Re: [PATCH 1/2] proc.5: Document /proc/[pid]/setgroups

From: Michael Kerrisk (man-pages)
Date: Mon Feb 02 2015 - 10:37:06 EST

Next message: Mark Rutland: "Re: [PATCH 1/2] arm64: adding cpu lookup functionality"
Previous message: Michael Kerrisk (man-pages): "Re: [PATCH] umount.2: Document the effect of shared subtrees on umount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Adding Josh to CC in case he has anything to add.]

On 12/12/2014 10:54 PM, Eric W. Biederman wrote:
>
> Signed-off-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
> ---
> man5/proc.5 | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/man5/proc.5 b/man5/proc.5
> index 96077d0dd195..d661e8cfeac9 100644
> --- a/man5/proc.5
> +++ b/man5/proc.5
> @@ -1097,6 +1097,21 @@ are not available if the main thread has already terminated
> .\" Added in 2.6.9
> .\" CONFIG_SCHEDSTATS
> .TP
> +.IR /proc/[pid]/setgroups " (since Linux 3.19-rc1)"
> +This file reports
> +.BR allow
> +if the setgroups system call is allowed in the current user namespace.
> +This file reports
> +.BR deny
> +if the setgroups system call is not allowed in the current user namespace.
> +This file may be written to with values of
> +.BR allow
> +and
> +.BR deny
> +before
> +.IR /proc/[pid]/gid_map
> +is written to (enabling setgroups) in a user namespace.
> +.TP
> .IR /proc/[pid]/smaps " (since Linux 2.6.14)"
> This file shows memory consumption for each of the process's mappings.
> (The

Hi Eric,

Thanks for this patch. I applied it, and then tried to work in
quite a few other details gleaned from the source code and commit
message, and Jon Corbet's article at http://lwn.net/Articles/626665/.
Could you please let me know if the following is correct:

/proc/[pid]/setgroups (since Linux 3.19)
This file displays the string "allow" if processes in
the user namespace that contains the process pid are
permitted to employ the setgroups(2) system call, and
"deny" if setgroups(2) is not permitted in that user
namespace.

A privileged process (one with the CAP_SYS_ADMIN capaâ
bility in the namespace) may write either of the strings
"allow" or "deny" to this file before writing a group ID
mapping for this user namespace to the file
/proc/[pid]/gid_map. Writing the string "deny" prevents
any process in the user namespace from employing setâ
groups(2).

The default value of this file in the initial user
namespace is "allow".

Once /proc/[pid]/gid_map has been written to (which has
the effect of enabling setgroups(2) in the user namesâ
pace), it is no longer possible to deny setgroups(2) by
writing to /proc/[pid]/setgroups.

A child user namespace inherits the /proc/[pid]/gid_map
setting from its parent.

If the setgroups file has the value "deny", then the
setgroups(2) system call can't subsequently be reenabled
(by writing "allow" to the file) in this user namespace.
This restriction also propagates down to all child user
namespaces of this user namespace.

Thanks,

Michael

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mark Rutland: "Re: [PATCH 1/2] arm64: adding cpu lookup functionality"
Previous message: Michael Kerrisk (man-pages): "Re: [PATCH] umount.2: Document the effect of shared subtrees on umount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]