Hello Alex,

On Sun, Mar 12, 2023 at 12:25:12AM +0100, Alejandro Colomar wrote:
> Hi Helge,
>
> On 3/11/23 18:13, Helge Kreutzmann wrote:
> > Without further ado, the following was found:
> >
> > Issue: /proc/I<pid>/setgroups → I</proc/>pidI</setgroups
>
> I don't find this. Please report with more context.

    Writing "deny" to the /proc/pid/setgroups file before writing to
    /proc/pid/gid_map will permanently disable setgroups(2) in a user
    namespace and allow writing to /proc/pid/gid_map without having
    the CAP_SETGID capability in the parent user namespace.

  The /proc/pid/setgroups file
    The /proc/pid/setgroups file displays the string "allow" if
    processes in the user namespace that contains the process pid are
    permitted to employ the setgroups(2) system call; it displays
    "deny" if setgroups(2) is not permitted in that user namespace.
    Note that regardless of the value in the /proc/pid/setgroups file
    (and regardless of the process's capabilities), calls to
    setgroups(2) are also not permitted if /proc/pid/gid_map has not
    yet been set.

> Cheers,
>
> Alex
>
> >
> > "The /proc/I<pid>/setgroups file"

I assume this is as intended, i.e. like in the other bug report where
you said you fixed it the other way around? Then I add a WONTFIX, of
course.

Greetings

        Helge

--
      Dr. Helge Kreutzmann                     debian@xxxxxxxxxxxxx
      Dipl.-Phys.                   http://www.helgefjell.de/debian.php
      64bit GNU powered                     gpg signed mail preferred
      Help keep free software "libre": http://www.ffii.de/
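The behaviour described in the man page excerpt quoted in the message above can be checked with a short program. This is an added example, not part of the original mail or of the man-pages project; the names write_proc, child and check_setgroups_deny are hypothetical, and it assumes a Linux system that lets an unprivileged process create a user namespace.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000  /* same value as in <linux/sched.h> */
#endif

/* Write s to a /proc file; returns 0 on success, errno on failure. */
static int write_proc(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    int err = write(fd, s, strlen(s)) < 0 ? errno : 0;
    close(fd);
    return err;
}

/* 0 = behaves as the excerpt says, 1 = it does not, 2 = cannot test here. */
static int child(void)
{
    char map[64];
    snprintf(map, sizeof map, "0 %ld 1", (long)getegid());
    if (syscall(SYS_unshare, CLONE_NEWUSER) != 0) return 2;
    /* No CAP_SETGID in the parent namespace, so "deny" has to come first. */
    if (write_proc("/proc/self/setgroups", "deny") != 0) return 2;
    if (write_proc("/proc/self/gid_map", map) != 0) return 1;
    /* setgroups(2) must now fail with EPERM, even with gid_map set. */
    if (setgroups(0, NULL) == 0 || errno != EPERM) return 1;
    /* The setting is permanent: switching back to "allow" is refused. */
    return write_proc("/proc/self/setgroups", "allow") == 0 ? 1 : 0;
}

/* Run the check in a forked child so the caller stays in its own namespace. */
int check_setgroups_deny(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) _exit(child());
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 2;
    return WEXITSTATUS(status);
}

int main(void) { return check_setgroups_deny() == 1; }
```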