From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Cc: Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
Subject: Re: [PATCH 2/4] clone.2: Describe the user namespace
Date: Tue, 01 Jan 2013 01:45:36 -0800 [thread overview]
Message-ID: <87zk0t44ov.fsf@xmission.com> (raw)
In-Reply-To: <CAKgNAkgPET9jex1DO=1Z3HRQqO_WVD8qmG-UaH1DQB6wDGqO5A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Michael Kerrisk's message of "Tue, 1 Jan 2013 10:30:17 +0100")
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
> Hi Eric,
>
> On Thu, Dec 27, 2012 at 6:20 PM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>
>>> Hi Eric,
>>>
>>> On Tue, Nov 27, 2012 at 1:46 AM, Eric W. Biederman
>>> <ebiederm@xmission.com> wrote:
>>>>
>>>> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
>>>> ---
>>>> man2/clone.2 | 39 +++++++++++++++++++++++++++++++++++++++
>>>> 1 files changed, 39 insertions(+), 0 deletions(-)
>>>>
>>>> diff --git a/man2/clone.2 b/man2/clone.2
>>>> index 0582057..4566677 100644
>>>> --- a/man2/clone.2
>>>> +++ b/man2/clone.2
>>>> @@ -366,6 +366,45 @@ in the same
>>>> .BR clone ()
>>>> call.
>>>> .TP
>>>> +.BR CLONE_NEWUSER " (since Linux 3.6)"
>>>
>>> Why "since Linux 3.6"? As fas as I can see, CLONE_NEWUSER first gained
>>> some meaning in 2.6.29.
>>
>> Looking at it where I have said 3.6 that is wrong. I meant 3.5.
>
> Okay.
>
>> I think I made the same mistake in one or two other manpages. Nothing
>> was merged in 3.6 unfortunately.
>
> I think the other cases have been fixed by now.
>
>> My intent was these are the semantics of user namespaces since 3.5,
>> when my rework/refocusing of them was merged.
>>
>> Since 3.5 all that has really happened with user namespaces is the
>> uid/gid to kuid/kgid conversion, permission checks have been relaxed,
>> and a few bugs have been fixed.
>>
>> 3.8 is huge from a usability standpoint. 3.8 is huge because setns(),
>> and unshare() are now complete from a namespace perspective, and because
>> enough permission checks have been relaxed in user namespaces that you
>> can really start using them.
>>
>> But semantically from a user namespace perspective nothing really has
>> changed in 3.8.
>>
> [...]
>
>>> I reworked your text somewhat. Could you please review the following:
>>>
>>> [[
>>> CLONE_NEWUSER
>>> (This flag first became meaningful for clone() in Linux
>>> 2.6.29, but the implementation of user namespaces was
>>> only completed in Linux 3.8.)
>>
>> Long rant about 2.6.29 vs 3.8 above. I think what we need to say is:
>>
>> (This flag first became meaningful for clone() in Linux
>> 2.6.29, the current semantics were merged present in
>> 3.5, and user namespaces only really became usable in 3.8.)
>
> Yup. I've done something like that now.
>
>>> If CLONE_NEWUSER is set,
>>> then create the process in a new user namespace. If
>>> this flag is not set, then (as with fork(2)) the process
>>> is created in the same user namespace as the calling
>>> process.
>>>
>>> A user namespace provides an isolated environment for
>>> security related identifiers, in particular, user IDs,
>>> group IDs, keys (see keyctl(2)), and capabilities.
>>>
>>> When a user namespace is created, it starts out without
>>> a mapping of user IDs (group IDs) to the parent user
>>> namespace. The desired mapping of user IDs (group IDs)
>>> to the parent user namespace may be set by writing into
>>> /proc/[pid]/uid_map (/proc/[pid]/gid_map); see proc(5).
>>
>> /proc/[pid]/projid_map deserves a mention. Not that
>> I am a fan of project is or that xfs where the are
>> implemented has been converted yet but....
>
> Would you be able to send a patch documenting this in proc(5)?
Sure. I don't know why I didn't mention projid in my earlier patch.
Same story fewer permission checks. Silly me.
>>> The first process in a user namespace starts out with a
>>> complete set of capabilities with respect to the new
>>> user namespace.
