From 43f4bec1907151d328cdf925f61a41b6dc2a1b05 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Mon, 1 Jul 2019 12:18:44 +0200 Subject: [PATCH] user_namespaces.7: Describe the effect of file-related capabilities inside user namespaces Signed-off-by: Michael Kerrisk --- man7/user_namespaces.7 | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index f8dbc8217e..1d4d68460c 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 
@@ -878,6 +878,42 @@ the permissions that the process has on the file. .\" .\" ============================================================ .\" +.SS Operation of file-related capabilities +.PP +Certain capabilities allow a process to bypass various +kernel-enforced restrictions when performing operations on +files owned by other users or groups. +These capabilities are: +.BR CAP_CHOWN , +.BR CAP_DAC_OVERRIDE , +.BR CAP_DAC_READ_SEARCH , +.BR CAP_FOWNER , +and +.BR CAP_FSETID . +.PP +Within a user namespace, +these capabilities allow a process to bypass the rules +if the process has the relevant capability over the file, +meaning that: +.IP * 3 +the process has the relevant effective capability in its user namespace; and +.IP * +the file's user ID and group ID both have valid mappings +in the user namespace. +.PP +The +.BR CAP_FOWNER +capability is treated somewhat exceptionally: +most of the checks that it governs can be bypassed so long as +just the file's user ID has a mapping in the user namespace +.\" These are the checks performed by the kernel function +.\" inode_owner_or_capable(). There is one exception to the exception: +.\" overriding the directory sticky permission bit requires that +.\" the file has a valid mapping for both its UID and GID. +(i.e., the file's group ID does not need to have a valid mapping). +.\" +.\" ============================================================ +.\" .SS Set-user-ID and set-group-ID programs .PP When a process inside a user namespace executes -- 2.39.2
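Review bot: the sticky-bit exception in the new CAP_FOWNER paragraph exists only in a `.\"` source comment ("overriding the directory sticky permission bit requires that the file has a valid mapping for both its UID and GID"), so readers of the rendered page never learn the one case where CAP_FOWNER is checked like the other four capabilities; consider promoting it to rendered text as a second sentence after "(i.e., the file's group ID does not need to have a valid mapping)." The same comment block is also spliced into the middle of that sentence, between "just the file's user ID has a mapping in the user namespace" and the closing parenthetical, which renders correctly but makes the roff source hard to follow; moving the comment after the sentence keeps both readable. Finally, "bypass the rules" in the second paragraph leaves "the rules" undefined, whereas the first paragraph already names them as "kernel-enforced restrictions"; reusing that phrase (e.g., "bypass these restrictions") avoids introducing a second term for the same thing.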