From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Cc: Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
Subject: Re: [PATCH 2/4] clone.2: Describe the user namespace
Date: Tue, 01 Jan 2013 01:45:36 -0800 [thread overview]
Message-ID: <87zk0t44ov.fsf@xmission.com> (raw)
In-Reply-To: <CAKgNAkgPET9jex1DO=1Z3HRQqO_WVD8qmG-UaH1DQB6wDGqO5A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Michael Kerrisk's message of "Tue, 1 Jan 2013 10:30:17 +0100")
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
> Hi Eric,
>
> On Thu, Dec 27, 2012 at 6:20 PM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>
>>> Hi Eric,
>>>
>>> On Tue, Nov 27, 2012 at 1:46 AM, Eric W. Biederman
>>> <ebiederm@xmission.com> wrote:
>>>>
>>>> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
>>>> ---
>>>> man2/clone.2 | 39 +++++++++++++++++++++++++++++++++++++++
>>>> 1 files changed, 39 insertions(+), 0 deletions(-)
>>>>
>>>> diff --git a/man2/clone.2 b/man2/clone.2
>>>> index 0582057..4566677 100644
>>>> --- a/man2/clone.2
>>>> +++ b/man2/clone.2
>>>> @@ -366,6 +366,45 @@ in the same
>>>> .BR clone ()
>>>> call.
>>>> .TP
>>>> +.BR CLONE_NEWUSER " (since Linux 3.6)"
>>>
>>> Why "since Linux 3.6"? As fas as I can see, CLONE_NEWUSER first gained
>>> some meaning in 2.6.29.
>>
>> Looking at it where I have said 3.6 that is wrong. I meant 3.5.
>
> Okay.
>
>> I think I made the same mistake in one or two other manpages. Nothing
>> was merged in 3.6 unfortunately.
>
> I think the other cases have been fixed by now.
>
>> My intent was these are the semantics of user namespaces since 3.5,
>> when my rework/refocusing of them was merged.
>>
>> Since 3.5 all that has really happened with user namespaces is the
>> uid/gid to kuid/kgid conversion, permission checks have been relaxed,
>> and a few bugs have been fixed.
>>
>> 3.8 is huge from a usability standpoint. 3.8 is huge because setns(),
>> and unshare() are now complete from a namespace perspective, and because
>> enough permission checks have been relaxed in user namespaces that you
>> can really start using them.
>>
>> But semantically from a user namespace perspective nothing really has
>> changed in 3.8.
>>
> [...]
>
>>> I reworked your text somewhat. Could you please review the following:
>>>
>>> [[
>>> CLONE_NEWUSER
>>> (This flag first became meaningful for clone() in Linux
>>> 2.6.29, but the implementation of user namespaces was
>>> only completed in Linux 3.8.)
>>
>> Long rant about 2.6.29 vs 3.8 above. I think what we need to say is:
>>
>> (This flag first became meaningful for clone() in Linux
>> 2.6.29, the current semantics were merged present in
>> 3.5, and user namespaces only really became usable in 3.8.)
>
> Yup. I've done something like that now.
>
>>> If CLONE_NEWUSER is set,
>>> then create the process in a new user namespace. If
>>> this flag is not set, then (as with fork(2)) the process
>>> is created in the same user namespace as the calling
>>> process.
>>>
>>> A user namespace provides an isolated environment for
>>> security related identifiers, in particular, user IDs,
>>> group IDs, keys (see keyctl(2)), and capabilities.
>>>
>>> When a user namespace is created, it starts out without
>>> a mapping of user IDs (group IDs) to the parent user
>>> namespace. The desired mapping of user IDs (group IDs)
>>> to the parent user namespace may be set by writing into
>>> /proc/[pid]/uid_map (/proc/[pid]/gid_map); see proc(5).
>>
>> /proc/[pid]/projid_map deserves a mention. Not that
>> I am a fan of project is or that xfs where the are
>> implemented has been converted yet but....
>
> Would you be able to send a patch documenting this in proc(5)?
Sure. I don't know why I didn't mention projid in my earlier patch.
Same story fewer permission checks. Silly me.
