lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 13 Sep 2014 19:42:24 -0700
From:	"Michael Kerrisk (man-pages)" <mtk.manpages@...il.com>
To:	Andy Lutomirski <luto@...capital.net>
CC:	mtk.manpages@...il.com,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	lkml <linux-kernel@...r.kernel.org>,
	"linux-man@...r.kernel.org" <linux-man@...r.kernel.org>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	richard -rw- weinberger <richard.weinberger@...il.com>,
	"Serge E. Hallyn" <serge@...lyn.com>
Subject: Re: For review: user_namespace(7) man page

On 09/11/2014 08:14 AM, Andy Lutomirski wrote:
> On Thu, Sep 11, 2014 at 7:46 AM, Michael Kerrisk (man-pages)
> <mtk.manpages@...il.com> wrote:
>> Hi Eric,
>>
>> On 09/09/2014 09:05 AM, Eric W. Biederman wrote:
>>> "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com> writes:
>>>
>>>> Hi Andy, and Eric,
>>>>>>        1. The  writing  process  must  have  the CAP_SETUID (CAP_SETGID)
>>>>>>           capability in the user namespace of the process pid.
>>>>>
>>>>> This checked for the opening process (and I don't actually remember
>>>>> whether it's checked for the writing process).
>>>>
>>>> Eric, can you comment?
>>>
>>> We have to check for the opening processes and that changes was made
>>> after I implemented my interface. Pieces of the code appear to also
>>> examine the writing process and verify everything applies to it as well.
>>>
>>> I goofed when I designed the interface originall and had not realized
>>> what a classic design error it can be to not restrict by the opening
>>> process.
>>
>> So, I still need some help here. Should the sentence above just read:
>>
>>         1. The  *opening*  process  must  have  the CAP_SETUID (CAP_SETGID)
>>            capability in the user namespace of the process pid.
> 
> I think this is sufficient.
> 
>>
>> or must something also be said about the writing process? (If so, i'd
>> appreciate a completely formed sentence or two that I can just drop into
>> the man page..)
> 
> There might be a restriction there, too, but I think it could be
> removed, and I also think that it's unlikely that anyone will
> encounter it.

Okay. Thanks, Andy.

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