From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756816AbaIIOAz (ORCPT ); Tue, 9 Sep 2014 10:00:55 -0400
Received: from mail-pd0-f175.google.com ([209.85.192.175]:56828 "EHLO mail-pd0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752883AbaIIOAw (ORCPT ); Tue, 9 Sep 2014 10:00:52 -0400
Message-ID: <540F07CD.3080708@gmail.com>
Date: Tue, 09 Sep 2014 06:59:41 -0700
From: "Michael Kerrisk (man-pages)"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: "Eric W. Biederman"
CC: mtk.manpages@gmail.com, lkml , "linux-man@vger.kernel.org" , containers@lists.linux-foundation.org, Andy Lutomirski , richard.weinberger@gmail.com, "Serge E. Hallyn"
Subject: Re: For review: user_namespace(7) man page
References: <53F5310A.5080503@gmail.com> <87d2bhfxvc.fsf@x220.int.ebiederm.org>
In-Reply-To: <87d2bhfxvc.fsf@x220.int.ebiederm.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On 08/30/2014 02:53 PM, Eric W. Biederman wrote:
> "Michael Kerrisk (man-pages)" writes:

[...]

>>        The initial user namespace has no parent namespace, but, for
>>        consistency, the kernel provides dummy user and group ID mapping
>>        files for this namespace.  Looking at the uid_map file (gid_map
>>        is the same) from a shell in the initial namespace shows:
>>
>>            $ cat /proc/$$/uid_map
>>                     0          0 4294967295
>>
>>        This mapping tells us that the range starting at user ID 0 in
>>        this namespace maps to a range starting at 0 in the (nonexistent)
>>        parent namespace, and the length of the range is the largest
>>        32-bit unsigned integer.
>
> Which deliberately leaves 4294967295 32bit (-1) unmapped.  (uid_t)-1 is
> used in several interfaces (like setreuid) as a way to specify no uid
> leaving it unmapped and unusable guarantees that there will be no
> confusion when using those kernel methods.

So, I worked that piece into the text to give:

       This mapping tells us that the range starting at user ID 0 in
       this namespace maps to a range starting at 0 in the (nonexistent)
       parent namespace, and the length of the range is the largest
       32-bit unsigned integer.  (This deliberately leaves 4294967295
       (the 32-bit signed -1 value) unmapped.  This is deliberate:
       (uid_t) -1 is used in several interfaces (e.g., setreuid(2)) as
       a way to specify "no user ID".  Leaving setreuid(2)) unmapped and
       unusable guarantees that there will be no confusion when using
       these interfaces.

Okay?

Cheers,

Michael


--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
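The point of the exchange above is that a mapping line "0 0 4294967295" covers IDs 0 through 4294967294 and leaves exactly one value, (uid_t)-1, outside every range. The following C program is an added example, not code from the thread or from the man-pages project: it parses uid_map/gid_map text in the "inner outer length" format the message quotes, translates an ID into the parent namespace, and shows that 4294967295 is unmapped under the initial-namespace mapping. The sample map string is constructed from the `cat /proc/$$/uid_map` output in the message; the function names (`parse_id_map`, `map_to_parent`, `sample_is_mapped`, `sample_to_parent`) are this example's own.

```c
/* Added example (not from the mailing-list thread): parse uid_map/gid_map
 * text and check whether an ID falls inside one of the mapped ranges. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct id_range {
    unsigned long inner;   /* first ID inside this user namespace */
    unsigned long outer;   /* first ID in the parent user namespace */
    unsigned long length;  /* number of IDs covered by the range */
};

#define MAX_RANGES 16

/* Constructed sample: the initial-namespace mapping quoted in the message. */
static const char SAMPLE_MAP[] = "         0          0 4294967295\n";

/* Parse one or more "inner outer length" lines. Returns the number of
 * ranges parsed, or -1 if a line is malformed or a length is zero. */
static int parse_id_map(const char *text, struct id_range *ranges, int max)
{
    int n = 0;
    const char *p = text;

    while (*p != '\0' && n < max) {
        char *end;
        unsigned long *fields[3] = { &ranges[n].inner, &ranges[n].outer,
                                     &ranges[n].length };
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        if (*p == '\0')
            break;
        for (int f = 0; f < 3; f++) {
            *fields[f] = strtoul(p, &end, 10);
            if (end == p)           /* field missing or not a number */
                return -1;
            p = end;
        }
        if (ranges[n].length == 0)  /* the kernel rejects empty ranges */
            return -1;
        n++;
    }
    return n;
}

/* Translate an ID from this namespace into the parent namespace.
 * Returns 1 and stores the parent-side ID in *out when the ID is mapped,
 * 0 when no range covers it. The comparison is written as
 * (id - inner) < length so that inner + length cannot overflow. */
static int map_to_parent(const struct id_range *r, int n,
                         unsigned long id, unsigned long *out)
{
    for (int i = 0; i < n; i++) {
        if (id >= r[i].inner && id - r[i].inner < r[i].length) {
            *out = r[i].outer + (id - r[i].inner);
            return 1;
        }
    }
    return 0;
}

/* Convenience wrappers over the constructed sample mapping. */
static int sample_is_mapped(unsigned long id)
{
    struct id_range ranges[MAX_RANGES];
    unsigned long out;
    int n = parse_id_map(SAMPLE_MAP, ranges, MAX_RANGES);
    return n > 0 && map_to_parent(ranges, n, id, &out);
}

/* Returns the parent-side ID, or (unsigned long)-1 when unmapped. */
static unsigned long sample_to_parent(unsigned long id)
{
    struct id_range ranges[MAX_RANGES];
    unsigned long out;
    int n = parse_id_map(SAMPLE_MAP, ranges, MAX_RANGES);
    if (n > 0 && map_to_parent(ranges, n, id, &out))
        return out;
    return (unsigned long)-1;
}

int main(void)
{
    unsigned long probes[] = { 0UL, 1000UL, 4294967294UL, 4294967295UL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("uid %lu: %s\n", probes[i],
               sample_is_mapped(probes[i]) ? "mapped" : "unmapped");
    return 0;
}
```

Running it prints "mapped" for 0, 1000 and 4294967294 and "unmapped" for 4294967295, which is the property the thread describes: the one-line identity mapping still excludes the value that setreuid(2) and similar calls interpret as "no user ID". To inspect a live process, read the contents of `/proc/<pid>/uid_map` into a buffer and hand it to `parse_id_map` instead of `SAMPLE_MAP`.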