* Issue in man page user_namespaces.7
@ 2022-12-04 9:07 Helge Kreutzmann
2022-12-04 20:20 ` Alejandro Colomar
0 siblings, 1 reply; 20+ messages in thread
From: Helge Kreutzmann @ 2022-12-04 9:07 UTC (permalink / raw)
To: alx.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue: Text missing? in order to drop → in order to drop privileges?
"/* Linux 3.19 made a change in the handling of setgroups(2) and the\n"
" \\(aqgid_map\\(aq file to address a security issue. The issue allowed\n"
" *unprivileged* users to employ user namespaces in order to drop\n"
" The upshot of the 3.19 changes is that in order to update the\n"
" \\(aqgid_maps\\(aq file, use of the setgroups() system call in this\n"
" user namespace must first be disabled by writing \"deny\" to one of\n"
" the /proc/PID/setgroups files for this namespace. That is the\n"
" purpose of the following function. */\n"
* Re: Issue in man page user_namespaces.7
2022-12-04 9:07 Issue in man page user_namespaces.7 Helge Kreutzmann
@ 2022-12-04 20:20 ` Alejandro Colomar
0 siblings, 0 replies; 20+ messages in thread
From: Alejandro Colomar @ 2022-12-04 20:20 UTC (permalink / raw)
To: Helge Kreutzmann; +Cc: mario.blaettermann, linux-man
On 12/4/22 10:07, Helge Kreutzmann wrote:
> Without further ado, the following was found:
>
> Issue: Text missing? in order to drop → in order to drop privileges?
From what I read, I think it wanted to say "drop groups".
Fixed. Thanks!
Cheers,
Alex
>
> "/* Linux 3.19 made a change in the handling of setgroups(2) and the\n"
> " \\(aqgid_map\\(aq file to address a security issue. The issue allowed\n"
> " *unprivileged* users to employ user namespaces in order to drop\n"
> " The upshot of the 3.19 changes is that in order to update the\n"
> " \\(aqgid_maps\\(aq file, use of the setgroups() system call in this\n"
> " user namespace must first be disabled by writing \"deny\" to one of\n"
> " the /proc/PID/setgroups files for this namespace. That is the\n"
> " purpose of the following function. */\n"
--
<http://www.alejandro-colomar.es/>
* Re: Issue in man page user_namespaces.7
2023-03-12 5:06 ` Helge Kreutzmann
@ 2023-03-12 10:55 ` Alejandro Colomar
0 siblings, 0 replies; 20+ messages in thread
From: Alejandro Colomar @ 2023-03-12 10:55 UTC (permalink / raw)
To: Helge Kreutzmann; +Cc: mario.blaettermann, linux-man, G. Branden Robinson
Hi Helge,
On 3/12/23 06:06, Helge Kreutzmann wrote:
> Hello Alex,
> On Sun, Mar 12, 2023 at 12:25:12AM +0100, Alejandro Colomar wrote:
>> Hi Helge,
>>
>> On 3/11/23 18:13, Helge Kreutzmann wrote:
>>> Without further ado, the following was found:
>>>
>>> Issue: /proc/I<pid>/setgroups → I</proc/>pidI</setgroups
>>
>> I don't find this. Please report with more context.
>
> Writing "deny" to the /proc/pid/setgroups file before writing to /proc/pid/gid_map will permanently disable setgroups(2) in a user namespace and allow writing to /proc/pid/gid_map without having the CAP_SETGID capability in the
> parent user namespace.
>
> The /proc/pid/setgroups file
> The /proc/pid/setgroups file displays the string "allow" if processes in the user namespace that contains the process pid are permitted to employ the setgroups(2) system call; it displays "deny" if setgroups(2) is not permitted
> in that user namespace. Note that regardless of the value in the /proc/pid/setgroups file (and regardless of the process's capabilities), calls to setgroups(2) are also not permitted if /proc/pid/gid_map has not yet been set.
>
>> Cheers,
>>
>> Alex
>>
>>>
>>> "The /proc/I<pid>/setgroups file"
>
>
> I assume this is as intended, i.e. like in the other bug report
> where you said you fixed it the other way around?
>
> Then I add a WONTFIX, of course.
Ahh, now I understand. Since you didn't use B<> in the report,
I didn't think you referred to the subsection heading.
Now that I think, it should be inverted here too. The file name
should be in italics, and the variable part in roman.
Cheers,
Alex
>
> Greetings
>
> Helge
>
--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
* Re: Issue in man page user_namespaces.7
2023-03-11 23:25 ` Alejandro Colomar
@ 2023-03-12 5:06 ` Helge Kreutzmann
2023-03-12 10:55 ` Alejandro Colomar
0 siblings, 1 reply; 20+ messages in thread
From: Helge Kreutzmann @ 2023-03-12 5:06 UTC (permalink / raw)
To: Alejandro Colomar; +Cc: mario.blaettermann, linux-man
Hello Alex,
On Sun, Mar 12, 2023 at 12:25:12AM +0100, Alejandro Colomar wrote:
> Hi Helge,
>
> On 3/11/23 18:13, Helge Kreutzmann wrote:
> > Without further ado, the following was found:
> >
> > Issue: /proc/I<pid>/setgroups → I</proc/>pidI</setgroups
>
> I don't find this. Please report with more context.
Writing "deny" to the /proc/pid/setgroups file before writing to /proc/pid/gid_map will permanently disable setgroups(2) in a user namespace and allow writing to /proc/pid/gid_map without having the CAP_SETGID capability in the
parent user namespace.
The /proc/pid/setgroups file
The /proc/pid/setgroups file displays the string "allow" if processes in the user namespace that contains the process pid are permitted to employ the setgroups(2) system call; it displays "deny" if setgroups(2) is not permitted
in that user namespace. Note that regardless of the value in the /proc/pid/setgroups file (and regardless of the process's capabilities), calls to setgroups(2) are also not permitted if /proc/pid/gid_map has not yet been set.
> Cheers,
>
> Alex
>
> >
> > "The /proc/I<pid>/setgroups file"
I assume this is as intended, i.e. like in the other bug report
where you said you fixed it the other way around?
Then I add a WONTFIX, of course.
Greetings
Helge
--
Dr. Helge Kreutzmann debian@helgefjell.de
Dipl.-Phys. http://www.helgefjell.de/debian.php
64bit GNU powered gpg signed mail preferred
Help keep free software "libre": http://www.ffii.de/
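Added example (not part of this thread and not the man-pages project's code): the ordering described in the man-page text quoted in the message above, writing "deny" to the setgroups file, confirming it, and only then writing gid_map. The function and parameter names are this example's own, and refusing to continue when the setgroups file is missing is an assumption of the example, not something the thread specifies.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open dir/name; dir is /proc/PID in real use (names are this example's). */
static int open_in(const char *dir, const char *name, int flags)
{
    char path[4096];
    snprintf(path, sizeof(path), "%s/%s", dir, name);
    return open(path, flags | O_CLOEXEC);
}

/* Write s with a single write(2); no O_CREAT, so a missing file is an error. */
static int write_file(const char *dir, const char *name, const char *s)
{
    int fd = open_in(dir, name, O_WRONLY | O_TRUNC);
    if (fd == -1)
        return -errno;
    ssize_t n = write(fd, s, strlen(s));
    int rc = (n == (ssize_t)strlen(s)) ? 0 : (n == -1 ? -errno : -EIO);
    close(fd);
    return rc;
}

/* Read the file into buf as a NUL-terminated string. Returns 0 or -errno. */
static int read_file(const char *dir, const char *name, char *buf, size_t len)
{
    int fd = open_in(dir, name, O_RDONLY);
    if (fd == -1)
        return -errno;
    ssize_t n = read(fd, buf, len - 1);
    int rc = (n == -1) ? -errno : 0;
    buf[n > 0 ? n : 0] = '\0';
    close(fd);
    return rc;
}

/* Map one GID: "deny" first, verify it took effect, only then write gid_map.
   Returns 0 or -errno. Assumption: a missing setgroups file is a hard error. */
int map_gid_unprivileged(const char *procdir, unsigned long in, unsigned long out)
{
    char buf[64];
    int rc = write_file(procdir, "setgroups", "deny");
    if (rc == 0)
        rc = read_file(procdir, "setgroups", buf, sizeof(buf));
    if (rc != 0)
        return rc;              /* gid_map is left untouched */
    if (strncmp(buf, "deny", 4) != 0)
        return -EPERM;          /* setgroups(2) still reported as allowed */
    snprintf(buf, sizeof(buf), "%lu %lu 1\n", in, out);
    return write_file(procdir, "gid_map", buf);
}

int main(int argc, char **argv)
{
    if (argc != 4)
        return 2;               /* usage: prog /proc/PID inside-gid outside-gid */
    return map_gid_unprivileged(argv[1], strtoul(argv[2], NULL, 10),
                                strtoul(argv[3], NULL, 10)) != 0;
}
```

Taking the directory as a parameter lets the ordering be exercised against a constructed fixture directory as well as a real /proc/PID.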
* Re: Issue in man page user_namespaces.7
2023-03-11 17:13 Helge Kreutzmann
@ 2023-03-11 23:25 ` Alejandro Colomar
2023-03-12 5:06 ` Helge Kreutzmann
0 siblings, 1 reply; 20+ messages in thread
From: Alejandro Colomar @ 2023-03-11 23:25 UTC (permalink / raw)
To: Helge Kreutzmann; +Cc: mario.blaettermann, linux-man
Hi Helge,
On 3/11/23 18:13, Helge Kreutzmann wrote:
> Without further ado, the following was found:
>
> Issue: /proc/I<pid>/setgroups → I</proc/>pidI</setgroups
I don't find this. Please report with more context.
Cheers,
Alex
>
> "The /proc/I<pid>/setgroups file"
--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
* Issue in man page user_namespaces.7
@ 2023-03-11 17:13 Helge Kreutzmann
2023-03-11 23:25 ` Alejandro Colomar
0 siblings, 1 reply; 20+ messages in thread
From: Helge Kreutzmann @ 2023-03-11 17:13 UTC (permalink / raw)
To: alx.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue: /proc/I<pid>/setgroups → I</proc/>pidI</setgroups
"The /proc/I<pid>/setgroups file"
* Re: Issue in man page user_namespaces.7
2023-01-22 19:31 Helge Kreutzmann
@ 2023-01-22 21:16 ` Alejandro Colomar
0 siblings, 0 replies; 20+ messages in thread
From: Alejandro Colomar @ 2023-01-22 21:16 UTC (permalink / raw)
To: Helge Kreutzmann; +Cc: mario.blaettermann, linux-man
Hi Helge,
On 1/22/23 20:31, Helge Kreutzmann wrote:
> Without further ado, the following was found:
>
> Issue 1: I</proc/ pid /setgroups> → I</proc/>pidI</setgroups>
> Issue 2: I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>
> Issue 3: I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>
>
> "Writing \"I<deny>\" to the I</proc/ pid /setgroups> file before writing to"
> "I</proc/ pid /gid_map> will permanently disable B<setgroups>(2) in a user"
> "namespace and allow writing to I</proc/ pid /gid_map> without having the"
> "B<CAP_SETGID> capability in the parent user namespace."
Fixed.
Thanks,
Alex
commit d752f865c0355435519c41470ad4cf33ae8557ae (HEAD -> master)
Author: Alejandro Colomar <alx@kernel.org>
Date: Sun Jan 22 22:15:17 2023 +0100
user_namespaces.7: ffix
Reported-by: Helge Kreutzmann <debian@helgefjell.de>
Cc: Mario Blaettermann <mario.blaettermann@gmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index 838c09278..73d8a4eb8 100644
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -722,9 +722,9 @@ .SS Interaction with system calls that change process UIDs
or GIDs
Writing
.RI \(dq deny \(dq
to the
-.I /proc/ pid /setgroups
+.IR /proc/ pid /setgroups
file before writing to
-.I /proc/ pid /gid_map
+.IR /proc/ pid /gid_map
.\" Things changed in Linux 3.19
.\" commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
.\" commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
@@ -732,14 +732,14 @@ .SS Interaction with system calls that change process UIDs
or GIDs
will permanently disable
.BR setgroups (2)
in a user namespace and allow writing to
-.I /proc/ pid /gid_map
+.IR /proc/ pid /gid_map
without having the
.B CAP_SETGID
capability in the parent user namespace.
.\"
.\" ============================================================
.\"
-.SS The /proc/ pid /setgroups file
+.SS The /proc/\fIpid\fP/setgroups file
.\"
.\" commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
.\" commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
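Review bot: the .SS heading changed in this hunk marks up the path the opposite way from the .IR lines just above it. With "\fIpid\fP" the variable part is italic and /proc/ and /setgroups stay in the heading font, whereas ".IR /proc/ pid /gid_map" sets the path components in italics and leaves pid in roman. Suggest making the heading follow the same convention as the body text (file name in italics, variable part not), so the same path is not rendered two ways within one section.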
@@ -839,7 +839,7 @@ .SS The /proc/ pid /setgroups file
this user namespace.
.PP
The
-.I /proc/ pid /setgroups
+.IR /proc/ pid /setgroups
file was added in Linux 3.19,
but was backported to many earlier stable kernel series,
because it addresses a security issue.
--
<http://www.alejandro-colomar.es/>
* Issue in man page user_namespaces.7
@ 2023-01-22 19:31 Helge Kreutzmann
0 siblings, 0 replies; 20+ messages in thread
From: Helge Kreutzmann @ 2023-01-22 19:31 UTC (permalink / raw)
To: alx.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue: /proc/ pid /setgroups → I</proc/>pidI</setgroups
"The /proc/ pid /setgroups file"
* Issue in man page user_namespaces.7
@ 2023-01-22 19:31 Helge Kreutzmann
2023-01-22 21:16 ` Alejandro Colomar
0 siblings, 1 reply; 20+ messages in thread
From: Helge Kreutzmann @ 2023-01-22 19:31 UTC (permalink / raw)
To: alx.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue 1: I</proc/ pid /setgroups> → I</proc/>pidI</setgroups>
Issue 2: I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>
Issue 3: I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>
"Writing \"I<deny>\" to the I</proc/ pid /setgroups> file before writing to "
"I</proc/ pid /gid_map> will permanently disable B<setgroups>(2) in a user "
"namespace and allow writing to I</proc/ pid /gid_map> without having the "
"B<CAP_SETGID> capability in the parent user namespace."
* Re: Issue in man page user_namespaces.7
2022-12-04 9:07 Helge Kreutzmann
@ 2022-12-04 20:15 ` Alejandro Colomar
0 siblings, 0 replies; 20+ messages in thread
From: Alejandro Colomar @ 2022-12-04 20:15 UTC (permalink / raw)
To: Helge Kreutzmann; +Cc: mario.blaettermann, linux-man
On 12/4/22 10:07, Helge Kreutzmann wrote:
> Without further ado, the following was found:
>
> Issue: I<usage()> → I<usage>()
>
> "The program below is designed to allow experimenting with user namespaces,"
> "as well as other types of namespaces. It creates namespaces as specified by"
> "command-line options and then executes a command inside those namespaces."
> "The comments and I<usage()> function inside the program provide a full"
> "explanation of the program. The following shell session demonstrates its"
> "use."
Fixed. Thanks.
--
<http://www.alejandro-colomar.es/>
* Re: Issue in man page user_namespaces.7
2022-12-04 9:07 Helge Kreutzmann
@ 2022-12-04 20:14 ` Alejandro Colomar
0 siblings, 0 replies; 20+ messages in thread
From: Alejandro Colomar @ 2022-12-04 20:14 UTC (permalink / raw)
To: Helge Kreutzmann; +Cc: mario.blaettermann, linux-man
On 12/4/22 10:07, Helge Kreutzmann wrote:
> Without further ado, the following was found:
>
> Issue 1: The same is also of other → The same is true also for other
> Issue 2: Missing full stop at the end
>
> "In order to determine permissions when an unprivileged process accesses a"
> "file, the process credentials (UID, GID) and the file credentials are in"
> "effect mapped back to what they would be in the initial user namespace and"
> "then compared to determine the permissions that the process has on the"
> "file. The same is also of other objects that employ the credentials plus"
> "permissions mask accessibility model, such as System V IPC objects"
Fixed. Thanks.
--
<http://www.alejandro-colomar.es/>
* Issue in man page user_namespaces.7
@ 2022-12-04 9:07 Helge Kreutzmann
0 siblings, 0 replies; 20+ messages in thread
From: Helge Kreutzmann @ 2022-12-04 9:07 UTC (permalink / raw)
To: alx.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue: /proc/[pid]/setgroups → I</proc/[PID]/setgroups>
"The /proc/[pid]/setgroups file"
* Issue in man page user_namespaces.7
@ 2022-12-04 9:07 Helge Kreutzmann
2022-12-04 20:15 ` Alejandro Colomar
0 siblings, 1 reply; 20+ messages in thread
From: Helge Kreutzmann @ 2022-12-04 9:07 UTC (permalink / raw)
To: alx.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue: I<usage()> → I<usage>()
"The program below is designed to allow experimenting with user namespaces, "
"as well as other types of namespaces. It creates namespaces as specified by "
"command-line options and then executes a command inside those namespaces. "
"The comments and I<usage()> function inside the program provide a full "
"explanation of the program. The following shell session demonstrates its "
"use."
* Issue in man page user_namespaces.7
@ 2022-12-04 9:07 Helge Kreutzmann
2022-12-04 20:14 ` Alejandro Colomar
0 siblings, 1 reply; 20+ messages in thread
From: Helge Kreutzmann @ 2022-12-04 9:07 UTC (permalink / raw)
To: alx.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue 1: The same is also of other → The same is true also for other
Issue 2: Missing full stop at the end
"In order to determine permissions when an unprivileged process accesses a "
"file, the process credentials (UID, GID) and the file credentials are in "
"effect mapped back to what they would be in the initial user namespace and "
"then compared to determine the permissions that the process has on the "
"file. The same is also of other objects that employ the credentials plus "
"permissions mask accessibility model, such as System V IPC objects"
* Issue in man page user_namespaces.7
@ 2022-12-04 9:07 Helge Kreutzmann
0 siblings, 0 replies; 20+ messages in thread
From: Helge Kreutzmann @ 2022-12-04 9:07 UTC (permalink / raw)
To: alx.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue 1: I</proc/ pid /setgroups> → I</proc/>pidI</setgroups>
Issue 2: I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>
Issue 3: I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>
"Writing \"I<deny>\" to the I</proc/ pid /setgroups> file before writing to "
"I</proc/ pid /gid_map> will permanently disable B<setgroups>(2) in a user "
"namespace and allow writing to I</proc/ pid /gid_map> without having the "
"B<CAP_SETGID> capability in the parent user namespace."
* Issue in man page user_namespaces.7
@ 2022-12-04 9:07 Helge Kreutzmann
0 siblings, 0 replies; 20+ messages in thread
From: Helge Kreutzmann @ 2022-12-04 9:07 UTC (permalink / raw)
To: alx.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue: /proc/ pid /setgroups → I</proc/>pidI</setgroups
"The /proc/ pid /setgroups file"
* Issue in man page user_namespaces.7
@ 2022-03-13 12:34 Helge Kreutzmann
0 siblings, 0 replies; 20+ messages in thread
From: Helge Kreutzmann @ 2022-03-13 12:34 UTC (permalink / raw)
To: mtk.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue: I<usage()> → I<usage>()
"The program below is designed to allow experimenting with user namespaces, "
"as well as other types of namespaces. It creates namespaces as specified by "
"command-line options and then executes a command inside those namespaces. "
"The comments and I<usage()> function inside the program provide a full "
"explanation of the program. The following shell session demonstrates its "
"use."
* Issue in man page user_namespaces.7
@ 2022-03-13 12:34 Helge Kreutzmann
0 siblings, 0 replies; 20+ messages in thread
From: Helge Kreutzmann @ 2022-03-13 12:34 UTC (permalink / raw)
To: mtk.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue: Text missing? in order to drop → in order to drop privileges?
"/* Linux 3.19 made a change in the handling of setgroups(2) and the\n"
" \\(aqgid_map\\(aq file to address a security issue. The issue allowed\n"
" *unprivileged* users to employ user namespaces in order to drop\n"
" The upshot of the 3.19 changes is that in order to update the\n"
" \\(aqgid_maps\\(aq file, use of the setgroups() system call in this\n"
" user namespace must first be disabled by writing \"deny\" to one of\n"
" the /proc/PID/setgroups files for this namespace. That is the\n"
" purpose of the following function. */\n"
* Issue in man page user_namespaces.7
@ 2022-03-13 12:34 Helge Kreutzmann
0 siblings, 0 replies; 20+ messages in thread
From: Helge Kreutzmann @ 2022-03-13 12:34 UTC (permalink / raw)
To: mtk.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue: /proc/[pid]/setgroups → I</proc/[PID]/setgroups>
"The /proc/[pid]/setgroups file"
* Issue in man page user_namespaces.7
@ 2022-03-13 12:34 Helge Kreutzmann
0 siblings, 0 replies; 20+ messages in thread
From: Helge Kreutzmann @ 2022-03-13 12:34 UTC (permalink / raw)
To: mtk.manpages; +Cc: mario.blaettermann, linux-man
Without further ado, the following was found:
Issue 1: The same is also of other → The same is true also for other
Issue 2: Missing full stop at the end
"In order to determine permissions when an unprivileged process accesses a "
"file, the process credentials (UID, GID) and the file credentials are in "
"effect mapped back to what they would be in the initial user namespace and "
"then compared to determine the permissions that the process has on the "
"file. The same is also of other objects that employ the credentials plus "
"permissions mask accessibility model, such as System V IPC objects"