mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Clarify that the child of clone() gets all privileges in new userns
Nothing special happens for the children of unshare(2). Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
c94eb4a68d
commit
96ec9d12e6
|
@ -45,8 +45,12 @@ in other words,
|
|||
the process has full privileges for operations inside the user namespace,
|
||||
but is unprivileged for operations outside the namespace.
|
||||
|
||||
The first process in a user namespace starts out with a complete set
|
||||
of capabilities with respect to the new user namespace.
|
||||
The child process created by
|
||||
.BR clone (2)
|
||||
with the
|
||||
.BR CLONE_NEWUSER
|
||||
flag starts out with a complete set
|
||||
of capabilities in the new user namespace.
|
||||
On the other hand,
|
||||
that process has no capabilities outside that user namespace,
|
||||
even if the new namespace is created by the root user.
|
||||
|
@ -90,8 +94,11 @@ flags in a single
|
|||
or
|
||||
.BR unshare (2)
|
||||
call, the user namespace is guaranteed to be created first,
|
||||
giving the caller privileges over the remaining
|
||||
namespaces created by the call.
|
||||
giving the child
|
||||
.RB ( clone (2))
|
||||
or caller
|
||||
.RB ( unshare (2))
|
||||
privileges over the remaining namespaces created by the call.
|
||||
Thus, it is possible for an unprivileged caller to specify this combination
|
||||
of flags.
|
||||
|
||||
|
|
Loading…
Reference in New Issue