authorMichael Kerrisk <mtk.manpages@gmail.com>2013-02-25 20:42:45 +0100
committerMichael Kerrisk <mtk.manpages@gmail.com>2014-09-13 20:15:59 -0700
commit5eb7f09d7c93f4b4d536fc12e33dfd9f5f0fe801 (patch)
treebda3f0052318d42a46a234ea090500b02db6f15f /man7/namespaces.7
parent7f76dc30793b0cbc0e6188d4ec49f93b2f6fdb2d (diff)
downloadman-pages-5eb7f09d7c93f4b4d536fc12e33dfd9f5f0fe801.tar.gz
namespaces.7: Move text on capabilities in user namespaces
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/namespaces.7')
-rw-r--r--man7/namespaces.740
1 files changed, 20 insertions, 20 deletions
diff --git a/man7/namespaces.7 b/man7/namespaces.7
index c79d3de08d..9873cc7627 100644
--- a/man7/namespaces.7
+++ b/man7/namespaces.7
@@ -555,6 +555,26 @@ namespaces created by the call.
Thus, it is possible for an unprivileged caller to specify this combination
of flags.
+The following rules apply with respect to the capabilities granted
+to a process:
+.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
+.IP 1. 3
+If a process has a capability in a parent user namespace,
+then it has that capability in all child (and further removed descendant)
+namespaces as well.
+.IP 2.
+.\" * The owner of the user namespace in the parent of the
+.\" * user namespace has all caps.
+When a user namespace is created, the kernel records the effective
+user ID of the creating process as being the "owner" of the namespace.
+A process whose effective user ID matches that of the
+owner of a user namespace and which is a member of the parent namespace
+(or a further removed namespace that is a direct ancestor)
+has all capabilities in the user namespace.
+.\" As a rough approximation, this means that
+.\" the user who creates a user namespace
+.\" has all capabilities inside that namespace and its descendants.
+.PP
Use of user namespaces requires a kernel that is configured with the
.B CONFIG_USER_NS
option.
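Review bot: the moved block loses its paragraph break at the new location. In the old position the rules were preceded by a blank line (the removed empty line in the second hunk), but here `+The following rules apply with respect to the capabilities granted` follows `of flags.` directly with no `.PP` between them, so groff will run "The following rules apply..." on as a continuation of the preceding "Thus, it is possible for an unprivileged caller..." paragraph. Suggest inserting a `.PP` line before `+The following rules apply`, matching the `.PP` that already closes the list before "Use of user namespaces requires a kernel...".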
@@ -737,26 +757,6 @@ in the parent user namespace.
.PP
Writes that violate the above rules fail with the error
.BR EPERM .
-
-The following rules apply with respect to the capabilities granted
-to a process:
-.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
-.IP 1. 3
-If a process has a capability in a parent user namespace,
-then it has that capability in all child (and further removed descendant)
-namespaces as well.
-.IP 2.
-.\" * The owner of the user namespace in the parent of the
-.\" * user namespace has all caps.
-When a user namespace is created, the kernel records the effective
-user ID of the creating process as being the "owner" of the namespace.
-A process whose effective user ID matches that of the
-owner of a user namespace and which is a member of the parent namespace
-(or a further removed namespace that is a direct ancestor)
-has all capabilities in the user namespace.
-.\" As a rough approximation, this means that
-.\" the user who creates a user namespace
-.\" has all capabilities inside that namespace and its descendants.
.PP
When a process inside a user namespace executes
a set-user-ID (set-group-ID) program,
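Review bot: after this removal the uid_map/gid_map write rules ("in the parent user namespace" ... "Writes that violate the above rules fail with the error EPERM") no longer sit next to the capability rules that explain why a process in the parent namespace holds the needed capability; those rules now live roughly 200 lines earlier. A short pointer here, such as "(see the rules on capabilities in user namespaces above)", would keep the dependency visible to a reader who lands on this section directly. The removed lines themselves match the added block in the first hunk exactly, and the remaining `.BR EPERM .` followed by `.PP` renders correctly.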