>>>
>>> System calls that return user IDs (group IDs) will
>>> return either the user ID (group ID) mapped into the
>>> current user namespace if there is a mapping, or the
>>> overflow user ID (group ID); the default value for the
>>> overflow user ID (group ID) is 65534. See the descrip‐
>>> tions of /proc/sys/kernel/overflowuid and /proc/sys/ker‐
>>> nel/overflowgid in proc(5).
>>>
>>> Starting with Linux 3.8, no privileges are needed to
>>> create a user namespace, and mount, PID, IPC, net, and
>>> UTS namespaces can be created with just the
>>> CAP_SYS_ADMIN capability in the caller's user namespace.
>>>
>>> Over the years, there have been a lot of features that
>>> have been added to the Linux kernel that are only avail‐
>>> able to privileged users because of their potential to
>>> confuse set-user-ID-root applications. In general, it
>>> becomes safe to allow the root user in a user namespace
>>> to use those features because it is impossible, while in
>>> a user namespace, to gain more privilege than the root
>>> user of a user namespace has.
>>
>> I don't have any problems with this bit of text.
>>
>> It occurs to me that what is going on with capabilities and user
>> namespaces needs to be documented better. There was a minor bug with
>> them this release cycle and I realized while the current definition
>> makes sense and isn't hard to understand in general. In detail the
>> interaction of capabilities and user namespaces are hard to describe.
>>
>> I think capabilities and user namespaces are the work of a future patch
>> however.
>
> Okay. So, below, a new iteration of the text. Could you please check
> it over, and note any errors to be fixed or improvements to be made.
>
> Thanks,
>
> Michael
>
> CLONE_NEWUSER
> (This flag first became meaningful for clone() in Linux
> 2.6.23, the current clone() semantics were merged in
> Linux 3.5, and the final pieces to make the user names‐
> paces completely usable were merged in Linux 3.8.)
>
> If CLONE_NEWUSER is set, then create the process in a
> new user namespace. If this flag is not set, then (as
> with fork(2)) the process is created in the same user
> namespace as the calling process.
>
> A user namespace provides an isolated environment for
> security related identifiers, in particular, user IDs,
> group IDs, keys (see keyctl(2)), and capabilities.
>
> When a user namespace is created, it starts out without
> a mapping of user IDs (group IDs) to the parent user
> namespace. The desired mapping of user IDs (group IDs)
> to the parent user namespace may be set by writing into
> /proc/[pid]/uid_map (/proc/[pid]/gid_map); see proc(5).
>
> The first process in a user namespace starts out with a
> complete set of capabilities with respect to the new
> user namespace.
>
> System calls that return user IDs (group IDs) will
> return either the user ID (group ID) mapped into the
> current user namespace if there is a mapping, or the
> overflow user ID (group ID); the default value for the
> overflow user ID (group ID) is 65534. See the descrip‐
> tions of /proc/sys/kernel/overflowuid and /proc/sys/ker‐
> nel/overflowgid in proc(5).
>
> Use of this flag requires a kernel configured with the
> CONFIG_USER_NS option. Before Linux 3.8, use of
> CLONE_NEWUSER required that the caller have three capa‐
> bilities: CAP_SYS_ADMIN, CAP_SETUID, and CAP_SETGID.
> Starting with Linux 3.8, no privileges are needed to
> create a user namespace, and mount, PID, IPC, net, and
> UTS namespaces can be created with just the
> CAP_SYS_ADMIN capability in the caller's user namespace.
>
> Over the years, there have been a lot of features that
> have been added to the Linux kernel that are only avail‐
> able to privileged users because of their potential to
> confuse set-user-ID-root applications. In general, it
> becomes safe to allow the root user in a user namespace
> to use those features because it is impossible, while in
> a user namespace, to gain more privilege than the root
> user of a user namespace has.
I don't see anything wrong with that text.
Happy New Year.
Eric
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
next prev parent reply other threads:[~2013-01-01 9:45 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <87a9u4rmz0.fsf@xmission.com>
[not found] ` <87a9u4rmz0.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-27 0:46 ` [PATCH 1/4] proc.5: Document /proc/[pid]/uid_map and /proc/[pid]/gid_map Eric W. Biederman
[not found] ` <874nkbrhyv.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-27 9:03 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkixXmtvQUbwyv=a8mU=gdf-x+w-ou_4N=cNaau+hVoy4Q@mail.gmail.com>
[not found] ` <CAKgNAkixXmtvQUbwyv=a8mU=gdf-x+w-ou_4N=cNaau+hVoy4Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-27 16:58 ` Eric W. Biederman
2012-12-27 17:23 ` Eric W. Biederman
[not found] ` <87licjv276.fsf@xmission.com>
[not found] ` <87licjv276.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-27 18:39 ` Michael Kerrisk (man-pages)
[not found] ` <87obhfxwhb.fsf@xmission.com>
[not found] ` <87obhfxwhb.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-28 19:20 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkjs9T-s8SG-EgTT0O-Uj8S98Q_zfnMqnZ1ROrcYqh7Z5w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-28 21:20 ` Eric W. Biederman
[not found] ` <87vcbldgbj.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-01 9:37 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkjf=KS5FnP0L-TPTCjQuTDAMs-N4cadAP89L4Mb3KubzQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-01 10:12 ` Eric W. Biederman
[not found] ` <87r4m51abp.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-14 8:59 ` Michael Kerrisk (man-pages)
2012-11-27 0:46 ` [PATCH 2/4] clone.2: Describe the user namespace Eric W. Biederman
2012-11-27 0:47 ` [PATCH 3/4] proc.5: Document the proc files for the user, mount, and pid namespaces Eric W. Biederman
[not found] ` <87pq2zq3b6.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-27 10:28 ` Michael Kerrisk (man-pages)
2012-11-27 0:48 ` [PATCH 4/4] setns.2: Document the pid, user, and mount namespace support Eric W. Biederman
[not found] ` <87y5hnq3d5.fsf@xmission.com>
[not found] ` <87y5hnq3d5.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-27 10:16 ` [PATCH 2/4] clone.2: Describe the user namespace Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkgXWp49wXKom9hMm9fajKVOAwOmFzPdKWBesbBhfZEssA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-27 17:20 ` Eric W. Biederman
[not found] ` <87r4mbv2c9.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-01 9:30 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkgPET9jex1DO=1Z3HRQqO_WVD8qmG-UaH1DQB6wDGqO5A@mail.gmail.com>
[not found] ` <CAKgNAkgPET9jex1DO=1Z3HRQqO_WVD8qmG-UaH1DQB6wDGqO5A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-01 9:45 ` Eric W. Biederman [this message]
2012-12-27 17:47 ` Eric W. Biederman
[not found] ` <87sj6rs7zc.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-01 9:29 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkgRQXn0-x6CXxvW94eeG19dOAOEx78iNC0+w08uX+Sg1w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-01 9:39 ` Eric W. Biederman
[not found] ` <87a9st5jj4.fsf@xmission.com>
[not found] ` <87a9st5jj4.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-07 8:33 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkggMKib5v4ND9UR1jH=CrK-viM5hhfmc0Rw=mP5GbenSg@mail.gmail.com>
[not found] ` <CAKgNAkggMKib5v4ND9UR1jH=CrK-viM5hhfmc0Rw=mP5GbenSg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-07 8:59 ` Eric W. Biederman
[not found] ` <87k3t7q39u.fsf@xmission.com>
[not found] ` <87k3t7q39u.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-27 11:08 ` [PATCH 4/4] setns.2: Document the pid, user, and mount namespace support Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkiaw5L_oNE8NENjmoBS8Hq_uj+iaEdhyXc1+hje4HdnNQ@mail.gmail.com>
[not found] ` <CAKgNAkiaw5L_oNE8NENjmoBS8Hq_uj+iaEdhyXc1+hje4HdnNQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-27 17:40 ` Eric W. Biederman
[not found] ` <87bodftmv0.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-01 9:30 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkjJR02rKOBh98n7HJwXqAwywHY=Ef35t9tW7wOuyo86NQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-01 9:58 ` Eric W. Biederman
[not found] ` <87mwwt2pj8.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-07 9:51 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkggEOV0dXVzr4Zf3n_-it5SXfvjJ1ooYxiVNWaYzQgRLg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-01-07 23:58 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zk0t44ov.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox