LKML Archive on
help / color / mirror / Atom feed
* Documenting the requirement of CAP_SETFCAP to map UID 0
@ 2021-08-08  9:09 Michael Kerrisk (man-pages)
  2021-08-10 23:58 ` Serge E. Hallyn
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Kerrisk (man-pages) @ 2021-08-08  9:09 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: mtk.manpages, linux-security-module, lkml, Alejandro Colomar,
	Kir Kolyshkin, linux-man

Hello Serge,

Your commit:

commit db2e718a47984b9d71ed890eb2ea36ecf150de18
Author: Serge E. Hallyn <>
Date:   Tue Apr 20 08:43:34 2021 -0500

    capabilities: require CAP_SETFCAP to map uid 0

added a new requirement when updating a UID map a user namespace
with a value of '0 0 *'.

Kir sent a patch to briefly document this change, but I think much more
should be written. I've attempted to do so. Could you tell me whether the
following text (to be added in user_namespaces(7)) is accurate please:

      In  order  for  a  process  to  write  to  the /proc/[pid]/uid_map
       (/proc/[pid]/gid_map) file, all of the following requirements must
       be met:


       4. If  updating  /proc/[pid]/uid_map to create a mapping that maps
          UID 0 in the parent namespace, then one of the  following  must
          be true:

          *  if  writing process is in the parent user namespace, then it
             must have the CAP_SETFCAP capability in that user namespace;

          *  if  the writing process is in the child user namespace, then
             the process that created the user namespace  must  have  had
             the CAP_SETFCAP capability when the namespace was created.

          This rule has been in place since Linux 5.12.  It eliminates an
          earlier security bug whereby a UID 0  process  that  lacks  the
          CAP_SETFCAP capability, which is needed to create a binary with
          namespaced file capabilities (as described in capabilities(7)),
          could  nevertheless  create  such  a  binary,  by the following

          *  Create a new user namespace with the identity mapping (i.e.,
             UID  0 in the new user namespace maps to UID 0 in the parent
             namespace), so that UID 0 in both namespaces  is  equivalent
             to the same root user ID.

          *  Since  the  child process has the CAP_SETFCAP capability, it
             could create a binary with namespaced file capabilities that
             would  then  be  effective in the parent user namespace (be‐
             cause the root user IDs are the same in the two namespaces).




Michael Kerrisk
Linux man-pages maintainer;
Linux/UNIX System Programming Training:

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-08-11 10:10 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-08  9:09 Documenting the requirement of CAP_SETFCAP to map UID 0 Michael Kerrisk (man-pages)
2021-08-10 23:58 ` Serge E. Hallyn
2021-08-11 10:10   ` Michael Kerrisk (man-pages)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).