From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754721AbaIARb4 (ORCPT ); Mon, 1 Sep 2014 13:31:56 -0400
Received: from mail-la0-f48.google.com ([209.85.215.48]:46060 "EHLO mail-la0-f48.google.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1754700AbaIARbw (ORCPT ); Mon, 1 Sep 2014 13:31:52 -0400
Message-ID: <5404A5A4.2080108@gmail.com>
Date: Mon, 01 Sep 2014 18:58:12 +0200
From: "Michael Kerrisk (man-pages)"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: "Serge E. Hallyn"
CC: mtk.manpages@gmail.com, "Eric W. Biederman", lkml, "linux-man@vger.kernel.org",
	containers@lists.linux-foundation.org, Andy Lutomirski, richard.weinberger@gmail.com
Subject: Re: For review: user_namespace(7) man page
References: <53F5310A.5080503@gmail.com> <20140822211215.GA26308@mail.hallyn.com>
In-Reply-To: <20140822211215.GA26308@mail.hallyn.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On 08/22/2014 11:12 PM, Serge E. Hallyn wrote:
> Quoting Michael Kerrisk (man-pages) (mtk.manpages@gmail.com):
>> Hello Eric et al.,
>>
>> For various reasons, my work on the namespaces man pages
>> fell off the table a while back. Nevertheless, the pages have
>> been close to completion for a while now, and I recently restarted,
>> in an effort to finish them. As you also noted to me f2f, there have
>> recently been some small namespace changes that may affect
>> the content of the pages. Therefore, I'll take the opportunity to
>> send the namespace-related pages out for further (final?) review.
>>
>> So, here, I start with the user_namespaces(7) page, which is shown
>> in rendered form below, with source attached to this mail. I'll
>> send various other pages in follow-on mails.
>>
>> Review comments/suggestions for improvements / bug fixes welcome.
>>
>> Cheers,
>>
>> Michael
>>
>> ==
>>
>> NAME
>>        user_namespaces - overview of Linux user_namespaces
>>
>> DESCRIPTION
>>        For an overview of namespaces, see namespaces(7).
>>
>>        User namespaces isolate security-related identifiers and
>>        attributes, in particular, user IDs and group IDs (see
>>        credentials(7)), the root directory, keys (see keyctl(2)), and
>>        capabilities (see capabilities(7)).  A process's user and group
>>        IDs can be different inside and outside a user namespace.  In
>>        particular, a process can have a normal unprivileged user ID
>>        outside a user namespace while at the same time having a user
>>        ID of 0 inside the namespace; in other words, the process has
>>        full privileges for operations inside the user namespace, but
>>        is unprivileged for operations outside the namespace.
>>
>>    Nested namespaces, namespace membership
>>        User namespaces can be nested; that is, each user namespace—
>>        except the initial ("root") namespace—has a parent user
>>        namespace, and can have zero or more child user namespaces.
>>        The parent user namespace is the user namespace of the process
>>        that creates the user namespace via a call to unshare(2) or
>>        clone(2) with the CLONE_NEWUSER flag.
>>
>>        The kernel imposes (since version 3.11) a limit of 32 nested
>>        levels of user namespaces.  Calls to unshare(2) or clone(2)
>>        that would cause this limit to be exceeded fail with the error
>>        EUSERS.
>>
>>        Each process is a member of exactly one user namespace.  A
>>        process created via fork(2) or clone(2) without the
>>        CLONE_NEWUSER flag is a member of the same user namespace as
>>        its parent.  A process can join another user namespace with
>>        setns(2) if it has the CAP_SYS_ADMIN capability in that
>>        namespace; upon doing so, it gains a full set of capabilities
>>        in that namespace.
>>
>>        A call to clone(2) or unshare(2) with the CLONE_NEWUSER flag
>>        makes the new child process (for clone(2)) or the caller (for
>>        unshare(2)) a member of the new user namespace created by the
>>        call.
>>
>>    Capabilities
>>        The child process created by clone(2) with the CLONE_NEWUSER
>>        flag starts out with a complete set of capabilities in the new
>>        user namespace.  Likewise, a process that creates a new user
>>        namespace using unshare(2) or joins an existing user namespace
>>        using setns(2) gains a full set of capabilities in that
>>        namespace.  On the other hand, that process has no capabilities
>>        in the parent (in the case of clone(2)) or previous (in the
>>        case of unshare(2) and setns(2)) user namespace, even if the
>>        new namespace is created or joined by the root user (i.e., a
>>        process with user ID 0 in the root namespace).
>>
>>        Note that a call to execve(2) will cause a process to lose any
>>        capabilities that it has, unless it has a user ID of 0 within
>>        the namespace.  See the discussion of user and group ID
>>        mappings, below.
>
> The above is an approximation, but a bit misleading.  On exec, the task
> capability set is recalculated according to the usual rules.  So if the
> file being executed has file capabilities, the resulting task may end up
> with capabilities even if it is not root (even if it is uid -1).
>
> Perhaps it should be phrased as:
>
>        Note that a call to execve(2) will cause a process' capabilities
>        to be recalculated (see capabilities(7)), so that usually, unless
>        it has a user ID of 0 within the namespace, it will lose all
>        capabilities.  See the discussion of user and group ID mappings,
>        below.

Thanks, Serge. Changed as you suggest.

Cheers,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
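As an added example, not code from this thread, the man page, or the kernel, the following C program exercises the behaviour discussed in the quoted Capabilities section and in Serge's correction: it calls unshare(CLONE_NEWUSER), reads CapEff from /proc/self/status to show the full capability set the creator holds in the new namespace before any ID mapping exists, writes one-line uid_map and gid_map entries for its own IDs, and then execs cat on /proc/self/status so the CapEff line shows what execve(2) left behind. The program name (unshare_caps), the helper names (parse_status_hex, format_id_map, write_file, read_file, show_cap_eff) and the optional inside-UID argument are this example's own assumptions; it also writes "deny" to /proc/self/setgroups before gid_map, which kernels from 3.19 onward require of an unprivileged writer and which is not part of the 2014 text.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Prototype repeated so the program still compiles if _GNU_SOURCE was not in
 * effect when <sched.h> was first included (e.g. under a test harness). */
int unshare(int flags);

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Extract the hexadecimal value that follows "key" (e.g. "CapEff:") in the text
 * of /proc/<pid>/status.  Returns 0 and stores the value in *out, or -1 if the
 * key is absent or not followed by a hex number. */
int parse_status_hex(const char *text, const char *key, unsigned long long *out)
{
    const char *p = strstr(text, key);
    if (p == NULL)
        return -1;
    p += strlen(key);
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p)
        return -1;
    *out = v;
    return 0;
}

/* Format the one-line mapping "<id inside ns> <id outside ns> <count>\n" that
 * is written to /proc/self/uid_map or gid_map.  Returns the line length, or -1
 * if the buffer is too small. */
int format_id_map(char *buf, size_t n, unsigned inside, unsigned outside, unsigned count)
{
    int len = snprintf(buf, n, "%u %u %u\n", inside, outside, count);
    if (len < 0 || (size_t)len >= n)
        return -1;
    return len;
}

static int write_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY);
    if (fd == -1)
        return -1;
    ssize_t w = write(fd, data, strlen(data));  /* map files accept a single write */
    int saved = errno;
    close(fd);
    errno = saved;
    return (w == (ssize_t)strlen(data)) ? 0 : -1;
}

static int read_file(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    ssize_t r = read(fd, buf, n - 1);
    close(fd);
    if (r < 0)
        return -1;
    buf[r] = '\0';
    return 0;
}

static void show_cap_eff(const char *when)
{
    char status[4096];
    unsigned long long eff;
    if (read_file("/proc/self/status", status, sizeof status) == 0 &&
        parse_status_hex(status, "CapEff:", &eff) == 0)
        printf("%s: euid=%u CapEff=%016llx\n", when, (unsigned)geteuid(), eff);
}

/* Usage: ./unshare_caps [inside-uid]   (hypothetical name; inside-uid defaults to 0)
 * An unprivileged creator may only map its own UID and GID, one line each. */
int main(int argc, char *argv[])
{
    unsigned inside = (argc > 1) ? (unsigned)strtoul(argv[1], NULL, 10) : 0;
    unsigned outside_uid = (unsigned)getuid();
    unsigned outside_gid = (unsigned)getgid();
    char map[64];

    show_cap_eff("in the original namespace");
    if (unshare(CLONE_NEWUSER) == -1) {
        perror("unshare(CLONE_NEWUSER)");   /* EPERM: host policy forbids it for this user */
        return 1;
    }
    /* The creator holds the full capability set in the new namespace, but its
     * IDs are not mapped yet, so euid reads back as the overflow ID (65534). */
    show_cap_eff("after unshare, before mapping");

    format_id_map(map, sizeof map, inside, outside_uid, 1);
    if (write_file("/proc/self/uid_map", map) == -1) {
        perror("write uid_map");
        return 1;
    }
    write_file("/proc/self/setgroups", "deny");   /* required before gid_map since 3.19 */
    format_id_map(map, sizeof map, inside, outside_gid, 1);
    if (write_file("/proc/self/gid_map", map) == -1) {
        perror("write gid_map");
        return 1;
    }
    show_cap_eff("after mapping, before execve");

    /* execve(2) recomputes the capability sets: with inside-uid 0 CapEff stays
     * full; with any other inside-uid it becomes 0 unless cat carries file caps. */
    execl("/bin/cat", "cat", "/proc/self/status", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run it as an ordinary user: with no argument (inside UID 0) the CapEff line printed by cat is the full set, because the process is UID 0 within its namespace; with an argument such as 1000 the same cat shows CapEff 0000000000000000, which is Serge's point that exec recalculates capabilities by the usual rules rather than simply discarding them, and that a binary with file capabilities would still gain some. Note that the capability set shown is only meaningful inside the new namespace; as the quoted text says, the process has none in the parent.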