In order to create a nested user namespace, we need to re-set the PR_SET_DUMPABLE attribute after switching the effective UID/GID. Clarify this in the section about nested user namespaces. Having this note would have saved me some time debugging. Signed-off-by: Rodrigo Campos <rodrigo@xxxxxxxxxxx> --- Thanks for the review. Is this okay now? :) I'm new to semantic new lines and doubted about how to split some parts :-) --- man7/user_namespaces.7 | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git man7/user_namespaces.7 man7/user_namespaces.7 index 3c376a9f0..3db79d9a2 100644 --- man7/user_namespaces.7 +++ man7/user_namespaces.7 @@ -91,6 +91,23 @@ The operation can be used to discover the parental relationship between user namespaces; see .BR ioctl_ns (2). +.PP +A task that changes one of its effective IDs +will have its dumpability reset to the value in +.IR /proc/sys/fs/suid_dumpable . +This may affect the ownership of proc files of child processes +and may thus cause the parent to lack the permissions +to write to mapping files of child processes running in a new user namespace. +In such cases making the parent process dumpable, using +.B PR_SET_DUMPABLE +in a call to +.BR prctl (2), +before creating a child process in a new user namespace may rectify this problem. +See +.BR prctl (2) +and +.BR proc (5) +for details on how ownership is affected. .\" .\" ============================================================ .\" -- 2.39.2
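Review bot: the added paragraph leaves out the step that makes the advice work, namely that the "dumpable" attribute is inherited across fork(2), so a parent that has become non-dumpable (after changing an effective ID) produces children that are also non-dumpable, and it is the child's non-dumpable state that makes its /proc/PID/uid_map and gid_map owned by root and unwritable by the unprivileged parent. Consider stating this directly, e.g. "Because the dumpable attribute is inherited across fork(2), the child processes will also be non-dumpable, and their /proc/[pid]/uid_map and /proc/[pid]/gid_map files will be owned by root rather than by the parent's effective UID." Two smaller points: "proc files" would be clearer as "/proc/[pid] files" (or name uid_map and gid_map, since they are the files the surrounding page already discusses), and "In such cases making the parent process dumpable" needs a comma after "cases" to keep the semantic-newline split readable.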