diff options
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2013-03-04 17:17:19 +0100 |
|---|---|---|
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2014-09-13 20:16:01 -0700 |
| commit | 96ec9d12e69eb4f41b16ba8bc939bb603908ca16 (patch) | |
| tree | 8d5fb949e350bc0b76a0d1b60461fee949afadc2 /man7 | |
| parent | c94eb4a68d155bd94b33bd920805c05cdb084e24 (diff) | |
| download | man-pages-96ec9d12e69eb4f41b16ba8bc939bb603908ca16.tar.gz | |
user_namespaces.7: Clarify that the child of clone() gets all privileges in new userns
Nothing special happens for the children of unshare(2).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7')
| -rw-r--r-- | man7/user_namespaces.7 | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index 0658b7facf..4097b2329b 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -45,8 +45,12 @@ in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace. -The first process in a user namespace starts out with a complete set -of capabilities with respect to the new user namespace. +The child process created by +.BR clone (2) +with the +.BR CLONE_NEWUSER +flag starts out with a complete set +of capabilities in the new user namespace. On the other hand, that process has no capabilities outside that user namespace, even if the new namespace is created by the root user. @@ -90,8 +94,11 @@ flags in a single or .BR unshare (2) call, the user namespace is guaranteed to be created first, -giving the caller privileges over the remaining -namespaces created by the call. +giving the child +.RB ( clone (2)) +or caller +.RB ( unshare (2)) +privileges over the remaining namespaces created by the call. Thus, it is possible for an unprivileged caller to specify this combination of flags. |