Hi Rodrigo, On 4/1/23 14:59, Rodrigo Campos wrote: > In order to create a nested user namespace, we need to re-set the > PR_SET_DUMPABLE attribute after switching the effective UID/GID. Clarify > this in the section about nested user namespaces. > > Having this note would have saved me some time debugging. > > Signed-off-by: Rodrigo Campos <rodrigo@xxxxxxxxxxx> > --- > > Thanks for the review. Is this okay now? :) Yep :) > > I'm new to semantic new lines and doubted about how to split some parts :-)\ Looks good. I applied the patch. Thanks, Alex > > --- > man7/user_namespaces.7 | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git man7/user_namespaces.7 man7/user_namespaces.7 > index 3c376a9f0..3db79d9a2 100644 > --- man7/user_namespaces.7 > +++ man7/user_namespaces.7 > @@ -91,6 +91,23 @@ The > operation can be used to discover the parental relationship > between user namespaces; see > .BR ioctl_ns (2). > +.PP > +A task that changes one of its effective IDs > +will have its dumpability reset to the value in > +.IR /proc/sys/fs/suid_dumpable . > +This may affect the ownership of proc files of child processes > +and may thus cause the parent to lack the permissions > +to write to mapping files of child processes running in a new user namespace. > +In such cases making the parent process dumpable, using > +.B PR_SET_DUMPABLE > +in a call to > +.BR prctl (2), > +before creating a child process in a new user namespace may rectify this problem. > +See > +.BR prctl (2) > +and > +.BR proc (5) > +for details on how ownership is affected. > .\" > .\" ============================================================ > .\" -- <http://www.alejandro-colomar.es/> GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
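Review bot: The sentence beginning "In such cases making the parent process dumpable" gives only half of the ordering. It says the prctl(2) call must come "before creating a child process in a new user namespace", but not that it must come after the effective ID change, which is what the commit message describes ("re-set the PR_SET_DUMPABLE attribute after switching the effective UID/GID"). The paragraph's first sentence says an ID change resets dumpability, so a reader who sets the attribute before the ID change will have it reset again and still hit the permission problem. Consider wording such as "after the ID change and before creating a child process in a new user namespace". The paragraph also does not say which dumpable value to set, and "proc files" and "mapping files" could name the files meant, so the reader need not consult prctl(2) and proc(5) to find out.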