Hi Eric,
On Tue, Jan 1, 2013 at 11:12 AM, Eric W. Biederman
<[email protected]> wrote:
> "Michael Kerrisk (man-pages)" <[email protected]> writes:
>
>> Hi Eric,
>>
>> On Fri, Dec 28, 2012 at 10:20 PM, Eric W. Biederman
>> <[email protected]> wrote:
>>> "Michael Kerrisk (man-pages)" <[email protected]> writes:
>>
>> [...]
>>
>>>>> For writing you are correct about the mapping to the parent (but that is
>>>>> not an exception that is a restriction on who can write to the file).
>>>>
>>>> So, by the way, I added this sentence to the page:
>>>>
>>>> In order to write to the /proc/[pid]/uid_map
>>>> (/proc/[pid]/gid_map) file, a process must have the
>>>> CAP_SETUID (CAP_SETGID) capability in the user namespace
>>>> of the process pid.
>>>>
>>>> Is that correct?
>>>
>>> Yes.
>>>
>>>> But, there appear to be more rules than this governing whether a
>>>> process can write to the file (i.e., various other -EPERM cases). What
>>>> are the rules?
>>>
>>> In general you must also have CAP_SETUID (CAP_SETGID) in the parent user
>>> namespace as well. The one exception to that is if you are mapping
>>> your current uid and gid.
>>
>> Can you clarify what you mean by "mapping your own UID and GID" please
>> (i.e., who is "you" in that sentence)?
>
> At the time of clone() or unshare() that creates a new user namespace,
> the kuid and the kgid of the process do not change.
>
> setuid and setgid fail before any mappings are set up.
>
> Therefore the caller is allowed to map any single uid to the uid of the
> caller in the parent user namespace. Likewise the caller is allowed to
> map any single gid to the gid of the caller in the parent user
> namespace.

So, then is the following text now correct and complete:

    In order for a process to write to the /proc/[pid]/uid_map
    (/proc/[pid]/gid_map) file, the following requirements must be
    met:

    * The process must have the CAP_SETUID (CAP_SETGID) capability
      in the user namespace of the process pid.

    * The process must have the CAP_SETUID (CAP_SETGID) capability
      in the parent user namespace. There is an exception to this
      requirement: a process writing to uid_map (gid_map) is
      allowed to map any single UID (GID) to the file system UID
      (GID) of the caller in the parent user namespace.

    * The process must be in either the user namespace of the
      process pid or inside the parent user namespace of the
      process pid.

Cheers,

Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface"; http://man7.org/tlpi/
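The three rules above can be exercised from an unprivileged process: after unshare(CLONE_NEWUSER) the caller holds all capabilities in the new namespace (rule 1) and is writing to its own uid_map (rule 3), so only the parent-namespace rule (rule 2) and its exception remain in play. The program below is an added illustration, not code from the thread or from the man-pages project; it assumes a Linux system with unprivileged user namespaces enabled and that the caller's effective and filesystem UIDs are equal (the normal case), and it constructs a "wrong" UID as the caller's UID plus one.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Build one uid_map/gid_map line, "<inside> <outside> <count>\n".
 * Returns the number of characters written, or -1 if buf is too small. */
int format_id_map(char *buf, size_t len, unsigned inner, unsigned outer, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inner, outer, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Write a single mapping line to /proc/self/<file>; 0 on success, else -errno.
 * The kernel enforces the thread's rules here: EPERM if the writer lacks
 * CAP_SETUID in the target namespace, or lacks it in the parent namespace and
 * the line maps to anything other than the writer's own parent-namespace UID. */
int write_id_map(const char *file, unsigned inner, unsigned outer, unsigned count)
{
    char path[64], line[64];
    int n = format_id_map(line, sizeof line, inner, outer, count);
    if (n < 0)
        return -EINVAL;
    snprintf(path, sizeof path, "/proc/self/%s", file);
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    int rc = (write(fd, line, n) == n) ? 0 : -errno;
    close(fd);
    return rc;
}

int main(void)
{
    uid_t me = geteuid();                 /* our UID as seen in the parent namespace */
    if (unshare(CLONE_NEWUSER) < 0) {     /* new namespace; we hold all caps inside it */
        perror("unshare(CLONE_NEWUSER)");
        return 1;
    }
    /* Mapping a UID we do not own needs CAP_SETUID in the parent: EPERM when unprivileged.
     * A rejected write leaves the map unset, so the next attempt is still allowed. */
    int rc = write_id_map("uid_map", 0, me + 1, 1);   /* me + 1 is a constructed "wrong" UID */
    printf("map 0 -> %u: %s\n", me + 1, rc ? strerror(-rc) : "ok");
    /* The exception: any single UID may be mapped to our own parent-namespace UID. */
    rc = write_id_map("uid_map", 0, me, 1);
    printf("map 0 -> %u: %s\n", me, rc ? strerror(-rc) : "ok");
    return rc ? 1 : 0;
}
```

Run it as an ordinary user: the first write fails with "Operation not permitted" and the second succeeds. Run as root (which holds CAP_SETUID in the parent) the first write succeeds instead, and the second then fails because a uid_map file can only be written once.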