namespaces.7: Clarify explanation of nested user namespaces

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man7/namespaces.7

@@ -501,6 +501,18 @@ in other words,
 the process has full privileges for operations inside the user namespace,
 but is unprivileged for operations outside the namespace.
 
+User namespaces can be nested;
+that is, each user namespace has a parent user namespace,
+and can have zero or more child user namespaces.
+The parent of a user namespace is the user namespace
+of the process that creates the user namespace via a call to
+.BR unshare (2)
+or
+.BR clone (2)
+with the 
+.BR CLONE_NEWUSER
+flag.
+
 When a user namespace is created,
 it starts out without a mapping of user IDs (group IDs)
 to the parent user namespace.
@@ -617,15 +629,6 @@ If the two processes are in the same user namespace:
 field two is the start of the range of
 user IDs in the parent user namespace of the process
 .IR pid .
-(The "parent user namespace"
-is the user namespace of the process that created a user namespace
-via a call to
-.BR unshare (2)
-or
-.BR clone (2)
-with the 
-.BR CLONE_NEWUSER
-flag.)
 This case enables the opener of
 .I uid_map
 (the common case here is opening
@@ -732,7 +735,7 @@ in the parent user namespace.
 .PP
 Writes that violate the above rules fail with the error
 .BR EPERM .
-
+.PP
 When a process inside a user namespace executes
 a set-user-ID (set-group-ID) program,
 the process's effective user (group) ID inside the namespace is changed