In order to create a nested user namespace, we need to re-set the PR_SET_DUMPABLE attribute after switching the effective UID/GID. Clarify this in the section about nested user namespaces. Having this note would have saved me some time debugging. Signed-off-by: Rodrigo Campos <rodrigo@xxxxxxxxxxx> --- man7/user_namespaces.7 | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git man7/user_namespaces.7 man7/user_namespaces.7 index 6647b02bf..18d85a5d6 100644 --- man7/user_namespaces.7 +++ man7/user_namespaces.7 @@ -91,6 +91,23 @@ The operation can be used to discover the parental relationship between user namespaces; see .BR ioctl_ns (2). +.PP +When creating a user namespace is often common to change the effective UID and +GID of the process to the ones in the user namespace. Bear in mind that doing +so, as described in +.BR prctl (2), +the +.B PR_SET_DUMPABLE +attribute is reset. +If a process is not dumpable, +the ownership of files in the process's +.IR /proc/ pid +directory is affected as described in +.BR proc (5). +Therefore, you may want to reset +.B PR_SET_DUMPABLE +after changing the effective UID/GID, in order to be allowed to write the +mapping files of a nested user namespace. .\" .\" ============================================================ .\" -- 2.39.2
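Review bot: The closing sentence of the new paragraph, "you may want to reset PR_SET_DUMPABLE ... in order to be allowed to write the mapping files", says the opposite of what is meant: two sentences earlier the same attribute "is reset" by the UID/GID change, so the reader cannot tell whether "reset" here means clear it again or turn it back on. State the intended action explicitly, e.g. "re-enable the dumpable attribute with prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) after changing the effective UID/GID" (the commit message's "re-set" has the same ambiguity). The first sentence is also ungrammatical: "When creating a user namespace is often common to change the effective UID and GID of the process to the ones in the user namespace" should read something like "After creating a user namespace, it is common to change the effective UID and GID of the process to IDs that are mapped in that namespace". The next sentence has a dangling clause ("Bear in mind that doing so, as described in prctl(2), the PR_SET_DUMPABLE attribute is reset"); suggest "Bear in mind that, as described in prctl(2), doing so clears the dumpable attribute". Finally, the consequence described (root-owned /proc/pid files that the unprivileged creator can no longer open for writing) applies to writing uid_map/gid_map of any user namespace from a process that has changed its credentials, not only a nested one, so either drop "nested" from the last sentence or say why the nested case is where this bites (the creator of the inner namespace has typically already switched IDs inside the outer one).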