[PATCH 1/4] proc.5: Document /proc/[pid]/uid_map and /proc/[pid]/gid_map

Michael Kerrisk (man-pages) mtk.manpages at gmail.com
Mon Jan 14 08:59:08 UTC 2013


Hi Eric,

On Tue, Jan 1, 2013 at 11:12 AM, Eric W. Biederman
<ebiederm at xmission.com> wrote:
> "Michael Kerrisk (man-pages)" <mtk.manpages at gmail.com> writes:
>
>> Hi Eric,
>>
>> On Fri, Dec 28, 2012 at 10:20 PM, Eric W. Biederman
>> <ebiederm at xmission.com> wrote:
>>> "Michael Kerrisk (man-pages)" <mtk.manpages at gmail.com> writes:
>>
>> [...]
>>
>>>>> For writing you are correct about the mapping to the parent (but that is
>>>>> not an exception that is a restriction on who can write to the file).
>>>>
>>>> So, by the way, I added this sentence to the page:
>>>>
>>>>               In   order   to   write   to   the   /proc/[pid]/uid_map
>>>>               (/proc/[pid]/gid_map) file,  a  process  must  have  the
>>>>               CAP_SETUID (CAP_SETGID) capability in the user namespace
>>>>               of the process pid.
>>>>
>>>> Is that correct?
>>>
>>> Yes.
>>>
>>>> But, there appear to be more rules than this governing whether a
>>>> process can write to the file (i.e., various other -EPERM cases). What
>>>> are the rules?
>>>
>>> In general you must also have CAP_SETUID (CAP_SETGID) in the parent user
>>> namespace as well.  The one exception to that is if you are mapping
>>> your current uid and gid.
>>
>> Can you clarify what you mean by "mapping your own UID and GID" please
>> (i.e., who is "you" in that sentence)?
>
> At the time of clone() or unshare() that creates a new user namespace,
> the kuid and the kgid of the process do not change.
>
> setuid and setgid fail before any mappings are set up.
>
> Therefore the caller is allowed to map any single uid to the uid of the
> caller in the parent user namespace.  Likewise the caller is allowed to
> map any single gid to the gid of the caller in the parent user
> namespace.

So, then, is the following text now correct and complete?

       In  order  for  a  process  to write to the /proc/[pid]/uid_map
       (/proc/[pid]/gid_map) file, the following requirements must  be
       met:

       *  The process must have the CAP_SETUID (CAP_SETGID) capability
          in the user namespace of the process pid.

       *  The process must have the CAP_SETUID (CAP_SETGID) capability
          in the parent user namespace.  There is an exception to this
          requirement: a  process  writing  to  uid_map  (gid_map)  is
          allowed  to  map any single UID (GID) to the file system UID
          (GID) of the caller in the parent user namespace.

       *  The process must be in either  the  user  namespace  of  the
          process  pid  or  inside  the  parent  user namespace of the
          process pid.

Cheers,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface"; http://man7.org/tlpi/
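The exception Eric describes above (a process without CAP_SETUID in the parent namespace may still map a single UID to its own UID there) is the case an unprivileged program hits in practice. The program below is an added illustration written for this page; it is not code from the thread, from Eric, or from the man-pages project. It records the caller's effective UID, creates a new user namespace with unshare(CLONE_NEWUSER), writes the single line "0 <that-uid> 1" to /proc/self/uid_map, and reads the mapping back. The helper names (format_id_map, parse_id_map_line, id_map_line_is_valid, id_map_roundtrip, write_proc_file) are this example's own; gid_map takes the same line format but is not written here. It assumes Linux with user namespaces enabled and glibc, and the CLONE_NEWUSER fallback value is the kernel's constant, included only in case <sched.h> was read before _GNU_SOURCE took effect.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000  /* fallback if <sched.h> was seen without _GNU_SOURCE */
#endif
int unshare(int flags);           /* same reason: make sure the prototype exists */

/* Build the one-line mapping "ID-inside-ns ID-outside-ns length\n" that
 * /proc/[pid]/uid_map and /proc/[pid]/gid_map accept.  Returns the bytes
 * written, or -1 if buf is too small. */
int format_id_map(char *buf, size_t bufsz,
                  unsigned inside, unsigned outside, unsigned length)
{
    int n = snprintf(buf, bufsz, "%u %u %u\n", inside, outside, length);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : n;
}

/* Parse one mapping line as the kernel prints it back (fields may be
 * space-padded).  Returns 0 only if exactly three unsigned fields are
 * present: the trailing %c matches only when junk follows them. */
int parse_id_map_line(const char *line,
                      unsigned *inside, unsigned *outside, unsigned *length)
{
    char junk;
    int got = sscanf(line, " %u %u %u %c", inside, outside, length, &junk);
    return got == 3 ? 0 : -1;
}

/* 1 if line is a well-formed mapping line, else 0. */
int id_map_line_is_valid(const char *line)
{
    unsigned a, b, c;
    return parse_id_map_line(line, &a, &b, &c) == 0;
}

/* 1 if formatting a triple and parsing it back yields the same triple. */
int id_map_roundtrip(unsigned inside, unsigned outside, unsigned length)
{
    char buf[64];
    unsigned a, b, c;
    if (format_id_map(buf, sizeof buf, inside, outside, length) < 0)
        return 0;
    if (parse_id_map_line(buf, &a, &b, &c) != 0)
        return 0;
    return a == inside && b == outside && c == length;
}

/* Write text to a /proc file in a single write(2), as the map files
 * require.  Returns 0 on success, -errno on failure. */
int write_proc_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t w = write(fd, text, strlen(text));
    int err = errno;
    close(fd);
    return w < 0 ? -err : 0;
}

int main(void)
{
    /* The caller's UID in the parent namespace, recorded before unsharing:
     * the only outside UID a writer without CAP_SETUID there may map. */
    unsigned outside_uid = (unsigned)geteuid();
    unsigned in, out, len;
    char line[64];

    if (unshare(CLONE_NEWUSER) == -1) {
        perror("unshare(CLONE_NEWUSER)");
        return 1;
    }

    /* Map UID 0 inside the new namespace to our own UID outside it. */
    format_id_map(line, sizeof line, 0, outside_uid, 1);
    int rc = write_proc_file("/proc/self/uid_map", line);
    if (rc < 0) {  /* EPERM: one of the rules in the thread was not met */
        fprintf(stderr, "write uid_map: %s\n", strerror(-rc));
        return 1;
    }

    /* Read the map back and show the triple the kernel recorded. */
    FILE *f = fopen("/proc/self/uid_map", "r");
    if (f == NULL || fgets(line, sizeof line, f) == NULL) {
        perror("read uid_map");
        return 1;
    }
    fclose(f);
    if (parse_id_map_line(line, &in, &out, &len) == 0)
        printf("uid_map: %u -> %u (length %u); euid inside namespace = %u\n",
               in, out, len, (unsigned)geteuid());
    return 0;
}
```

Run as an ordinary user, the write succeeds because the outside UID in the line is the caller's own; changing it to any other UID makes the same write fail with EPERM unless the caller holds CAP_SETUID in the parent namespace, which is the second rule in the draft text. The map is written with one write(2) call deliberately: the kernel accepts the whole mapping in a single write and the file cannot be written again afterwards.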