From: Karel Zak Date: Mon, 27 Feb 2017 11:09:35 +0000 (+0100) Subject: unshare: add note about sysfs and procfs X-Git-Tag: v2.30-rc1~209 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86b6d7f4346c6b85c60aaae993ce5b27dfff6bea;p=thirdparty%2Futil-linux.git unshare: add note about sysfs and procfs Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1390057 Signed-off-by: Karel Zak --- diff --git a/sys-utils/unshare.1 b/sys-utils/unshare.1 index 7c7d144d17..dd12c74461 100644 --- a/sys-utils/unshare.1 +++ b/sys-utils/unshare.1 @@ -183,6 +183,11 @@ Display version information and exit. .TP .BR \-h , " \-\-help" Display help text and exit. +.SH NOTES +The proc and sysfs filesystems mounting as root in a user namespace have to be +restricted so that a less privileged user can not get more access to sensitive +files that a more privileged user made unavailable. In short the rule for proc +and sysfs is as close to a bind mount as possible. .SH EXAMPLES .TP .B # unshare --fork --pid --mount-proc readlink /proc/self
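Review bot: the new .SH NOTES text in this hunk is hard to parse and should be reworded before it lands in the man page. The first sentence, "The proc and sysfs filesystems mounting as root in a user namespace have to be restricted so that a less privileged user can not get more access ...", reads better as "Mounting proc and sysfs as root inside a user namespace is restricted so that a less privileged user cannot gain access to sensitive files that a more privileged user has made unavailable." ("cannot" as one word). The closing sentence, "the rule for proc and sysfs is as close to a bind mount as possible", states the kernel rule but not its consequence for this tool; since the very next section's first example uses --mount-proc, it would help to add one sentence saying that this restriction is why such a mount can fail in a user namespace, with a pointer to the referenced bug for details.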