| field | value | date |
|---|---|---|
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2013-03-08 16:54:50 +0100 |
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2014-09-13 20:16:01 -0700 |
| commit | d68c5f1184c99a678dad6d2f9be7116eb2e0e95d (patch) | |
| tree | 5d5ab3e8e807fc4e12bd8c6fa9a164e65ef0ac0f | |
| parent | 0666f549dacdf330fe67a4a642b472781e739d98 (diff) | |
| download | man-pages-d68c5f1184c99a678dad6d2f9be7116eb2e0e95d.tar.gz | |
user_namespaces.7: Clarify some capabilities details
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | man7/user_namespaces.7 | 13 |

1 files changed, 9 insertions, 4 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index d0414c0dda..2dee47ee24 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -108,7 +108,13 @@ or joins an existing user namespace using gains a full set of capabilities in that namespace, and its securebits flags are cleared. On the other hand, -that process has no capabilities outside that user namespace, +that process has no capabilities in the parent (in the case of +.BR clone (2)) +or previous (in the case of +.BR unshare (2) +and +.BR setns (2)) +user namespace, even if the new namespace is created or joined by the root user (i.e., a process with user ID 0 in the root namespace). (Nevertheless, a process owned by the root user @@ -133,9 +139,8 @@ or caller (for .BR unshare (2), or .BR setns (2)). -Note that -because the caller no longer has capabilities in its original user namespace -after a call to +Note that because the caller no longer has capabilities +in its original user namespace after a call to .BR setns (2), it is not possible for a process to reset its "securebits" flags while retaining its user namespace membership by using a pair of |
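Review bot: in the first hunk (@@ -108,7 +108,13 @@), replacing "that process has no capabilities outside that user namespace" with "has no capabilities in the parent (...) or previous (...) user namespace" narrows the statement: a process that creates or joins a user namespace has no capabilities in any ancestor of that namespace, not only in the immediate parent or in the namespace it came from, and the old wording covered that while the new one leaves it implicit. Suggest keeping the clone(2)/unshare(2)/setns(2) parenthetical but closing it so the ancestors are covered, e.g. `+user namespace (or any of its ancestors),`. Note also that for unshare(2) the "previous" namespace is the parent of the newly created one, so the parent/previous distinction only matters for setns(2); saying so would avoid implying the two cases differ.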
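Review bot: the second hunk (@@ -133,9 +139,8 @@) only rewraps "Note that because the caller no longer has capabilities in its original user namespace after a call to" across two source lines instead of three, with no change in wording, but it leaves a terminology mismatch with the first hunk: that hunk now calls the namespace a process leaves via setns(2) its "previous" user namespace, while this sentence still says "original user namespace" for the same setns(2) case. Suggest settling on one term while the line is being touched, e.g. `+in its previous user namespace after a call to`, or else dropping the purely cosmetic rewrap from a commit whose subject is a capabilities clarification.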
