mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Clarify some capabilities details
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
0666f549da
commit
d68c5f1184
|
@ -108,7 +108,13 @@ or joins an existing user namespace using
|
|||
gains a full set of capabilities in that namespace,
|
||||
and its securebits flags are cleared.
|
||||
On the other hand,
|
||||
that process has no capabilities outside that user namespace,
|
||||
that process has no capabilities in the parent (in the case of
|
||||
.BR clone (2))
|
||||
or previous (in the case of
|
||||
.BR unshare (2)
|
||||
and
|
||||
.BR setns (2))
|
||||
user namespace,
|
||||
even if the new namespace is created or joined by the root user
|
||||
(i.e., a process with user ID 0 in the root namespace).
|
||||
(Nevertheless, a process owned by the root user
|
||||
|
@ -133,9 +139,8 @@ or caller (for
|
|||
.BR unshare (2),
|
||||
or
|
||||
.BR setns (2)).
|
||||
Note that
|
||||
because the caller no longer has capabilities in its original user namespace
|
||||
after a call to
|
||||
Note that because the caller no longer has capabilities
|
||||
in its original user namespace after a call to
|
||||
.BR setns (2),
|
||||
it is not possible for a process to reset its "securebits" flags while
|
||||
retaining its user namespace membership by using a pair of
|
||||
|
|
Loading…
Reference in New Issue