| field | value | date |
|---|---|---|
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2013-02-25 15:39:00 +0100 |
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2014-09-13 20:15:59 -0700 |
| commit | 9a80f81d04d512066e61dba4d20e57263d4ae2f5 (patch) | |
| tree | 28bed99224ea7a9a8b022e4d0309a704318beebe /man7/namespaces.7 | |
| parent | 6be09bd8825e63a9d84e606726222fbc284f2527 (diff) | |
| download | man-pages-9a80f81d04d512066e61dba4d20e57263d4ae2f5.tar.gz | |
namespaces.7: Clarify explanation of nested user namespaces
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/namespaces.7')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | man7/namespaces.7 | 23 |

1 files changed, 13 insertions, 10 deletions
diff --git a/man7/namespaces.7 b/man7/namespaces.7 index 424657a051..de4fded0f0 100644 --- a/man7/namespaces.7 +++ b/man7/namespaces.7 @@ -501,6 +501,18 @@ in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace. +User namespaces can be nested; +that is, each user namespace has a parent user namespace, +and can have zero or more child user namespaces. +The parent of a user namespace is the user namespace +of the process that creates the user namespace via a call to +.BR unshare (2) +or +.BR clone (2) +with the +.BR CLONE_NEWUSER +flag. + When a user namespace is created, it starts out without a mapping of user IDs (group IDs) to the parent user namespace. @@ -617,15 +629,6 @@ If the two processes are in the same user namespace: field two is the start of the range of user IDs in the parent user namespace of the process .IR pid . -(The "parent user namespace" -is the user namespace of the process that created a user namespace -via a call to -.BR unshare (2) -or -.BR clone (2) -with the -.BR CLONE_NEWUSER -flag.) This case enables the opener of .I uid_map (the common case here is opening @@ -732,7 +735,7 @@ in the parent user namespace. .PP Writes that violate the above rules fail with the error .BR EPERM . - +.PP When a process inside a user namespace executes a set-user-ID (set-group-ID) program, the process's effective user (group) ID inside the namespace is changed |
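Review bot: in the first hunk (the new paragraph after "unprivileged for operations outside the namespace"), "each user namespace has a parent user namespace" is stated without exception, but the initial (root) user namespace has no parent, and the definition that follows ("the user namespace of the process that creates the user namespace via a call to unshare(2) or clone(2) with the CLONE_NEWUSER flag") cannot apply to it because it was not created by any such call. Suggest qualifying the sentence, e.g. "each user namespace, except the initial ("root") namespace, has a parent user namespace, and can have zero or more child user namespaces", so that the nesting model is stated correctly at the point where it is introduced.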
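Review bot: the second hunk (at the uid_map description, "field two is the start of the range of user IDs in the parent user namespace of the process pid") drops the parenthetical definition of "parent user namespace" entirely, so a reader who jumps straight to the uid_map section now meets the term with no pointer to where it is defined, roughly 130 lines earlier. The removal itself is safe, since the deleted text is reproduced almost verbatim in the first hunk (only "created a user namespace" became "creates the user namespace"), but consider leaving a one-line cross reference in its place, e.g. "(see the discussion of nested user namespaces above)".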
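Review bot: the third hunk's replacement of a bare blank line with ".PP" before "When a process inside a user namespace executes a set-user-ID (set-group-ID) program" is consistent with the ".PP" already used in the visible context ahead of "Writes that violate the above rules fail with the error EPERM"; no further change needed here.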
