hi Eric, Ping!
Cheers, Michael On 2 February 2015 at 16:36, Michael Kerrisk (man-pages) <mtk.manpa...@gmail.com> wrote: > [Adding Josh to CC in case he has anything to add.] > > On 12/12/2014 10:54 PM, Eric W. Biederman wrote: >> >> Signed-off-by: Eric W. Biederman <ebied...@xmission.com> >> --- >> man5/proc.5 | 15 +++++++++++++++ >> 1 file changed, 15 insertions(+) >> >> diff --git a/man5/proc.5 b/man5/proc.5 >> index 96077d0dd195..d661e8cfeac9 100644 >> --- a/man5/proc.5 >> +++ b/man5/proc.5 >> @@ -1097,6 +1097,21 @@ are not available if the main thread has already >> terminated >> .\" Added in 2.6.9 >> .\" CONFIG_SCHEDSTATS >> .TP >> +.IR /proc/[pid]/setgroups " (since Linux 3.19-rc1)" >> +This file reports >> +.BR allow >> +if the setgroups system call is allowed in the current user namespace. >> +This file reports >> +.BR deny >> +if the setgroups system call is not allowed in the current user namespace. >> +This file may be written to with values of >> +.BR allow >> +and >> +.BR deny >> +before >> +.IR /proc/[pid]/gid_map >> +is written to (enabling setgroups) in a user namespace. >> +.TP >> .IR /proc/[pid]/smaps " (since Linux 2.6.14)" >> This file shows memory consumption for each of the process's mappings. >> (The > > Hi Eric, > > Thanks for this patch. I applied it, and then tried to work in > quite a few other details gleaned from the source code and commit > message, and Jon Corbet's article at http://lwn.net/Articles/626665/. > Could you please let me know if the following is correct: > > /proc/[pid]/setgroups (since Linux 3.19) > This file displays the string "allow" if processes in > the user namespace that contains the process pid are > permitted to employ the setgroups(2) system call, and > "deny" if setgroups(2) is not permitted in that user > namespace. > > A privileged process (one with the CAP_SYS_ADMIN capa‐ > bility in the namespace) may write either of the strings > "allow" or "deny" to this file before writing a group ID > mapping for this user namespace to the file > /proc/[pid]/gid_map. Writing the string "deny" prevents > any process in the user namespace from employing set‐ > groups(2). > > The default value of this file in the initial user > namespace is "allow". > > Once /proc/[pid]/gid_map has been written to (which has > the effect of enabling setgroups(2) in the user names‐ > pace), it is no longer possible to deny setgroups(2) by > writing to /proc/[pid]/setgroups. > > A child user namespace inherits the /proc/[pid]/gid_map > setting from its parent. > > If the setgroups file has the value "deny", then the > setgroups(2) system call can't subsequently be reenabled > (by writing "allow" to the file) in this user namespace. > This restriction also propagates down to all child user > namespaces of this user namespace. > > Thanks, > > Michael > > -- > Michael Kerrisk > Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ > Linux/UNIX System Programming Training: http://man7.org/training/ -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
