From 6bb49a326656fc7dbb8d2a9021f6f585af473005 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Mon, 2 Feb 2015 16:22:12 +0100 Subject: [PATCH] proc.5: Tweak's to Eric Biederman's patch Signed-off-by: Michael Kerrisk --- man5/proc.5 | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/man5/proc.5 b/man5/proc.5 index ed0f1a42b..552ac804d 100644 --- a/man5/proc.5 +++ b/man5/proc.5 @@ -1216,26 +1216,32 @@ are not available if the main thread has already terminated .\" This file displays the string .RI \(dq allow \(dq -if the +if processes in the user namespace that contains the process +.I pid +are permitted to employ the .BR setgroups (2) -system call is permitted in the process's user namespace, and +system call, and .RI \(dq deny \(dq if .BR setgroups (2) -is not permitted. +is not permitted in that user namespace. + A privileged process (one with the .BR CAP_SYS_ADMIN -capability in the namespace) -.\" Should it be "parent namespace" in the line above? -may write either of the strings +capability in the namespace) may write either of the strings .RI \(dq allow \(dq or .RI \(dq deny \(dq to this file before writing a group ID mapping for this user namespace to the file .IR /proc/[pid]/gid_map . -The default value of this file in the initial user namesapce is -.RI " allow ". +Writing the string +.RI \(dq deny \(dq +prevents any process in the user namespace from employing +.BR setgroups (2). + +The default value of this file in the initial user namespace is +.RI \(dq allow \(dq. Once .IR /proc/[pid]/gid_map @@ -1255,7 +1261,7 @@ setting from its parent. If the .I setgroups file has the value -.IR \(dq deny \(dq, +.RI \(dq deny \(dq, then the .BR setgroups (2) system call can't subsequently be reenabled (by writing
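Review bot: the first hunk deletes the `.\" Should it be "parent namespace" in the line above?` comment without answering the question it raised, so the wording `capability in the namespace)` still leaves the reader guessing which user namespace is meant. Since the surrounding text now consistently talks about "the user namespace that contains the process pid", suggest writing "capability in that user namespace)" so the privilege requirement for writing to this file is unambiguous; the point matters because this file is the gate that stops processes in the namespace from calling setgroups(2) to drop supplementary groups. The added sentence `Writing the string "deny" prevents any process in the user namespace from employing setgroups(2).` is a useful clarification; it would help to tie it to the ordering requirement stated just above (the write must happen before gid_map is written), since the second hunk's context notes that "deny" cannot be undone afterwards. The typo fix `namesapce` to `namespace` and the corrected `.RI \(dq allow \(dq.` quoting are fine.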
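Review bot: the `.IR \(dq deny \(dq,` to `.RI \(dq deny \(dq,` change in the second hunk is the right fix: `.RI` alternates roman and italic, so the `\(dq` quotes render roman and only `deny` is italicised, matching every other occurrence of the string in the first hunk, whereas `.IR` rendered the quotes in italics. Worth a quick grep of the rest of the file for other `.IR \(dq` uses so the quoting convention stays uniform across the page.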