user_namespaces.7: Clarify that the child of clone() gets all privileges in new userns

Nothing special happens for the children of unshare(2). Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2013-03-04 17:17:19 +01:00 · 2013-03-04 17:17:19 +01:00 · 96ec9d12e6
parent c94eb4a68d
commit 96ec9d12e6
1 changed files with 11 additions and 4 deletions
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@ -45,8 +45,12 @@ in other words,
 the process has full privileges for operations inside the user namespace,
 but is unprivileged for operations outside the namespace.

-The first process in a user namespace starts out with a complete set
-of capabilities with respect to the new user namespace.
+The child process created by
+.BR clone (2)
+with the
+.BR CLONE_NEWUSER
+flag starts out with a complete set
+of capabilities in the new user namespace.
 On the other hand,
 that process has no capabilities outside that user namespace,
 even if the new namespace is created by the root user.
@ -90,8 +94,11 @@ flags in a single
 or
 .BR unshare (2)
 call, the user namespace is guaranteed to be created first,
-giving the caller privileges over the remaining
-namespaces created by the call.
+giving the child
+.RB ( clone (2))
+or caller
+.RB ( unshare (2))
+privileges over the remaining namespaces created by the call.
 Thus, it is possible for an unprivileged caller to specify this combination
 of flags.