Re: [PATCH] user_namespaces.7: Add note about PR_SET_DUMPABLE on nested userns

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Rodrigo,

Thanks for the ping :)

On 3/8/23 18:03, Rodrigo Campos wrote:
> In order to create a nested user namespace, we need to re-set the
> PR_SET_DUMPABLE attribute after switching the effective UID/GID. Clarify
> this in the section about nested user namespaces.
> 
> Having this note would have saved me some time debugging.
> 
> Signed-off-by: Rodrigo Campos <rodrigo@xxxxxxxxxxx>
> ---
> 
> Thanks, so how about this instead?
> 
> ---
>  man7/user_namespaces.7 | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git man7/user_namespaces.7 man7/user_namespaces.7
> index 6647b02bf..6bc04bde5 100644
> --- man7/user_namespaces.7
> +++ man7/user_namespaces.7
> @@ -91,6 +91,22 @@ The
>  operation can be used to discover the parental relationship
>  between user namespaces; see
>  .BR ioctl_ns (2).
> +.PP
> +A task that changes one of its effective IDs will have its dumpability
> +reset to the value in /proc/sys/fs/suid_dumpable. This may affect the

Pathnames should be in italics:

.IR /proc/sys/fs/suid_dumpable .

Also, please use semantic newlines.  See man-pages(7):
   Use semantic newlines
       In the source of a manual page, new sentences should be started
       on  new  lines,  long  sentences  should be split into lines at
       clause breaks (commas, semicolons, colons, and so on), and long
       clauses should be split at phrase boundaries.  This convention,
       sometimes known as "semantic newlines", makes it easier to  see
       the  effect of patches, which often operate at the level of in‐
       dividual sentences, clauses, or phrases.

Thanks,

Alex


> +ownership of proc files of child processes and may thus cause the parent
> +to lack the permissions to write to mapping files of child processes
> +running in a new user namespace. In such cases making the parent process
> +dumpable, using
> +.B PR_SET_DUMPABLE
> +in a call to
> +.BR prctl (2),
> +before creating a child process in a new user namespace may
> +rectify this problem. See
> +.BR prctl (2)
> +and
> +.BR proc (5)
> +for details on how ownership is affected.
>  .\"
>  .\" ============================================================
>  .\"

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

[Index of Archives]     [Kernel Documentation]     [Netdev]     [Linux Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux