From d45d012859765edd273040fe6dd9c559ec6b972f Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Thu, 28 Feb 2013 00:20:28 +0100 Subject: [PATCH] user_namespaces.7: srcfix Signed-off-by: Michael Kerrisk --- man7/user_namespaces.7 | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index b9daad17f..db4fb5bfa 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -53,18 +53,18 @@ of the process that creates the user namespace via a call to .BR unshare (2) or .BR clone (2) -with the +with the .BR CLONE_NEWUSER flag. The first process in a user namespace starts out with a complete set -of capabilities with respect to the new user namespace. +of capabilities with respect to the new user namespace. On the other hand, that process has no capabilities in the outside that user namespace. Even if the new namespace is created by the root user, the initial process will have no capabilities outside the new user namespace. -(However, that process will be able to access resources such as +(However, that process will be able to access resources such as files that are owned by user ID 0, and will be able to do things such as sending signals to processes belonging to user ID 0.) @@ -73,7 +73,7 @@ When a user namespace is created, it starts out without a mapping of user IDs (group IDs) to the parent user namespace. The desired mapping of user IDs (group IDs) to the parent user namespace -may be set by writing into +may be set by writing into .IR /proc/[pid]/uid_map .RI ( /proc/[pid]/gid_map ); see below. @@ -145,7 +145,7 @@ namespaces created by the call. Thus, it is possible for an unprivileged caller to specify this combination of flags. -When a new IPC, mount, network, PID, or UTS namespace is created via +When a new IPC, mount, network, PID, or UTS namespace is created via .BR clone (2) or .BR unshare (2), 
@@ -177,14 +177,14 @@ user ID of the creating process as being the "owner" of the namespace (and likewise associates the effective group ID of the creating process with the namespace). .IP -A process whose effective user ID matches that of the +A process whose effective user ID matches that of the owner of a user namespace and which is a member of the parent namespace has all capabilities in the user namespace. By virtue of the first rule, this means that the process has all capabilities in all further removed descendant user namespaces as well. .\" As a rough approximation, this means that -.\" the user who creates a user namespace +.\" the user who creates a user namespace .\" has all capabilities inside that namespace and its descendants. .\" .\" ============================================================ @@ -229,7 +229,7 @@ user IDs between two user namespaces. (When a user namespace is first created, this file is empty.) The specification in each line takes the form of three numbers delimited by white space. -The first two numbers specify the starting user ID in +The first two numbers specify the starting user ID in each user namespace. The third number specifies the length of the mapped range. In detail, the fields are interpreted as follows: @@ -275,7 +275,7 @@ After the creation of a new user namespace, the .I uid_map file of .I one -of the process in the namespace may be written to +of the process in the namespace may be written to .I once to define the mapping of user IDs in the new user namespace. (An attempt to write more than once to a 
@@ -307,7 +307,7 @@ can't be used to write to nonzero offsets in the file). .IP * The range of user IDs specified in each line cannot overlap with the ranges in any other lines. -In the current implementation (Linux 3.8), this requirement is +In the current implementation (Linux 3.8), this requirement is satisfied by a simplistic implementation that imposes the further requirement that the values in both field 1 and field 2 of successive lines must be @@ -374,7 +374,7 @@ but the process's effective user (group) ID is left unchanged. (This mirrors the semantics of executing a set-user-ID or set-group-ID program that resides on a file system that was mounted with the .BR MS_NOSUID -flag (see +flag (see .BR mount (2).) .SH CONFORMING TO Namespaces are a Linux-specific feature.
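Review bot: The subject line `user_namespaces.7: srcfix` does not say what was fixed, and every one of the eight hunks (from `-with the ` at @@ -53 to `-flag (see ` at @@ -374) differs from its `+` line only by a dropped trailing space, so the message should state that, e.g. `user_namespaces.7: srcfix: strip trailing whitespace`, making clear to anyone reading the log that the rendered page is unchanged. Since the change touches eleven scattered lines rather than the whole file, it is also worth checking that no other line in man7/user_namespaces.7 still ends in whitespace before merging.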
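Review bot: In the @@ -275 hunk the unchanged context `.I one` / `of the process in the namespace may be written to` reads as a grammar slip (`one of the processes`); it sits outside this whitespace-only change, so it should go in a separate follow-up commit rather than be folded into this one.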