From 7612b8a7e1304a1a7cf474a6513e2c9ad8a597d1 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Tue, 26 Feb 2013 12:09:20 +0100 Subject: [PATCH] setns.2: setns() into a user namespace grants all capabilities in that namespace Signed-off-by: Michael Kerrisk --- man2/setns.2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/man2/setns.2 b/man2/setns.2 index c02efa02f..9b20038e0 100644 --- a/man2/setns.2 +++ b/man2/setns.2 @@ -101,10 +101,14 @@ to reenter the caller's current user namespace. This prevents a caller that has dropped capabilities from regaining those capabilities via a call to .BR setns (). + A process reassociating itself with a user namespace must have .B CAP_SYS_ADMIN .\" See kernel/user_namespace.c:userns_install() [3.8 source] privileges in the target user namespace. +Upon successfully joining a user namespace, +a process is granted all capabilities in that namespace, +regardless of its user and group IDs. A process may not be reassociated with a new mount namespace if it is multi-threaded.
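Review bot: The sentence added after "privileges in the target user namespace." says the process "is granted all capabilities in that namespace" but does not say which capability sets are meant (permitted, effective, or others), and it does not connect the grant to the CAP_SYS_ADMIN requirement stated just above it. Since the text requires only CAP_SYS_ADMIN in the target namespace to join, consider stating explicitly that a successful setns() takes the caller from that single capability to the full set there, and naming the sets affected, so that readers reasoning about least privilege see the escalation without having to infer it. A smaller point on the same hunk: the empty line added after ".BR setns ()." creates a break in the roff source between the rationale sentence and the CAP_SYS_ADMIN requirement; if a paragraph break is intended there, a paragraph macro such as .PP states it explicitly.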