user_namespaces.7: Clarify some capabilities details

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2013-03-08 16:54:50 +01:00 · 2013-03-08 16:54:50 +01:00 · d68c5f1184
parent 0666f549da
commit d68c5f1184
1 changed files with 9 additions and 4 deletions
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@ -108,7 +108,13 @@ or joins an existing user namespace using
 gains a full set of capabilities in that namespace,
 and its securebits flags are cleared.
 On the other hand,
-that process has no capabilities outside that user namespace,
+that process has no capabilities in the parent (in the case of
+.BR clone (2))
+or previous (in the case of
+.BR unshare (2)
+and
+.BR setns (2))
+user namespace,
 even if the new namespace is created or joined by the root user
 (i.e., a process with user ID 0 in the root namespace).
 (Nevertheless, a process owned by the root user
@ -133,9 +139,8 @@ or caller (for
 .BR unshare (2),
 or
 .BR setns (2)).
-Note that
-because the caller no longer has capabilities in its original user namespace
-after a call to
+Note that because the caller no longer has capabilities
+in its original user namespace after a call to
 .BR setns (2),
 it is not possible for a process to reset its "securebits" flags while
 retaining its user namespace membership by using a pair of