>>> The first process in a user namespace starts out with a
>>> complete set of capabilities with respect to the new
>>> user namespace.
>>>
>>> System calls that return user IDs (group IDs) will
>>> return either the user ID (group ID) mapped into the
>>> current user namespace if there is a mapping, or the
>>> overflow user ID (group ID); the default value for the
>>> overflow user ID (group ID) is 65534. See the descrip‐
>>> tions of /proc/sys/kernel/overflowuid and /proc/sys/ker‐
>>> nel/overflowgid in proc(5).
>>>
>>> Starting with Linux 3.8, no privileges are needed to
>>> create a user namespace, and mount, PID, IPC, net, and
>>> UTS namespaces can be created with just the
>>> CAP_SYS_ADMIN capability in the caller's user namespace.
>>>
>>> Over the years, there have been a lot of features that
>>> have been added to the Linux kernel that are only avail‐
>>> able to privileged users because of their potential to
>>> confuse set-user-ID-root applications. In general, it
>>> becomes safe to allow the root user in a user namespace
>>> to use those features because it is impossible, while in
>>> a user namespace, to gain more privilege than the root
>>> user of a user namespace has.
>>
>> I don't have any problems with this bit of text.
>>
>> It occurs to me that what is going on with capabilities and user
>> namespaces needs to be documented better. There was a minor bug with
>> them this release cycle and I realized while the current definition
>> makes sense and isn't hard to understand in general. In detail the
>> interaction of capabilities and user namespaces are hard to describe.
>>
>> I think capabilities and user namespaces are the work of a future patch
>> however.
>
> Okay. So, below, a new iteration of the text. Could you please check
> it over, and note any errors to be fixed or improvements to be made.
>
> Thanks,
>
> Michael
>
> CLONE_NEWUSER
> (This flag first became meaningful for clone() in Linux
> 2.6.23, the current clone() semantics were merged in
> Linux 3.5, and the final pieces to make the user names‐
> paces completely usable were merged in Linux 3.8.)
>
> If CLONE_NEWUSER is set, then create the process in a
> new user namespace. If this flag is not set, then (as
> with fork(2)) the process is created in the same user
> namespace as the calling process.
>
> A user namespace provides an isolated environment for
> security related identifiers, in particular, user IDs,
> group IDs, keys (see keyctl(2)), and capabilities.
>
> When a user namespace is created, it starts out without
> a mapping of user IDs (group IDs) to the parent user
> namespace. The desired mapping of user IDs (group IDs)
> to the parent user namespace may be set by writing into
> /proc/[pid]/uid_map (/proc/[pid]/gid_map); see proc(5).
>
> The first process in a user namespace starts out with a
> complete set of capabilities with respect to the new
> user namespace.
>
> System calls that return user IDs (group IDs) will
> return either the user ID (group ID) mapped into the
> current user namespace if there is a mapping, or the
> overflow user ID (group ID); the default value for the
> overflow user ID (group ID) is 65534. See the descrip‐
> tions of /proc/sys/kernel/overflowuid and /proc/sys/ker‐
> nel/overflowgid in proc(5).
>
> Use of this flag requires a kernel configured with the
> CONFIG_USER_NS option. Before Linux 3.8, use of
> CLONE_NEWUSER required that the caller have three capa‐
> bilities: CAP_SYS_ADMIN, CAP_SETUID, and CAP_SETGID.
> Starting with Linux 3.8, no privileges are needed to
> create a user namespace, and mount, PID, IPC, net, and
> UTS namespaces can be created with just the
> CAP_SYS_ADMIN capability in the caller's user namespace.
>
> Over the years, there have been a lot of features that
> have been added to the Linux kernel that are only avail‐
> able to privileged users because of their potential to
> confuse set-user-ID-root applications. In general, it
> becomes safe to allow the root user in a user namespace
> to use those features because it is impossible, while in
> a user namespace, to gain more privilege than the root
> user of a user namespace has.
I don't see anything wrong with that text.
Happy New Year.
