From: Michael Kerrisk Date: Mon, 1 Jul 2019 09:11:19 +0000 (+0200) Subject: user_namespaces.7: Describe how kernel treats UIDs/GIDs when a process access to... X-Git-Tag: man-pages-5.02~60 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ea8ec5785c245f1e344ebb8e27f2e5c87abfad1c;p=thirdparty%2Fman-pages.git user_namespaces.7: Describe how kernel treats UIDs/GIDs when a process access to files Signed-off-by: Michael Kerrisk --- diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index 8492f9f2c9..f8dbc8217e 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -867,6 +867,17 @@ that field is displayed as 4294967295 (\-1 as an unsigned integer). .\" .\" ============================================================ .\" +.SS Accessing files +.PP +In order to determine permissions when an unprivileged process accesses a file +(or other resource such as a System V IPC object), +the process credentials (UID, GID) and the file credentials +are in effect mapped back to what they would be in +the initial user namespace and then compared to determine +the permissions that the process has on the file. +.\" +.\" ============================================================ +.\" .SS Set-user-ID and set-group-ID programs .PP When a process inside a user namespace executes
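Review bot: the new "Accessing files" paragraph states the comparison is done after mapping both the process credentials and the file credentials back to the initial user namespace, but it does not say what happens when the file's owner UID/GID has no mapping in the process's user namespace, which is exactly the case the preceding context line (the field "is displayed as 4294967295 (\-1 as an unsigned integer)") is about; a follow-up sentence covering the unmapped case would close that gap. Also, the opening "when an unprivileged process accesses a file" reads as if the mapping applied only to unprivileged processes, whereas the described credential mapping does not depend on privilege; consider dropping "unprivileged" or stating explicitly what differs for a process that holds capabilities in the relevant user namespace. Finally, the commit subject has a grammar slip ("when a process access to files" should read "when a process accesses files").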