From: "Michael Kerrisk (man-pages)" <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: "linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
richard.weinberger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
lkml <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Subject: Re: For review: user_namespace(7) man page
Date: Tue, 09 Sep 2014 06:59:41 -0700 [thread overview]
Message-ID: <540F07CD.3080708@gmail.com> (raw)
In-Reply-To: <87d2bhfxvc.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
On 08/30/2014 02:53 PM, Eric W. Biederman wrote:
> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
[...]
>> The initial user namespace has no parent namespace, but, for con‐
>> sistency, the kernel provides dummy user and group ID mapping
>> files for this namespace. Looking at the uid_map file (gid_map
>> is the same) from a shell in the initial namespace shows:
>>
>> $ cat /proc/$$/uid_map
>> 0 0 4294967295
>>
>> This mapping tells us that the range starting at user ID 0 in
>> this namespace maps to a range starting at 0 in the (nonexistent)
>> parent namespace, and the length of the range is the largest
>> 32-bit unsigned integer.
>
> Which deliberately leaves 4294967295 32bit (-1) unmapped. (uid_t)-1 is
> used in several interfaces (like setreuid) as a way to specify no uid
> leaving it unmapped and unusuable guarantees that there will be no
> confusion when using those kernel methods.
So, I worked that piece into the text to give:
This mapping tells us that the range starting at user ID 0 in
this namespace maps to a range starting at 0 in the (nonexis‐
tent) parent namespace, and the length of the range is the
largest 32-bit unsigned integer. (This deliberately leaves
4294967295 (the 32-bit signed -1 value) unmapped. This is
deliberate: (uid_t) -1 is used in several interfaces (e.g.,
setreuid(2)) as a way to specify "no user ID". Leaving
setreuid(2)) unmapped and unusuable guarantees that there will
be no confusion when using these interfaces.
Okay?
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
WARNING: multiple messages have this Message-ID (diff)
From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: mtk.manpages@gmail.com, lkml <linux-kernel@vger.kernel.org>,
"linux-man@vger.kernel.org" <linux-man@vger.kernel.org>,
containers@lists.linux-foundation.org,
Andy Lutomirski <luto@amacapital.net>,
richard.weinberger@gmail.com,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: For review: user_namespace(7) man page
Date: Tue, 09 Sep 2014 06:59:41 -0700 [thread overview]
Message-ID: <540F07CD.3080708@gmail.com> (raw)
In-Reply-To: <87d2bhfxvc.fsf@x220.int.ebiederm.org>
On 08/30/2014 02:53 PM, Eric W. Biederman wrote:
> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
[...]
>> The initial user namespace has no parent namespace, but, for con‐
>> sistency, the kernel provides dummy user and group ID mapping
>> files for this namespace. Looking at the uid_map file (gid_map
>> is the same) from a shell in the initial namespace shows:
>>
>> $ cat /proc/$$/uid_map
>> 0 0 4294967295
>>
>> This mapping tells us that the range starting at user ID 0 in
>> this namespace maps to a range starting at 0 in the (nonexistent)
>> parent namespace, and the length of the range is the largest
>> 32-bit unsigned integer.
>
> Which deliberately leaves 4294967295 32bit (-1) unmapped. (uid_t)-1 is
> used in several interfaces (like setreuid) as a way to specify no uid
> leaving it unmapped and unusuable guarantees that there will be no
> confusion when using those kernel methods.
So, I worked that piece into the text to give:
This mapping tells us that the range starting at user ID 0 in
this namespace maps to a range starting at 0 in the (nonexis‐
tent) parent namespace, and the length of the range is the
largest 32-bit unsigned integer. (This deliberately leaves
4294967295 (the 32-bit signed -1 value) unmapped. This is
deliberate: (uid_t) -1 is used in several interfaces (e.g.,
setreuid(2)) as a way to specify "no user ID". Leaving
setreuid(2)) unmapped and unusuable guarantees that there will
be no confusion when using these interfaces.
Okay?
