unshare: Fix --map-root-user to work on new kernels

[thirdparty/util-linux.git] / sys-utils / unshare.1

.\" Process this file with
.\" groff -man -Tascii lscpu.1
.\"
.TH UNSHARE 1 "July 2014" "util-linux" "User Commands"
.SH NAME
unshare \- run program with some namespaces unshared from parent
.SH SYNOPSIS
.B unshare
[options]
.I program
.RI [ arguments ]
.SH DESCRIPTION
Unshares the indicated namespaces from the parent process and then executes
the specified \fIprogram\fR.  The namespaces to be unshared are indicated via
options.  Unshareable namespaces are:
.TP
.BR "mount namespace"
Mounting and unmounting filesystems will not affect the rest of the system
(\fBCLONE_NEWNS\fP flag), except for filesystems which are explicitly marked as
shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP for the
\fBshared\fP flags).
.sp
It's recommended to use \fBmount --make-rprivate\fP or \fBmount --make-rslave\fP
after \fBunshare --mount\fP to make sure that mountpoints in the new namespace
are really unshared from the parental namespace.
.TP
.BR "UTS namespace"
Setting hostname or domainname will not affect the rest of the system.
(\fBCLONE_NEWUTS\fP flag)
.TP
.BR "IPC namespace"
The process will have an independent namespace for System V message queues,
semaphore sets and shared memory segments.  (\fBCLONE_NEWIPC\fP flag)
.TP
.BR "network namespace"
The process will have independent IPv4 and IPv6 stacks, IP routing tables,
firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
sockets, etc.  (\fBCLONE_NEWNET\fP flag)
.TP
.BR "pid namespace"
Children will have a distinct set of PID to process mappings from their parent.
(\fBCLONE_NEWPID\fP flag)
.TP
.BR "user namespace"
The process will have a distinct set of UIDs, GIDs and capabilities.
(\fBCLONE_NEWUSER\fP flag)
.PP
See \fBclone\fR(2) for the exact semantics of the flags.
.SH OPTIONS
.TP
.BR \-i , " \-\-ipc"
Unshare the IPC namespace.
.TP
.BR \-m , " \-\-mount"
Unshare the mount namespace.
.TP
.BR \-n , " \-\-net"
Unshare the network namespace.
.TP
.BR \-p , " \-\-pid"
Unshare the pid namespace.
See also the \fB--fork\fP and \fB--mount-proc\fP options.
.TP
.BR \-u , " \-\-uts"
Unshare the UTS namespace.
.TP
.BR \-U , " \-\-user"
Unshare the user namespace.
.TP
.BR \-f , " \-\-fork"
Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than
running it directly.  This is useful when creating a new pid namespace.
.TP
.BR \-\-mount-proc "[=\fImountpoint\fP]"
Just before running the program, mount the proc filesystem at \fImountpoint\fP
(default is /proc).  This is useful when creating a new pid namespace.  It also
implies creating a new mount namespace since the /proc mount would otherwise
mess up existing programs on the system.  The new proc filesystem is explicitly
mounted as private (by MS_PRIVATE|MS_REC).
.TP
.BR \-r , " \-\-map-root-user"
Run the program only after the current effective user and group IDs have been mapped to
the superuser UID and GID in the newly created user namespace.  This makes it possible to
conveniently gain capabilities needed to manage various aspects of the newly created
namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
the mount namespace) even when run unprivileged.  As a mere convenience feature, it does not support
more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
.TP
.BR \-V , " \-\-version"
Display version information and exit.
.TP
.BR \-h , " \-\-help"
Display help text and exit.
.SH SEE ALSO
.BR unshare (2),
.BR clone (2),
.BR mount (8)
.SH BUGS
None known so far.
.SH AUTHOR
Mikhail Gusarov <dottedmag@dottedmag.net>
.SH AVAILABILITY
The unshare command is part of the util-linux package and is available from
ftp://ftp.kernel.org/pub/linux/utils/util-linux/.