In order to create a nested user namespace, we need to re-set the PR_SET_DUMPABLE attribute after switching the effective UID/GID. Clarify this in the section about nested user namespaces. Having this note would have saved me some time debugging. Signed-off-by: Rodrigo Campos <rodrigo@xxxxxxxxxxx> --- Thanks, so how about this instead? --- man7/user_namespaces.7 | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git man7/user_namespaces.7 man7/user_namespaces.7 index 6647b02bf..6bc04bde5 100644 --- man7/user_namespaces.7 +++ man7/user_namespaces.7 @@ -91,6 +91,22 @@ The operation can be used to discover the parental relationship between user namespaces; see .BR ioctl_ns (2). +.PP +A task that changes one of its effective IDs will have its dumpability +reset to the value in /proc/sys/fs/suid_dumpable. This may affect the +ownership of proc files of child processes and may thus cause the parent +to lack the permissions to write to mapping files of child processes +running in a new user namespace. In such cases making the parent process +dumpable, using +.B PR_SET_DUMPABLE +in a call to +.BR prctl (2), +before creating a child process in a new user namespace may +rectify this problem. See +.BR prctl (2) +and +.BR proc (5) +for details on how ownership is affected. .\" .\" ============================================================ .\" -- 2.39.2
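Review bot: In the new paragraph, the pathname /proc/sys/fs/suid_dumpable is set as plain text; man-pages convention is to mark pathnames with .I, so it should be written as ".I /proc/sys/fs/suid_dumpable" on its own line like the other roff macros in this hunk. Two further points on the same paragraph. First, "mapping files of child processes" is vague for a reader who has not yet reached the part of the page that describes them; naming them directly (the uid_map and gid_map files under /proc/[pid]) would make it clear which writes fail. Second, the text says the dumpability reset "may affect the ownership of proc files of child processes" without saying why a child is affected at all; the missing step is that the child created by fork(2)/clone(2) inherits the parent's non-dumpable setting, so its /proc/[pid] files are owned by root and an unprivileged parent cannot write its maps. Stating that explicitly, and replacing the hedged "may rectify this problem" with a plain statement that setting PR_SET_DUMPABLE to 1 before the clone(2)/fork(2) restores the parent's ability to write the child's maps, would make the note match what the commit message describes having to do in practice.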