mirror of https://github.com/mkerrisk/man-pages
namespaces.7: Clarify explanation of nested user namespaces
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
6be09bd882
commit
9a80f81d04
|
@ -501,6 +501,18 @@ in other words,
|
|||
the process has full privileges for operations inside the user namespace,
|
||||
but is unprivileged for operations outside the namespace.
|
||||
|
||||
User namespaces can be nested;
|
||||
that is, each user namespace has a parent user namespace,
|
||||
and can have zero or more child user namespaces.
|
||||
The parent of a user namespace is the user namespace
|
||||
of the process that creates the user namespace via a call to
|
||||
.BR unshare (2)
|
||||
or
|
||||
.BR clone (2)
|
||||
with the
|
||||
.BR CLONE_NEWUSER
|
||||
flag.
|
||||
|
||||
When a user namespace is created,
|
||||
it starts out without a mapping of user IDs (group IDs)
|
||||
to the parent user namespace.
|
||||
|
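Review bot: the new paragraph beginning "User namespaces can be nested;" is separated from the surrounding text by bare blank lines (the existing one before it and the added one before "When a user namespace is created,") rather than by `.PP`, while the third hunk of this same commit replaces a blank line with `.PP`; for consistency with that change, use `.PP` to open and close the new paragraph here too. The wording itself is fine and matches the parenthetical it supersedes in the uid_map section, so the definition of "parent user namespace" stays consistent across the page.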
@ -617,15 +629,6 @@ If the two processes are in the same user namespace:
|
|||
field two is the start of the range of
|
||||
user IDs in the parent user namespace of the process
|
||||
.IR pid .
|
||||
(The "parent user namespace"
|
||||
is the user namespace of the process that created a user namespace
|
||||
via a call to
|
||||
.BR unshare (2)
|
||||
or
|
||||
.BR clone (2)
|
||||
with the
|
||||
.BR CLONE_NEWUSER
|
||||
flag.)
|
||||
This case enables the opener of
|
||||
.I uid_map
|
||||
(the common case here is opening
|
||||
|
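Review bot: with the parenthetical definition of "parent user namespace" removed from the description of field two, a reader who jumps straight to the uid_map section no longer sees what the term means; consider keeping a short pointer after `.IR pid .`, e.g. "(the parent user namespace is defined above)", so the field-two semantics remain self-contained. Otherwise the removal is correct, since the text dropped here (the creator's namespace, via `unshare(2)` or `clone(2)` with `CLONE_NEWUSER`) is exactly the definition now given once in the nesting paragraph added earlier in the file.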
@ -732,7 +735,7 @@ in the parent user namespace.
|
|||
.PP
|
||||
Writes that violate the above rules fail with the error
|
||||
.BR EPERM .
|
||||
|
||||
.PP
|
||||
When a process inside a user namespace executes
|
||||
a set-user-ID (set-group-ID) program,
|
||||
the process's effective user (group) ID inside the namespace is changed
|
||||
|
|
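Review bot: the blank line after `.BR EPERM .` is replaced by `.PP`, which is the correct groff idiom for a paragraph break, but the context lines in the first two hunks show that this file still uses bare blank lines as paragraph separators elsewhere, so the change is inconsistent on its own; either convert the remaining blank lines in the same commit or leave this one for a dedicated whitespace cleanup, and if it stays here, mention it in the commit message, whose title only covers the nested-namespace wording.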