cmdline: better warning about uid/gid 0
authorRobert Swiecki <robert@swiecki.net>
Thu, 13 Jul 2017 00:33:11 +0000 (02:33 +0200)
committerRobert Swiecki <robert@swiecki.net>
Thu, 13 Jul 2017 00:33:11 +0000 (02:33 +0200)
cmdline.c
configs/bash-with-fake-geteuid.cfg

index a11443be43298ad3fa2c6b980c4c8933a7c653fa..a3ac2166bca6548ab97696ad19da2aca5b030c8f 100644 (file)
--- a/cmdline.c
+++ b/cmdline.c
@@ -239,7 +239,8 @@ void cmdlineLogParams(struct nsjconf_t *nsjconf)
                              (unsigned long)p->inside_id, (unsigned long)p->outside_id, p->count,
                              p->is_newidmap ? "true" : "false");
                        if (p->outside_id == 0) {
-                               LOG_W("Process will be UID/EUID=0 in the global user namespace");
+                               LOG_W
+                                   ("Process will be UID/EUID=0 in the global user namespace, and will have user root-level access to files");
                        }
                }
                TAILQ_FOREACH(p, &nsjconf->gids, pointers) {
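Review bot: The new warning text in the `p->outside_id == 0` branch is hard to parse: "user root-level access" can be read as "user-level access", which is the opposite of what an operator needs to take from a security warning. The call is also split between `LOG_W` and its argument list, so a search for `LOG_W("Process will be` no longer finds it. I would keep the macro name and the parenthesis together and break the literal instead: `LOG_W("Process will be UID/EUID=0 in the global user namespace, "` followed by `"and will have access to files as user root");`. The same applies to the GID warning in the hunk at `@@ -247,7 +248,8`, with "as group root". The body of cmdlineLogParams starts and ends outside both hunks.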
@@ -247,7 +248,8 @@ void cmdlineLogParams(struct nsjconf_t *nsjconf)
                              (unsigned long)p->inside_id, (unsigned long)p->outside_id, p->count,
                              p->is_newidmap ? "true" : "false");
                        if (p->outside_id == 0) {
-                               LOG_W("Process will be GID/EGID=0 in the global user namespace");
+                               LOG_W
+                                   ("Process will be GID/EGID=0 in the global user namespace, and will have group root-level access to files");
                        }
                }
        }
index 74af79504079aa076155ab3e8afc7da7bd660a7c..1da28e97f1041f763cf503e1e71f1cad4e1096b5 100644 (file)
@@ -171,7 +171,6 @@ mount {
 
 seccomp_string: "
        POLICY example {
-               ERRNO(1337) { geteuid },
                KILL { syslog },
                ERRNO(0) { ptrace }
        }
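Review bot: The removal of `ERRNO(1337) { geteuid }` from this policy is not covered by the commit title, which only mentions the cmdline warning, and the file is still named bash-with-fake-geteuid.cfg. If that rule is what the name refers to (inferred from the name only), the example no longer does what it advertises. Either keep the rule, or say in the commit message why it goes and add a comment above `seccomp_string` such as `# geteuid is intentionally not filtered here: <reason>`. The seccomp_string continues past the end of the hunk, so the policy's default action is not visible here.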