| author | Karel Zak | 2015-01-08 11:51:58 +0100 |
|---|---|---|
| committer | Karel Zak | 2015-01-09 10:35:16 +0100 |
| commit | fbceefded6645de693d576cd988a703a6f60d207 | |
| tree | 9ca52ab8d876e470fd64601c7e7eac1e577fe36c /sys-utils/unshare.1 | |
| parent | unshare: Fix --map-root-user to work on new kernels | |
unshare: add --setgroups=deny|allow
Since Linux 3.19 the file /proc/self/setgroups controls setgroups(2)
syscall usage in user namespaces. This patch provides a command line knob
for this feature.
The new --setgroups does not automatically imply --user, to avoid
complexity; it is the user's responsibility to use it in the right context. The
exception is --map-root-user, which is mutually exclusive with
--setgroups=allow.
CC: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
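The kernel interface the commit message describes, as an added C example that is not util-linux code: since Linux 3.19 an unprivileged process must write "deny" to /proc/self/setgroups before it may write /proc/self/gid_map, so the order of the three writes matters. The helper names (write_file, format_id_map, map_root_user) are mine; map_root_user() performs the same sequence --map-root-user uses, and calling it with deny_setgroups=0 shows the failure mode, because the gid_map write is refused.

```c
/* Added example, not part of util-linux: the setgroups/gid_map ordering
 * enforced by Linux >= 3.19 for unprivileged user namespaces. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Write a short string to an existing file; 0 on success, -errno on failure. */
static int write_file(const char *path, const char *buf)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, buf, strlen(buf));
    int err = n < 0 ? -errno : 0;
    close(fd);
    return err;
}

/* Build the one-line "inside outside count" map that --map-root-user writes. */
static int format_id_map(char *out, size_t len, unsigned inside, unsigned outside)
{
    int n = snprintf(out, len, "%u %u 1\n", inside, outside);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Create a user namespace and map the caller's UID/GID to root inside it.
 * With deny_setgroups == 0 the gid_map write fails with -EPERM for an
 * unprivileged caller on Linux >= 3.19: the kernel refuses the GID map
 * until setgroups(2) has been permanently disabled for the namespace. */
int map_root_user(int deny_setgroups)
{
    uid_t uid = geteuid();
    gid_t gid = getegid();
    char map[64];
    int rc;

    if (unshare(CLONE_NEWUSER) < 0)
        return -errno;
    format_id_map(map, sizeof map, 0, uid);
    if ((rc = write_file("/proc/self/uid_map", map)) < 0)
        return rc;
    if (deny_setgroups && (rc = write_file("/proc/self/setgroups", "deny")) < 0)
        return rc;
    format_id_map(map, sizeof map, 0, gid);
    return write_file("/proc/self/gid_map", map);
}
```

Running map_root_user(1) from an unprivileged process leaves it as uid 0 inside the new namespace with setgroups(2) unavailable, which is the state unshare --map-root-user produces.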
Diffstat (limited to 'sys-utils/unshare.1')
-rw-r--r-- | sys-utils/unshare.1 | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/sys-utils/unshare.1 b/sys-utils/unshare.1 index 1aa9bcb50..c9e159d96 100644 --- a/sys-utils/unshare.1 +++ b/sys-utils/unshare.1 @@ -85,6 +85,21 @@ conveniently gain capabilities needed to manage various aspects of the newly cre namespaces (such as configuring interfaces in the network namespace or mounting filesystems in the mount namespace) even when run unprivileged. As a mere convenience feature, it does not support more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs. +This option implies --setgroups=deny. +.TP +.BR \-s , " \-\-setgroups \fIallow|deny\fP" +Allow or deny +.BR setgroups (2) +syscall in user namespaces. + +.BR setgroups(2) +is only callable with CAP_SETGID and CAP_SETGID in a user +namespace (since Linux 3.19) does not give you permission to call setgroups(2) +until after GID map has been set. The GID map is writable by root when +.BR setgroups(2) +is enabled and GID map becomes writable by unprivileged processes when +.BR setgroups(2) +is permamently disabled. .TP .BR \-V , " \-\-version" Display version information and exit. |
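Review bot: the new paragraph's sentence "is only callable with CAP_SETGID and CAP_SETGID in a user namespace (since Linux 3.19) does not give you permission to call setgroups(2) until after GID map has been set" runs two statements together and is hard to parse; suggest splitting it, for instance "setgroups(2) is only callable with CAP_SETGID. Since Linux 3.19, CAP_SETGID in a user namespace does not permit calling setgroups(2) until the GID map has been set." In the same paragraph fix the typo "permamently" to "permanently", and use the two-argument form `.BR setgroups (2)` throughout: the three later `.BR setgroups(2)` lines pass a single argument, so the section number renders bold instead of roman, and the blank line after "syscall in user namespaces." should be `.PP` rather than an empty line. Since the commit message states that --map-root-user is mutually exclusive with --setgroups=allow, the man page should say that the combination is rejected rather than only that --map-root-user implies --setgroups=deny, and the synopsis `\-\-setgroups \fIallow|deny\fP` would be clearer written with `=` to match the --setgroups=deny|allow form used in the subject line.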