Namespaces in operation, part 5: User namespaces
Posted Mar 5, 2015 8:32 UTC (Thu) by mkerrisk (subscriber, #1978)
Parent article: Namespaces in operation, part 5: User namespaces
Note that because of the Linux 3.19 changes that fixed a user namespace security loophole related to the setgroups() system call, the userns_child_exec.c program needs modifications in order to be able to use GID maps on Linux 3.19 and later (and also on earlier stable kernel series that backported the changes). A revised (and backward-compatible) version of this program with the necessary changes can be found in the revised user_namespaces(7) man page that will appear in a few days' time. (Look for the definition and use of the proc_setgroup_write() function in the example program.)
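
The ordering the comment refers to, as an added example (not the userns_child_exec.c program and not the man page's code): an unprivileged process must write "deny" to /proc/PID/setgroups before it writes its gid_map, and a kernel without that file is treated as pre-3.19. The names write_proc, format_id_map and map_self_to_root are hypothetical helpers chosen for this sketch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write one string to a /proc file; returns 0 or -errno. */
static int write_proc(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int rc = write(fd, s, strlen(s)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* Map ID 0 inside the namespace to one outside ID: "0 <outside> 1". */
int format_id_map(char *buf, size_t len, unsigned long outside)
{
    return snprintf(buf, len, "0 %lu 1", outside);
}

/* 0 = mapped to root, 1 = map write failed, 2 = no userns, -1 = fork/wait error */
int map_self_to_root(void)
{
    unsigned long uid = geteuid(), gid = getegid(); /* IDs seen before unshare */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* child: keep the caller's namespaces intact */
        char map[64];
        if (unshare(CLONE_NEWUSER) != 0) _exit(2);
        /* Linux 3.19+: setgroups() must be denied before an unprivileged
         * gid_map write. ENOENT means the file predates this kernel: skip. */
        int rc = write_proc("/proc/self/setgroups", "deny");
        if (rc != 0 && rc != -ENOENT) _exit(1);
        format_id_map(map, sizeof map, uid);
        if (write_proc("/proc/self/uid_map", map) != 0)
            _exit(1);
        format_id_map(map, sizeof map, gid);
        if (write_proc("/proc/self/gid_map", map) != 0)
            _exit(1);
        _exit(getuid() == 0 && getgid() == 0 ? 0 : 1);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}
int main(void) { return map_self_to_root(); }
```

Once "deny" has been written, setgroups() stays disabled in that user namespace and the setting cannot be switched back to "allow".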