mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Minor fixes in various places
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
8a87c8b32f
commit
3b44624fa4
|
@ -65,7 +65,7 @@ with the
|
|||
.BR CLONE_NEWUSER
|
||||
flag.
|
||||
|
||||
Each process is member of exactly one user namespace.
|
||||
Each process is a member of exactly one user namespace.
|
||||
A process created via
|
||||
.BR fork (2)
|
||||
or
|
||||
|
@ -105,8 +105,7 @@ Likewise, a process that creates a new user namespace using
|
|||
.BR unshare (2)
|
||||
or joins an existing user namespace using
|
||||
.BR setns (2)
|
||||
gains a full set of capabilities in that namespace,
|
||||
and its securebits flags are cleared.
|
||||
gains a full set of capabilities in that namespace.
|
||||
On the other hand,
|
||||
that process has no capabilities in the parent (in the case of
|
||||
.BR clone (2))
|
||||
|
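Review bot: dropping "and its securebits flags are cleared." removes a documented behaviour of clone(2)/unshare(2)/setns(2) on entering a new user namespace, which is a substantive change rather than the wording fix the subject line "Minor fixes in various places" suggests; either the commit message should say why the securebits statement goes (incorrect, or now documented elsewhere in the page), or the clause should be kept. The replacement line correctly ends the sentence with a period, since "On the other hand," begins a new sentence.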
@ -163,8 +162,8 @@ For example, it may execute a set-user-ID program or an
|
|||
executable with associated file capabilities.
|
||||
In addition,
|
||||
a process may gain capabilities via the effect of
|
||||
.BR clone (2)
|
||||
.BR unshare (2)
|
||||
.BR clone (2),
|
||||
.BR unshare (2),
|
||||
or
|
||||
.BR setns (2),
|
||||
as already described.
|
||||
|
@ -276,7 +275,7 @@ user IDs between two user namespaces.
|
|||
The specification in each line takes the form of
|
||||
three numbers delimited by white space.
|
||||
The first two numbers specify the starting user ID in
|
||||
each user namespace.
|
||||
each of the two user namespaces.
|
||||
The third number specifies the length of the mapped range.
|
||||
In detail, the fields are interpreted as follows:
|
||||
.IP (1) 4
|
||||
|
@ -318,13 +317,13 @@ System calls that return user IDs (group IDs)\(emfor example,
|
|||
.BR getgid (2),
|
||||
and the credential fields in the structure returned by
|
||||
.BR stat (2)\(emreturn
|
||||
the user ID (group ID) mapped into the current user namespace.
|
||||
the user ID (group ID) mapped into the caller's user namespace.
|
||||
|
||||
When a process accesses a file, its user and group IDs
|
||||
are mapped into the initial user namespace for the purpose of permission
|
||||
checking and assigning IDs when creating a file.
|
||||
When a process retrieves file user and group IDs via
|
||||
.BR stat (2)
|
||||
.BR stat (2),
|
||||
the IDs are mapped in the opposite direction,
|
||||
to produce values relative to the process user and group ID mappings.
|
||||
|
||||
|
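Review bot: the unchanged line "to produce values relative to the process user and group ID mappings." would read more consistently as "the process's user and group ID mappings", matching the possessive "the caller's user namespace" this hunk introduces; since the hunk already edits this paragraph (the comma added after ".BR stat (2),"), it is a cheap fix to fold in. Replacing "current user namespace" with "the caller's user namespace" is a good change, as "current" is ambiguous between the caller's namespace and that of the process whose IDs are being reported.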
@ -495,7 +494,7 @@ field in the
|
|||
received with a signal (see
|
||||
.BR sigaction (2)),
|
||||
credentials written to the process accounting file (see
|
||||
.BR acct (5),
|
||||
.BR acct (5)),
|
||||
and credentials returned with POSIX message queue notifications (see
|
||||
.BR mq_notify (3)).
|
||||
|
||||
|
@ -528,7 +527,7 @@ but the process's effective user (group) ID is left unchanged.
|
|||
(This mirrors the semantics of executing a set-user-ID or set-group-ID
|
||||
program that resides on a file system that was mounted with the
|
||||
.BR MS_NOSUID
|
||||
flag (see
|
||||
flag, as described in
|
||||
.BR mount (2).)
|
||||
.\"
|
||||
.\" ============================================================
|
||||
|
@ -583,9 +582,9 @@ and PID
|
|||
.RI ( \-p )
|
||||
namespaces, with user ID
|
||||
.RI ( \-M )
|
||||
and group ID 1000
|
||||
and group ID
|
||||
.RI ( \-G )
|
||||
mapped to 0 inside the user namespace:
|
||||
1000 mapped to 0 inside the user namespace:
|
||||
|
||||
.in +4n
|
||||
.nf
|
||||
|