On Wed, Mar 08, 2023 at 04:22:19PM +0100, Rodrigo Campos wrote: > In order to create a nested user namespace, we need to re-set the > PR_SET_DUMPABLE attribute after switching the effective UID/GID. Clarify > this in the section about nested user namespaces. > > Having this note would have saved me some time debugging. > > Signed-off-by: Rodrigo Campos <rodrigo@xxxxxxxxxxx> > --- > man7/user_namespaces.7 | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git man7/user_namespaces.7 man7/user_namespaces.7 > index 6647b02bf..18d85a5d6 100644 > --- man7/user_namespaces.7 > +++ man7/user_namespaces.7 > @@ -91,6 +91,23 @@ The > operation can be used to discover the parental relationship > between user namespaces; see > .BR ioctl_ns (2). > +.PP > +When creating a user namespace is often common to change the effective UID and > +GID of the process to the ones in the user namespace. Bear in mind that doing > +so, as described in > +.BR prctl (2), > +the > +.B PR_SET_DUMPABLE > +attribute is reset. > +If a process is not dumpable, > +the ownership of files in the process's > +.IR /proc/ pid > +directory is affected as described in > +.BR proc (5). > +Therefore, you may want to reset > +.B PR_SET_DUMPABLE > +after changing the effective UID/GID, in order to be allowed to write the > +mapping files of a nested user namespace. I would probably phrase this sm like: "A task that changes one of its effective ids will have its dumpability reset to the value in /proc/sys/fs/suid_dumpable. This may affect the ownership of proc files of child processes and may thus cause the parent to lack the permissions to write to mapping files of child processes running in a new user namespace. In such cases making the parent process dumpable before creating a child process in a new user namespace may rectify this problem. See prctl (2) and proc (5) for details on how ownership is affected."
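Review bot: the new paragraph in this hunk is too loose about what gets reset and what the reader is supposed to do about it. "When creating a user namespace is often common to change" should read "it is common to change"; "the PR_SET_DUMPABLE attribute is reset" should say what it is reset to, namely the value in /proc/sys/fs/suid_dumpable; and "you may want to reset PR_SET_DUMPABLE" is ambiguous, since the reader has to call prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) to set the attribute, not reset it. The paragraph also never connects the ownership of the parent's own /proc/pid files to the nested case it is meant to document: the dumpable flag is inherited across fork(2), so a child that a non-dumpable parent creates in a new user namespace has root-owned /proc/pid/uid_map and /proc/pid/gid_map, which a parent that has already switched to an unprivileged effective UID can no longer write. Suggest saying that explicitly and noting that the prctl call belongs before the fork(2)/clone(2) that creates the child.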
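The following program is an added illustration of the behaviour discussed in this thread; it is not part of the patch or of the man page. It switches the effective UID, records what prctl(PR_GET_DUMPABLE) returns and who owns /proc/self/uid_map at that point, then applies the fix (prctl(PR_SET_DUMPABLE, 1)) and records both again. It assumes it is run with CAP_SETUID (for example as root) so that seteuid() to 65534, taken here as "nobody", actually changes the effective UID; without that, or if 65534 is not mapped in the current user namespace, it reports that nothing changed rather than failing.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Observations taken around one change of effective UID. */
struct dump_probe {
    int   euid_changed;          /* 1 if seteuid() really moved us to another uid */
    uid_t euid_used;             /* the uid we switched to */
    int   dumpable_after_change; /* PR_GET_DUMPABLE right after seteuid() */
    uid_t owner_after_change;    /* st_uid of /proc/self/uid_map then; (uid_t)-1 if stat failed */
    int   dumpable_after_fix;    /* PR_GET_DUMPABLE after prctl(PR_SET_DUMPABLE, 1) */
    uid_t owner_after_fix;       /* st_uid of /proc/self/uid_map after the fix */
};

int get_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Owner of our own uid_map: non-dumpable tasks get root-owned /proc/PID files (proc(5)). */
uid_t uid_map_owner(void)
{
    struct stat st;
    if (stat("/proc/self/uid_map", &st) != 0)
        return (uid_t)-1;
    return st.st_uid;
}

/* Value dumpability is reset to on a uid/gid change; -1 if the sysctl is unreadable. */
int read_suid_dumpable(void)
{
    FILE *f = fopen("/proc/sys/fs/suid_dumpable", "r");
    int v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/*
 * Switch the effective UID to `target`, record dumpability and uid_map
 * ownership, apply the fix, record again, then switch back.  Always returns 0;
 * if we lack CAP_SETUID or `target` is not mapped in our user namespace,
 * out->euid_changed stays 0 and the other fields are left at their defaults.
 */
int probe_dumpable_reset(uid_t target, struct dump_probe *out)
{
    uid_t orig = geteuid();
    int orig_dumpable = get_dumpable();

    memset(out, 0, sizeof(*out));
    out->euid_used = target;
    out->owner_after_change = (uid_t)-1;
    out->owner_after_fix = (uid_t)-1;

    if (target == orig || seteuid(target) != 0)
        return 0;                      /* euid did not change, so there is no reset to observe */
    out->euid_changed = 1;

    /* The kernel has now reset dumpability to fs.suid_dumpable (prctl(2)). */
    out->dumpable_after_change = get_dumpable();
    out->owner_after_change = uid_map_owner();

    /* The fix: become dumpable again before fork()ing the child that gets the new user ns. */
    if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) == 0) {
        out->dumpable_after_fix = get_dumpable();
        out->owner_after_fix = uid_map_owner();
    }

    /* Switching back changes the euid again, which resets dumpability once more. */
    if (seteuid(orig) == 0 && orig_dumpable == 1)
        (void)prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
    return 0;
}

int main(void)
{
    struct dump_probe p;

    probe_dumpable_reset(65534, &p);   /* 65534 taken as "nobody" (assumption) */
    if (!p.euid_changed) {
        printf("could not change euid (need CAP_SETUID and a mapped uid); fs.suid_dumpable=%d\n",
               read_suid_dumpable());
        return 0;
    }
    printf("after seteuid(%u): dumpable=%d, /proc/self/uid_map owner=%u\n",
           (unsigned)p.euid_used, p.dumpable_after_change, (unsigned)p.owner_after_change);
    printf("after PR_SET_DUMPABLE=1: dumpable=%d, /proc/self/uid_map owner=%u\n",
           p.dumpable_after_fix, (unsigned)p.owner_after_fix);
    return 0;
}
```

With fs.suid_dumpable at its usual 0 (or 2), the first line shows uid_map owned by uid 0 right after the UID change, and the second shows it owned by the new euid once the process is dumpable again. In the nested-namespace case from the patch the parent does the seteuid()/setegid(), so the prctl(PR_SET_DUMPABLE, 1) call goes in the parent before the fork(2) or clone(2) with CLONE_NEWUSER; the child inherits the dumpable flag, and it is the child's /proc/PID/uid_map and gid_map that the parent must be able to open for writing.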