Eric
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
next prev parent reply other threads:[~2013-01-01 9:45 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-26 22:57 [PATCH 0/4] namespace man page updates for 3.8 Eric W. Biederman
[not found] ` <87a9u4rmz0.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-27 0:46 ` [PATCH 1/4] proc.5: Document /proc/[pid]/uid_map and /proc/[pid]/gid_map Eric W. Biederman
[not found] ` <874nkbrhyv.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-27 9:03 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkixXmtvQUbwyv=a8mU=gdf-x+w-ou_4N=cNaau+hVoy4Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-27 16:58 ` Eric W. Biederman
[not found] ` <87obhfxwhb.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-28 19:20 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkjs9T-s8SG-EgTT0O-Uj8S98Q_zfnMqnZ1ROrcYqh7Z5w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-28 21:20 ` Eric W. Biederman
[not found] ` <87vcbldgbj.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-01 9:37 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkjf=KS5FnP0L-TPTCjQuTDAMs-N4cadAP89L4Mb3KubzQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-01 10:12 ` Eric W. Biederman
[not found] ` <87r4m51abp.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-14 8:59 ` Michael Kerrisk (man-pages)
2012-12-27 16:58 ` Eric W. Biederman
2012-12-27 17:23 ` Eric W. Biederman
[not found] ` <87licjv276.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-27 18:39 ` Michael Kerrisk (man-pages)
2012-12-27 18:39 ` Michael Kerrisk (man-pages)
2012-12-27 17:23 ` Eric W. Biederman
2012-12-27 9:03 ` Michael Kerrisk (man-pages)
2012-11-27 0:46 ` [PATCH 2/4] clone.2: Describe the user namespace Eric W. Biederman
2012-11-27 0:46 ` Eric W. Biederman
[not found] ` <87y5hnq3d5.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-27 10:16 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkgXWp49wXKom9hMm9fajKVOAwOmFzPdKWBesbBhfZEssA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-27 17:20 ` Eric W. Biederman
[not found] ` <87r4mbv2c9.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-01 9:30 ` Michael Kerrisk (man-pages)
2013-01-01 9:30 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkgPET9jex1DO=1Z3HRQqO_WVD8qmG-UaH1DQB6wDGqO5A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-01 9:45 ` Eric W. Biederman [this message]
2012-12-27 17:47 ` Eric W. Biederman
[not found] ` <87sj6rs7zc.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-01 9:29 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkgRQXn0-x6CXxvW94eeG19dOAOEx78iNC0+w08uX+Sg1w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-01 9:39 ` Eric W. Biederman
[not found] ` <87a9st5jj4.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-07 8:33 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkggMKib5v4ND9UR1jH=CrK-viM5hhfmc0Rw=mP5GbenSg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-07 8:59 ` Eric W. Biederman
2013-01-07 8:59 ` Eric W. Biederman
2013-01-07 8:33 ` Michael Kerrisk (man-pages)
2013-01-01 9:39 ` Eric W. Biederman
2012-11-27 0:47 ` [PATCH 3/4] proc.5: Document the proc files for the user, mount, and pid namespaces Eric W. Biederman
[not found] ` <87pq2zq3b6.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-27 10:28 ` Michael Kerrisk (man-pages)
2012-11-27 0:48 ` [PATCH 4/4] setns.2: Document the pid, user, and mount namespace support Eric W. Biederman
[not found] ` <87k3t7q39u.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-27 11:08 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkiaw5L_oNE8NENjmoBS8Hq_uj+iaEdhyXc1+hje4HdnNQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-27 17:40 ` Eric W. Biederman
[not found] ` <87bodftmv0.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-01 9:30 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkjJR02rKOBh98n7HJwXqAwywHY=Ef35t9tW7wOuyo86NQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-01 9:58 ` Eric W. Biederman
[not found] ` <87mwwt2pj8.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-07 9:51 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkggEOV0dXVzr4Zf3n_-it5SXfvjJ1ooYxiVNWaYzQgRLg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-07 23:58 ` Eric W. Biederman
2013-01-07 23:58 ` Eric W. Biederman
2012-12-27 11:08 ` Michael Kerrisk (man-pages)
2012-11-27 0:48 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zk0t44ov.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.