| author | Rodrigo Campos <rodrigo@sdfg.com.ar> | 2023-04-01 14:59:26 +0200 |
|---|---|---|
| committer | Alejandro Colomar <alx@kernel.org> | 2023-04-01 16:23:25 +0200 |
| commit | 6aba08c6d65d92aa539633724ca8b3b9a43914e0 (patch) | |
| tree | 0479ed0595cdf2a701f4b5a41d3c8fbc305d31dc | |
| parent | 5b116edbe587e749cfb5bd9c34ed2d8d635f77a8 (diff) | |
user_namespaces.7: Add note about PR_SET_DUMPABLE on nested userns
In order to create a nested user namespace, we need to re-set the
PR_SET_DUMPABLE attribute after switching the effective UID/GID. Clarify
this in the section about nested user namespaces.
Having this note would have saved me some time debugging.
Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar>
Cc: Christian Brauner <brauner@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
| -rw-r--r-- | man7/user_namespaces.7 | 17 |
|---|---|---|

1 files changed, 17 insertions, 0 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index 3c376a9f0..3db79d9a2 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -91,6 +91,23 @@ The operation can be used to discover the parental relationship between user namespaces; see .BR ioctl_ns (2). +.PP +A task that changes one of its effective IDs +will have its dumpability reset to the value in +.IR /proc/sys/fs/suid_dumpable . +This may affect the ownership of proc files of child processes +and may thus cause the parent to lack the permissions +to write to mapping files of child processes running in a new user namespace. +In such cases making the parent process dumpable, using +.B PR_SET_DUMPABLE +in a call to +.BR prctl (2), +before creating a child process in a new user namespace may rectify this problem. +See +.BR prctl (2) +and +.BR proc (5) +for details on how ownership is affected. .\" .\" ============================================================ .\" |
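Review bot: The added paragraph names PR_SET_DUMPABLE but never states the value the parent has to set, so a reader still has to go to prctl(2) to learn that the call is prctl(PR_SET_DUMPABLE, 1, 0, 0, 0); suggest spelling that out in the sentence "In such cases making the parent process dumpable, using .B PR_SET_DUMPABLE in a call to .BR prctl (2)". The same sentence would also benefit from a one-line caveat that restoring dumpability undoes the protection the reset provides (the ownership change described in the preceding sentences is what keeps other users away from the parent's /proc files), so the flag should be raised only around the creation of the child and the writes to its mapping files, and lowered again afterwards. Finally, the hedged "may rectify this problem" reads oddly in a man page; since the commit message describes this as the required step for nested user namespaces, a plain "restores the parent's ability to write these files" would be clearer.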