Commit 0e390189 authored by Christian Kujau's avatar Christian Kujau Committed by Jonathan Corbet

docs: SafeSetID.rst: Remove spurious '???' characters

It appears that some smart quotes were changed to "???" by even smarter
software; change them to the dumb but legible variety.
Signed-off-by: default avatarChristian Kujau <lists@nerdbynature.de>
Signed-off-by: default avatarJonathan Corbet <corbet@lwn.net>
parent 0a6f33db
...@@ -56,7 +56,7 @@ setid capabilities from the application completely and refactor the process ...@@ -56,7 +56,7 @@ setid capabilities from the application completely and refactor the process
spawning semantics in the application (e.g. by using a privileged helper program spawning semantics in the application (e.g. by using a privileged helper program
to do process spawning and UID/GID transitions). Unfortunately, there are a to do process spawning and UID/GID transitions). Unfortunately, there are a
number of semantics around process spawning that would be affected by this, such number of semantics around process spawning that would be affected by this, such
as fork() calls where the program doesn???t immediately call exec() after the as fork() calls where the program doesn't immediately call exec() after the
fork(), parent processes specifying custom environment variables or command line fork(), parent processes specifying custom environment variables or command line
args for spawned child processes, or inheritance of file handles across a args for spawned child processes, or inheritance of file handles across a
fork()/exec(). Because of this, as solution that uses a privileged helper in fork()/exec(). Because of this, as solution that uses a privileged helper in
...@@ -72,7 +72,7 @@ own user namespace, and only approved UIDs/GIDs could be mapped back to the ...@@ -72,7 +72,7 @@ own user namespace, and only approved UIDs/GIDs could be mapped back to the
initial system user namespace, affectively preventing privilege escalation. initial system user namespace, affectively preventing privilege escalation.
Unfortunately, it is not generally feasible to use user namespaces in isolation, Unfortunately, it is not generally feasible to use user namespaces in isolation,
without pairing them with other namespace types, which is not always an option. without pairing them with other namespace types, which is not always an option.
Linux checks for capabilities based off of the user namespace that ???owns??? some Linux checks for capabilities based off of the user namespace that "owns" some
entity. For example, Linux has the notion that network namespaces are owned by entity. For example, Linux has the notion that network namespaces are owned by
the user namespace in which they were created. A consequence of this is that the user namespace in which they were created. A consequence of this is that
capability checks for access to a given network namespace are done by checking capability checks for access to a given network namespace are done by checking
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment