LDP
/
man-pages
mirror of https://github.com/mkerrisk/man-pages
0
1
Fork 0
Code Releases Activity

setns.2: setns() into a user namespace grants all capabilities in that namespace 

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Michael Kerrisk 2013-02-26 12:09:20 +01:00
parent 3c98ab169f
commit 7612b8a7e1
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
man2/setns.2
View File

@ -101,10 +101,14 @@ to reenter the caller's current user namespace.
This prevents a caller that has dropped capabilities from regaining
those capabilities via a call to
.BR setns ().
A process reassociating itself with a user namespace must have
.B CAP_SYS_ADMIN
.\" See kernel/user_namespace.c:userns_install() [3.8 source]
privileges in the target user namespace.
Upon successfully joining a user namespace,
a process is granted all capabilities in that namespace,
regardless of its user and group IDs.
A process may not be reassociated with a new mount namespace if it is
multi-threaded.