From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Cc: linux-man <linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
	Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Linux Containers
	<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
	Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org>,
	stable <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
	<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Kenton Varda <kenton-AuYgBwuPrUQTaNkGU808tA@public.gmane.org>,
	LSM
	<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org>,
	Casey Schaufler <casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>,
	Andrew Morton
	<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
	Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Subject: Re: [PATCH 1/2] proc.5: Document /proc/[pid]/setgroups
Date: Wed, 11 Feb 2015 07:51:08 -0600	[thread overview]
Message-ID: <8761b8lfoz.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CAKgNAkgWnZ=7E4bk3JhzFS88CJ32szYCYcm_Sx166yVuWKhhUA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Michael Kerrisk's message of "Wed, 11 Feb 2015 09:01:57 +0100")

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Hi Eric,
>
> Ping!
>
> Cheers,
>
> Michael

My apologies.  Your description wasn't wrong but it may be a bit
misleading, explanation below.  You will have to figure out how to work
that into your proposed text.

> On 2 February 2015 at 16:36, Michael Kerrisk (man-pages)
> <mtk.manpages@gmail.com> wrote:
>> [Adding Josh to CC in case he has anything to add.]
>>
>> On 12/12/2014 10:54 PM, Eric W. Biederman wrote:
>>>
>>> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
>>> ---
>>>  man5/proc.5 | 15 +++++++++++++++
>>>  1 file changed, 15 insertions(+)
>>>
>>> diff --git a/man5/proc.5 b/man5/proc.5
>>> index 96077d0dd195..d661e8cfeac9 100644
>>> --- a/man5/proc.5
>>> +++ b/man5/proc.5
>>> @@ -1097,6 +1097,21 @@ are not available if the main thread has already terminated
>>>  .\"       Added in 2.6.9
>>>  .\"       CONFIG_SCHEDSTATS
>>>  .TP
>>> +.IR /proc/[pid]/setgroups " (since Linux 3.19-rc1)"
>>> +This file reports
>>> +.BR allow
>>> +if the setgroups system call is allowed in the current user namespace.
>>> +This file reports
>>> +.BR deny
>>> +if the setgroups system call is not allowed in the current user namespace.
>>> +This file may be written to with values of
>>> +.BR allow
>>> +and
>>> +.BR deny
>>> +before
>>> +.IR /proc/[pid]/gid_map
>>> +is written to (enabling setgroups) in a user namespace.
>>> +.TP
>>>  .IR /proc/[pid]/smaps " (since Linux 2.6.14)"
>>>  This file shows memory consumption for each of the process's mappings.
>>>  (The
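Review bot: the new .TP entry says the file "may be written to with values of allow and deny before /proc/[pid]/gid_map is written to", but it does not say who may write it or what happens to a write attempted after gid_map has been written; Michael's draft below supplies both (a process with CAP_SYS_ADMIN in the namespace; once gid_map is written it is no longer possible to deny setgroups), and the one-way nature of the transition, which the reply below spells out, belongs in the page text, e.g. "Once gid_map has been written, a write of deny is refused." Also, "(since Linux 3.19-rc1)" should cite the release, "3.19", as the adjacent smaps entry does with "(since Linux 2.6.14)".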
>>
>> Hi Eric,
>>
>> Thanks for this patch. I applied it, and then tried to work in
>> quite a few other details gleaned from the source code and commit
>> message, and Jon Corbet's article at http://lwn.net/Articles/626665/.
>> Could you please let me know if the following is correct:

It is close but it may be misleading.

>>     /proc/[pid]/setgroups (since Linux 3.19)
>>            This file displays the string "allow"  if  processes  in
>>            the  user  namespace  that  contains the process pid are
>>            permitted to employ the setgroups(2)  system  call,  and
>>            "deny"  if  setgroups(2)  is  not permitted in that user
>>            namespace.

With the caveat that when gid_map is not set, setgroups is also not
allowed.

>>            A privileged process (one with the  CAP_SYS_ADMIN  capa‐
>>            bility in the namespace) may write either of the strings
>>            "allow" or "deny" to this file before writing a group ID
>>            mapping   for   this   user   namespace   to   the  file
>>            /proc/[pid]/gid_map.  Writing the string "deny" prevents
>>            any  process  in  the user namespace from employing set‐
>>            groups(2).

Or more succinctly: you are allowed to write to /proc/[pid]/setgroups
when calling setgroups is not allowed because gid_map is unset.  This
ensures we do not have any transitions from a state where setgroups
is allowed to a state where setgroups is denied.  There are only
transitions from setgroups not-allowed to setgroups allowed.

>>            The default value of  this  file  in  the  initial  user
>>            namespace is "allow".
>>
>>            Once  /proc/[pid]/gid_map has been written to (which has
>>            the effect of enabling setgroups(2) in the  user  names‐
>>            pace),  it is no longer possible to deny setgroups(2) by
>>            writing to /proc/[pid]/setgroups.
>>
>>            A child user namespace inherits the  /proc/[pid]/gid_map
>>            setting from its parent.
>>
>>            If  the  setgroups  file  has the value "deny", then the
>>            setgroups(2) system call can't subsequently be reenabled
>>            (by writing "allow" to the file) in this user namespace.
>>            This restriction also propagates down to all child  user
>>            namespaces of this user namespace.

Eric
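A model of the transition rule Eric describes, added here as an illustration and not kernel code: it encodes that a write to setgroups is accepted only while gid_map is unset, that "deny" is permanent and inherited by child user namespaces, and that setgroups(2) is usable only once gid_map has been written, then exhaustively runs every short sequence of writes looking for a forbidden allowed-to-denied transition. Assumptions not stated in the thread: a gid mapping can be written only once, refused writes are modelled as PermissionError (EPERM), and the initial namespace starts with a mapping in place.

```python
"""Model of the /proc/[pid]/setgroups state machine (illustration, not kernel code)."""
import itertools


class UserNamespace:
    """One user namespace with the two pieces of state that matter here."""

    def __init__(self, parent=None):
        # Assumption: the initial namespace starts mapped with policy "allow";
        # a child starts unmapped and inherits its parent's policy, which is
        # how "deny" propagates down to child namespaces.
        self.parent = parent
        self.gid_map_written = parent is None
        self.setgroups_policy = "allow" if parent is None else parent.setgroups_policy

    def setgroups_allowed(self):
        """What setgroups(2) sees: policy "allow" AND a gid_map in place.
        Eric's caveat: with gid_map unset, setgroups is not allowed either."""
        return self.setgroups_policy == "allow" and self.gid_map_written

    def read_setgroups(self):
        """Contents of /proc/[pid]/setgroups: the policy string."""
        return self.setgroups_policy

    def write_setgroups(self, value):
        """Writing "allow" or "deny" to /proc/[pid]/setgroups.
        Refused writes raise PermissionError (EPERM in the kernel)."""
        if value not in ("allow", "deny"):
            raise ValueError("only 'allow' or 'deny' may be written")
        if value == "deny":
            # Denying after gid_map enabled setgroups would be an
            # allowed -> denied transition, which the design forbids.
            if self.gid_map_written:
                raise PermissionError("gid_map already written; cannot deny")
            self.setgroups_policy = "deny"
        elif self.setgroups_policy == "deny":
            # "deny" is permanent: re-enabling is refused.
            raise PermissionError("setgroups already denied; cannot re-allow")
        # writing "allow" while already "allow" is a no-op

    def write_gid_map(self):
        """Writing a group ID mapping; with policy "allow" this enables
        setgroups(2).  Assumption: a mapping may be written only once."""
        if self.gid_map_written:
            raise PermissionError("gid_map may only be written once")
        self.gid_map_written = True

    def unshare(self):
        """Create a child user namespace that inherits this one's policy."""
        return UserNamespace(self)


OPS = ("allow", "deny", "gid_map")


def apply(ns, op):
    """Apply one write; returns True if accepted, False if refused (EPERM)."""
    try:
        if op == "gid_map":
            ns.write_gid_map()
        else:
            ns.write_setgroups(op)
        return True
    except PermissionError:
        return False


def check_monotonic(max_len=5):
    """Run every write sequence up to max_len against a fresh child namespace
    and count the allowed -> not-allowed transitions seen (expected: 0)."""
    violations = 0
    for n in range(1, max_len + 1):
        for seq in itertools.product(OPS, repeat=n):
            ns = UserNamespace().unshare()
            was_allowed = ns.setgroups_allowed()
            for op in seq:
                apply(ns, op)
                now_allowed = ns.setgroups_allowed()
                if was_allowed and not now_allowed:
                    violations += 1
                was_allowed = now_allowed
    return violations


def deny_is_inherited():
    """A child of a namespace that wrote "deny" cannot re-enable setgroups,
    even after writing its own gid_map."""
    parent = UserNamespace().unshare()
    parent.write_setgroups("deny")
    child = parent.unshare()
    reenabled = apply(child, "allow")
    apply(child, "gid_map")
    return (child.read_setgroups() == "deny" and not reenabled
            and not child.setgroups_allowed())


if __name__ == "__main__":
    print("allowed -> denied transitions found:", check_monotonic())
    print("deny inherited and permanent:", deny_is_inherited())
```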
     [not found]                                                                             ` <87fvcok11h.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-09 22:28                                                                               ` Andy Lutomirski
2014-12-09 20:43                                                                           ` [CFT][PATCH 8/8] userns: Allow setting gid_maps without privilege when setgroups is disabled Eric W. Biederman
2014-12-09 20:43                                                                             ` Eric W. Biederman
2014-12-10 16:39                                                                           ` [CFT] Can I get some Tested-By's on this series? Eric W. Biederman
2014-12-10 16:39                                                                         ` Eric W. Biederman
2014-12-10 16:39                                                                           ` Eric W. Biederman
     [not found]                                                                           ` <87mw6vh31e.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-10 22:48                                                                             ` Serge Hallyn
2014-12-10 22:48                                                                               ` Serge Hallyn
2014-12-10 22:50                                                                               ` Richard Weinberger
2014-12-10 22:50                                                                                 ` Richard Weinberger
     [not found]                                                                                 ` <5488CE4D.1000606-/L3Ra7n9ekc@public.gmane.org>
2014-12-10 23:19                                                                                   ` Eric W. Biederman
2014-12-10 23:19                                                                                     ` Eric W. Biederman
     [not found]                                                                                     ` <87r3w7f5yc.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-11 19:27                                                                                       ` Richard Weinberger
2014-12-11 19:27                                                                                         ` Richard Weinberger
2014-12-12  6:56                                                                                       ` Chen, Hanxiao
2014-12-12  6:56                                                                                         ` Chen, Hanxiao
2014-12-12  6:56                                                                                         ` Chen, Hanxiao
2014-12-13 22:31                                                                               ` serge
2014-12-13 22:31                                                                               ` serge-A9i7LUbDfNHQT0dZR+AlfA
     [not found]                                                                               ` <87lhmcy2et.fsf@x220.int.ebiederm.org>
     [not found]                                                                                 ` <20141212220840.GF22091@castiana.ipv6.teksavvy.com>
     [not found]                                                                                   ` <8761dgze56.fsf@x220.int.ebiederm.org>
     [not found]                                                                                     ` <8761dgze56.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-15 19:38                                                                                       ` Serge Hallyn
2014-12-15 19:38                                                                                         ` Serge Hallyn
2014-12-15 19:38                                                                                         ` Serge Hallyn
2014-12-15 20:11                                                                                         ` Eric W. Biederman
2014-12-15 20:11                                                                                           ` Eric W. Biederman
     [not found]                                                                                           ` <8761dcwu40.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-15 20:49                                                                                             ` Serge Hallyn
2014-12-15 20:49                                                                                               ` Serge Hallyn
2014-12-15 20:49                                                                                               ` Serge Hallyn
2014-12-15 20:49                                                                                             ` Serge Hallyn
2014-12-16  2:05                                                                             ` Andy Lutomirski
2014-12-16  2:05                                                                               ` Andy Lutomirski
     [not found]                                                                               ` <CALCETrWXp3eq2O068NZcd+KPCg+N2y0T57Q0JzHcZLjzq+mXLA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-16  9:23                                                                                 ` Richard Weinberger
2014-12-16  9:23                                                                                   ` Richard Weinberger
2014-12-16  9:23                                                                                 ` Richard Weinberger
2014-12-08 23:30                                                               ` [CFT][PATCH 6/7] userns: Add a knob to disable setgroups on a per user namespace basis Eric W. Biederman
2014-12-08 22:14                                               ` [CFT][PATCH 7/7] userns: Allow setting gid_maps without privilege when setgroups is disabled Eric W. Biederman
2014-12-08 22:14                                                 ` Eric W. Biederman
     [not found]                                                 ` <87egs9pz5u.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-08 22:26                                                   ` Andy Lutomirski
2014-12-08 22:26                                                     ` Andy Lutomirski
     [not found]                                 ` <87a935u3nj.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-02 22:17                                   ` [CFT][PATCH 2/3] userns: Add a knob to disable setgroups on a per user namespace basis Andy Lutomirski
2014-12-02 20:58                       ` [CFT][PATCH 1/3] userns: Avoid problems with negative groups Andy Lutomirski
2014-12-02 20:58                       ` Andy Lutomirski
2014-12-02 20:58                         ` Andy Lutomirski
     [not found]                         ` <CALCETrXsQbCeQBUo_FrXNVS42mBEFXz1jku9TicVbFhxTmNGmA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-02 21:26                           ` Eric W. Biederman
2014-12-02 21:26                             ` Eric W. Biederman
     [not found]                             ` <87bnnlvj43.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-02 22:09                               ` Andy Lutomirski
2014-12-02 22:09                                 ` Andy Lutomirski
     [not found]                                 ` <CALCETrUJ9Qk553YSsYkjaeE-Qw0u_Pt1eoODUPX-udsO8kf14w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-02 22:48                                   ` Eric W. Biederman
2014-12-02 22:48                                     ` Eric W. Biederman
     [not found]                                     ` <87wq69pt0q.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-02 22:56                                       ` Andy Lutomirski
2014-12-02 22:56                                         ` Andy Lutomirski
2014-12-02 18:53       ` [PATCH v2] userns: Disallow setgroups unless the gid_map writer is privileged Andy Lutomirski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8761b8lfoz.fsf@x220.int.ebiederm.org \
    --to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
    --cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
    --cc=casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org \
    --cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
    --cc=josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org \
    --cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
    --cc=kenton-AuYgBwuPrUQTaNkGU808tA@public.gmane.org \
    --cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
    --cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
    --cc=richard-/L3Ra7n9ekc@public.gmane.org \
    --cc=stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.