| field | value | date |
|---|---|---|
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2013-03-15 07:18:53 +0100 |
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2014-09-13 20:16:01 -0700 |
| commit | 3b44624fa4751139b6f3eb9aa3196bdcd049fd2c (patch) | |
| tree | 1db0009a26ca3a6ff00d28ffc387ffdb40d76910 /man7/user_namespaces.7 | |
| parent | 8a87c8b32f27f04e78f9b91433329c16384405f7 (diff) | |
| download | man-pages-3b44624fa4751139b6f3eb9aa3196bdcd049fd2c.tar.gz | |
user_namespaces.7: Minor fixes in various places
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/user_namespaces.7')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | man7/user_namespaces.7 | 23 |

1 files changed, 11 insertions, 12 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index acb909d8d5..29961fa830 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -65,7 +65,7 @@ with the .BR CLONE_NEWUSER flag. -Each process is member of exactly one user namespace. +Each process is a member of exactly one user namespace. A process created via .BR fork (2) or @@ -105,8 +105,7 @@ Likewise, a process that creates a new user namespace using .BR unshare (2) or joins an existing user namespace using .BR setns (2) -gains a full set of capabilities in that namespace, -and its securebits flags are cleared. +gains a full set of capabilities in that namespace. On the other hand, that process has no capabilities in the parent (in the case of .BR clone (2)) @@ -163,8 +162,8 @@ For example, it may execute a set-user-ID program or an executable with associated file capabilities. In addition, a process may gain capabilities via the effect of -.BR clone (2) -.BR unshare (2) +.BR clone (2), +.BR unshare (2), or .BR setns (2), as already described. @@ -276,7 +275,7 @@ user IDs between two user namespaces. The specification in each line takes the form of three numbers delimited by white space. The first two numbers specify the starting user ID in -each user namespace. +each of the two user namespaces. The third number specifies the length of the mapped range. In detail, the fields are interpreted as follows: .IP (1) 4 
@@ -318,13 +317,13 @@ System calls that return user IDs (group IDs)\(emfor example, .BR getgid (2), and the credential fields in the structure returned by .BR stat (2)\(emreturn -the user ID (group ID) mapped into the current user namespace. +the user ID (group ID) mapped into the caller's user namespace. When a process accesses a file, its user and group IDs are mapped into the initial user namespace for the purpose of permission checking and assigning IDs when creating a file. When a process retrieves file user and group IDs via -.BR stat (2) +.BR stat (2), the IDs are mapped in the opposite direction, to produce values relative to the process user and group ID mappings. @@ -495,7 +494,7 @@ field in the received with a signal (see .BR sigaction (2)), credentials written to the process accounting file (see -.BR acct (5), +.BR acct (5)), and credentials returned with POSIX message queue notifications (see .BR mq_notify (3)). @@ -528,7 +527,7 @@ but the process's effective user (group) ID is left unchanged. (This mirrors the semantics of executing a set-user-ID or set-group-ID program that resides on a file system that was mounted with the .BR MS_NOSUID -flag (see +flag, as described in .BR mount (2).) .\" .\" ============================================================ @@ -583,9 +582,9 @@ and PID .RI ( \-p ) namespaces, with user ID .RI ( \-M ) -and group ID 1000 +and group ID .RI ( \-G ) -mapped to 0 inside the user namespace: +1000 mapped to 0 inside the user namespace: .in +4n .nf |
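Review bot: the second hunk (@@ -105,8 +105,7 @@) removes the statement "and its securebits flags are cleared" from the description of what a process gains when it creates a user namespace with unshare(2) or joins one with setns(2). That drops a claim about documented kernel behaviour rather than fixing wording, so it does not belong under a commit titled "Minor fixes in various places" without explanation; the commit message should state whether the securebits claim was inaccurate for unshare(2)/setns(2) or is documented elsewhere, since readers relying on the old text for privilege-boundary reasoning will otherwise not know which version to trust.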
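Review bot: in the trailing context of the fifth hunk (@@ -318,13 +317,13 @@), "relative to the process user and group ID mappings" is missing the possessive and is inconsistent with "the process's effective user (group) ID" in the context of the seventh hunk (@@ -528,7 +527,7 @@); since this commit already touches the adjacent line to add the comma after ".BR stat (2),", it would be a natural place to also change that line to "relative to the process's user and group ID mappings".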