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
next prev parent reply other threads:[~2014-09-09 13:59 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-20 23:36 For review: user_namespace(7) man page Michael Kerrisk (man-pages)
2014-08-20 23:36 ` Michael Kerrisk (man-pages)
[not found] ` <53F5310A.5080503-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-08-22 21:12 ` Serge E. Hallyn
2014-08-22 21:12 ` Serge E. Hallyn
[not found] ` <20140822211215.GA26308-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2014-09-01 16:58 ` Michael Kerrisk (man-pages)
2014-09-01 16:58 ` Michael Kerrisk (man-pages)
2014-08-30 21:53 ` Eric W. Biederman
2014-08-30 21:53 ` Eric W. Biederman
[not found] ` <87d2bhfxvc.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-09-01 17:31 ` Michael Kerrisk (man-pages)
2014-09-01 17:31 ` Michael Kerrisk (man-pages)
2014-09-01 17:31 ` Michael Kerrisk (man-pages)
[not found] ` <5404AD7F.4070004-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-09-02 1:05 ` Eric W. Biederman
2014-09-02 1:05 ` Eric W. Biederman
[not found] ` <87sikade6s.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-09-09 14:00 ` Michael Kerrisk (man-pages)
2014-09-09 14:00 ` Michael Kerrisk (man-pages)
[not found] ` <540F07FD.7010106-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-09-09 16:16 ` Eric W. Biederman
2014-09-09 16:16 ` Eric W. Biederman
[not found] ` <87bnqon513.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-09-11 14:40 ` Michael Kerrisk (man-pages)
2014-09-11 14:40 ` Michael Kerrisk (man-pages)
2014-09-09 13:59 ` Michael Kerrisk (man-pages)
2014-09-09 13:59 ` Michael Kerrisk (man-pages)
[not found] ` <540F07C7.9000300-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-09-09 15:49 ` Eric W. Biederman
2014-09-09 15:49 ` Eric W. Biederman
[not found] ` <87sik0oktt.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-09-11 14:40 ` Michael Kerrisk (man-pages)
2014-09-11 14:40 ` Michael Kerrisk (man-pages)
2014-09-09 13:59 ` Michael Kerrisk (man-pages) [this message]
2014-09-09 13:59 ` Michael Kerrisk (man-pages)
[not found] ` <540F07CD.3080708-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-09-09 15:51 ` Eric W. Biederman
2014-09-09 15:51 ` Eric W. Biederman
[not found] ` <87oauookq2.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-09-11 14:40 ` Michael Kerrisk (man-pages)
2014-09-11 14:40 ` Michael Kerrisk (man-pages)
2014-09-01 20:57 ` Andy Lutomirski
2014-09-01 20:57 ` Andy Lutomirski
[not found] ` <CALCETrX2qwvzmeoVcLFLxEK=1Fv+f0Ri0TouzzvbN_rgDjka4A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-09-09 14:00 ` Michael Kerrisk (man-pages)
2014-09-09 14:00 ` Michael Kerrisk (man-pages)
[not found] ` <540F0810.7030408-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-09-09 16:05 ` Eric W. Biederman
2014-09-09 16:05 ` Eric W. Biederman
[not found] ` <87ppf4n5ib.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-09-09 19:26 ` Andy Lutomirski
2014-09-09 19:26 ` Andy Lutomirski
[not found] ` <CALCETrV4WizRXD9JuwibUBbQE9hhNrRDJ3cYyXdhd=OfPziF5g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-09-09 19:39 ` Andy Lutomirski
2014-09-09 19:39 ` Andy Lutomirski
2014-09-11 14:47 ` Michael Kerrisk (man-pages)
2014-09-11 14:47 ` Michael Kerrisk (man-pages)
[not found] ` <5411B5F5.2090500-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-09-11 15:15 ` Andy Lutomirski
2014-09-11 15:15 ` Andy Lutomirski
[not found] ` <CALCETrXOgCUrrzeJYJ6VoPgR5Rt0HFCrhRC0H7+3XLv1Y+sJ_A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-09-14 2:58 ` Michael Kerrisk (man-pages)
2014-09-14 2:58 ` Michael Kerrisk (man-pages)
2014-09-14 2:58 ` Michael Kerrisk (man-pages)
2014-09-11 14:46 ` Michael Kerrisk (man-pages)
2014-09-11 14:46 ` Michael Kerrisk (man-pages)
2014-09-11 14:46 ` Michael Kerrisk (man-pages)
[not found] ` <5411B5D6.9010201-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-09-11 15:14 ` Andy Lutomirski
2014-09-11 15:14 ` Andy Lutomirski
[not found] ` <CALCETrV1EtrzfEhS55ToPD5VTbY9VjmmOA6bv2H9PGGQ-G=WGA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-09-14 2:42 ` Michael Kerrisk (man-pages)
2014-09-14 2:42 ` Michael Kerrisk (man-pages)
2014-09-14 2:42 ` Michael Kerrisk (man-pages)
-- strict thread matches above, loose matches on Subject: below --
2014-08-20 23:36 Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=540F07CD.3080708@gmail.com \
--to=mtk.manpages-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=richard.weinberger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.