author    Michael Kerrisk <mtk.manpages@gmail.com>  2013-03-21 16:47:47 +0100
committer Michael Kerrisk <mtk.manpages@gmail.com>  2014-09-13 20:16:01 -0700
commit    77f95488309abea211e00f5db4dad5ad7882f1a7 (patch)
tree      6cffc70f08e8cf018c69a542c218d81061768467
parent    550d1c537c398aa83c23991150da70c40ef59b3e (diff)
download  man-pages-77f95488309abea211e00f5db4dad5ad7882f1a7.tar.gz
user_namespaces.7: execve(2) will drop capabilities unless the caller's UID maps to 0
Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
-rw-r--r--  man7/user_namespaces.7  | 11
1 files changed, 11 insertions, 0 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index ba75397336..37dd8e8400 100644
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -134,6 +134,17 @@ files that are owned by user ID 0,
and will be able to do things such as sending signals
to processes belonging to user ID 0.
+Note that a call to
+.BR execve (2)
+will cause a process to lose any capabilities that it has,
+unless it has a user ID of 0 within the namespace.
+Thus, before calling
+.BR execve (2),
+a user ID mapping for ID 0 must be defined,
+and the caller may also need to use
+.BR setuid (2)
+or similar to set its user ID to 0.
+
A call to
.BR clone (2),
.BR unshare (2),
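Review bot: the added block starting at `+Note that a call to` follows the context line `to processes belonging to user ID 0.` with no paragraph break, so in the rendered page it runs on as a continuation of the previous paragraph rather than as the separate note the wording suggests; the block ends with a trailing `+` blank line but has no leading one, so add a `.PP` (or blank line) before `Note that a call to` to match. Two smaller wording points: `unless it has a user ID of 0 within the namespace` should say which user ID is meant (the effective user ID, consistent with the commit title's "the caller's UID maps to 0"), and a `.BR capabilities (7)` cross-reference after `will cause a process to lose any capabilities that it has,` would point readers to the page that documents the full execve(2) capability rules rather than leaving this paragraph as the only statement of them.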