Hi Helge,

On 3/12/23 06:06, Helge Kreutzmann wrote:
> Hello Alex,
> On Sun, Mar 12, 2023 at 12:25:12AM +0100, Alejandro Colomar wrote:
>> Hi Helge,
>>
>> On 3/11/23 18:13, Helge Kreutzmann wrote:
>>> Without further ado, the following was found:
>>>
>>> Issue: /proc/I<pid>/setgroups → I</proc/>pidI</setgroups
>>
>> I don't find this. Please report with more context.
>
> Writing "deny" to the /proc/pid/setgroups file before writing to /proc/pid/gid_map will permanently disable setgroups(2) in a user namespace and allow writing to /proc/pid/gid_map without having the CAP_SETGID capability in the
> parent user namespace.
>
> The /proc/pid/setgroups file
> The /proc/pid/setgroups file displays the string "allow" if processes in the user namespace that contains the process pid are permitted to employ the setgroups(2) system call; it displays "deny" if setgroups(2) is not permitted
> in that user namespace. Note that regardless of the value in the /proc/pid/setgroups file (and regardless of the process's capabilities), calls to setgroups(2) are also not permitted if /proc/pid/gid_map has not yet been set.
>
>> Cheers,
>>
>> Alex
>>
>>>
>>> "The /proc/I<pid>/setgroups file"
>
>
> I assume this is as intended, i.e. like in the other bug report
> where you said you fixed it the other way around?
>
> Then I add a WONTFIX, of course.

Ahh, now I understand. Since you didn't use B<> in the report, I didn't
think you referred to the subsection heading. Now that I think, it should
be inverted here too. The file name should be in italics, and the variable
part in roman.

Cheers,

Alex

>
> Greetings
>
> Helge
>

--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5