From: bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org
To: linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: [Bug 120671] missing info about userns restrictions
Date: Tue, 21 Jun 2016 08:48:18 +0000 [thread overview]
Message-ID: <bug-120671-11311-HIWHdb9Viq@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-120671-11311-3bo0kxnWaOQUvHkbgXJLS5sdmw4N0Rt+2LY78lusg7I@public.gmane.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=120671
Michael Kerrisk <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |CODE_FIX
--- Comment #6 from Michael Kerrisk <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> ---
(In reply to Michał Zegan from comment #5)
> yes, what I mean is just to make soe things more detailed in case someone
> wonders.
Fair enough. See the new text below, which I've added to the man page.
> About filesystes, you can try to test mounting an ext4 filesystem after
> doing unshare of both userns and mountns, almost sure you will fail. I mean
> mounting the fs from inside of the ns. I may test that too when I have time,
> to be sure, but I am almost certain that is the case, especially that
> mounting an arbitrary fs could be a security risk because uids are not
> shifted.
When you've tested to see check that there's an issue, please reopen this bug
if needed. For now, I consider the problem to be addressed, as per the new text
below, so I'll close.
Cheers,
Michael
Having a capability inside a user namespace permits a process
to perform operations (that require privilege) only on
resources governed by that namespace. In other words, having a
capability in a user namespace permits a process to perform
privileged operations on resources that are governed by
(nonuser) namespaces associated with the user namespace (see
the next subsection). On the other hand, there are many privi‐
leged operations that affect resources that are not associated
with any namespace type, for example, changing the system time
(governed by CAP_SYS_TIME), loading a kernel module (governed
by CAP_SYS_MODULE), and creating a device (governed by
CAP_MKNOD). Only a process with privileges in the initial user
namespace can perform such operations.
--
You are receiving this mail because:
You are watching the assignee of the bug.--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2016-06-21 8:48 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-20 13:22 [Bug 120671] New: missing info about userns restrictions bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
[not found] ` <bug-120671-11311-3bo0kxnWaOQUvHkbgXJLS5sdmw4N0Rt+2LY78lusg7I@public.gmane.org/>
2016-06-20 14:26 ` [Bug 120671] " bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-06-20 14:36 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-06-20 14:39 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-06-20 20:18 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-06-20 20:32 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-06-21 8:48 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r [this message]
2016-06-21 9:12 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-06-21 9:25 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-06-21 11:54 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-06-21 14:15 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-06-21 19:56 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-06-21 20:02 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-07-05 9:23 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-07-05 13:29 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-07-05 14:01 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-07-05 16:02 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-07-07 12:33 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
2016-07-07 12:46 ` bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-120671-11311-HIWHdb9Viq@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon-590eeb7gvniway/ihj7yzeb+6bgklq7r@public.gmane.org \
--cc=linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.