namespaces.7: Clarify a detail in permissions for writing to user namespace map files

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
author: Michael Kerrisk <mtk.manpages@gmail.com> 2013-02-19 04:22:16 +0100
committer: Michael Kerrisk <mtk.manpages@gmail.com> 2014-09-13 20:15:58 -0700
commit: 8e5924c0a926ab66a95bd028e5a4723c49aa8e19 (patch)
tree: b85eee05db92752bd77f53c9debd4a312c0bf74d /man7/namespaces.7
parent: cfc50babe7501eedd858f245f724e057b9a9ce06 (diff)
download: man-pages-8e5924c0a926ab66a95bd028e5a4723c49aa8e19.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/man7/namespaces.7 b/man7/namespaces.7
index 31d7b1fd1d..fbf41f4926 100644
--- a/man7/namespaces.7
+++ b/man7/namespaces.7
@@ -660,6 +660,8 @@ The process must have the
 .BR CAP_SETUID
 .RB ( CAP_SETGID )
 capability in the parent user namespace.
+This prevents an unprivileged process from mapping to arbitrary UIDs (GIDs)
+in the parent user namespace.
 There is an exception to this requirement:
 a process writing to
 .I uid_map
author	Michael Kerrisk <mtk.manpages@gmail.com>	2013-02-19 04:22:16 +0100
committer	Michael Kerrisk <mtk.manpages@gmail.com>	2014-09-13 20:15:58 -0700
commit	8e5924c0a926ab66a95bd028e5a4723c49aa8e19 (patch)
tree	b85eee05db92752bd77f53c9debd4a312c0bf74d /man7/namespaces.7
parent	cfc50babe7501eedd858f245f724e057b9a9ce06 (diff)
download	man-pages-8e5924c0a926ab66a95bd028e5a4723c49aa8e19.tar.gz