From d45e85a94b206509fa7bc91549e0a699af22c322 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Wed, 31 Oct 2018 08:39:02 +0100 Subject: [PATCH] namespaces.7: Briefly explain why CAP_SYS_ADMIN is needed to create nonuser namespaces Reported-by: Tycho Kirchner Signed-off-by: Michael Kerrisk --- man7/namespaces.7 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/man7/namespaces.7 b/man7/namespaces.7 index 912758f23..a74f73f88 100644 --- a/man7/namespaces.7 +++ b/man7/namespaces.7 @@ -109,7 +109,10 @@ and .BR unshare (2) in most cases requires the .BR CAP_SYS_ADMIN -capability. +capability, since, in the new namespace, +the creator will have the power to change global resources +that are visible to other processes that are subsequently created in, +or join the same namespace. User namespaces are the exception: since Linux 3.8, no privilege is required to create a user namespace. .\"
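Review bot: In the added lines, the clause "that are subsequently created in, or join the same namespace" opens a parenthetical with the comma after "created in" but never closes it; write "created in, or join, the same namespace" or drop the comma. The causal "since" in "capability, since, in the new namespace," also sits directly above the temporal "since Linux 3.8" in the unchanged context line, so "because" would avoid using the word in two senses in adjacent sentences. "Global resources" is left abstract. Since this sentence is the justification for the privilege requirement, a short parenthetical example or a pointer to the per-namespace-type pages would show the reader which resources are meant.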