author Serge E. Hallyn <serge@hallyn.com> 2014-09-01 18:57:31 +0200
committer Michael Kerrisk <mtk.manpages@gmail.com> 2014-09-13 20:16:03 -0700
commit 1191a90d12c9d5bd8a8d80e8ca13101417d5d5ab (patch)
tree 27c421b775966b4fda14ae2ae12dd61ea229621f /man7/user_namespaces.7
parent 11d8ef176b9e10fa31e2014fe1211492eb0bda22 (diff)
user_namespaces.7: Improve discussion of handling of capabilities during execve(2)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/user_namespaces.7')
-rw-r--r-- man7/user_namespaces.7 6
1 files changed, 4 insertions, 2 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index c053711532..99102a6c8e 100644
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -130,8 +130,10 @@ even if the new namespace is created or joined by the root user
Note that a call to
.BR execve (2)
-will cause a process to lose any capabilities that it has,
-unless it has a user ID of 0 within the namespace.
+will cause a process's capabilities to be recalculated (see
+.BR capabilities (7)),
+so that usually, unless it has a user ID of 0 within the namespace,
+it will lose all capabilities.
See the discussion of user and group ID mappings, below.
A call to
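Review bot: In the added line "so that usually, unless it has a user ID of 0 within the namespace," the pronoun "it" no longer has a clear antecedent, because the sentence's subject is now "a process's capabilities" rather than the process. Write "unless the process has a user ID of 0 within the namespace". The word "usually" also leaves the exceptional case unstated, so the reader has to derive it from capabilities(7). If the intended exception is an executable that carries file capabilities, naming it next to the cross-reference would let this paragraph stand on its own for someone assessing what a process keeps across execve(2) inside a user namespace.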