mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Clarify some capabilities details
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Michael Kerrisk
parent
0666f549da
commit
d68c5f1184
|
|
@ -108,7 +108,13 @@ or joins an existing user namespace using
|
||||||
gains a full set of capabilities in that namespace,
|
gains a full set of capabilities in that namespace,
|
||||||
and its securebits flags are cleared.
|
and its securebits flags are cleared.
|
||||||
On the other hand,
|
On the other hand,
|
||||||
that process has no capabilities outside that user namespace,
|
that process has no capabilities in the parent (in the case of
|
||||||
|
.BR clone (2))
|
||||||
|
or previous (in the case of
|
||||||
|
.BR unshare (2)
|
||||||
|
and
|
||||||
|
.BR setns (2))
|
||||||
|
user namespace,
|
||||||
even if the new namespace is created or joined by the root user
|
even if the new namespace is created or joined by the root user
|
||||||
(i.e., a process with user ID 0 in the root namespace).
|
(i.e., a process with user ID 0 in the root namespace).
|
||||||
(Nevertheless, a process owned by the root user
|
(Nevertheless, a process owned by the root user
|
||||||
|
|
@ -133,9 +139,8 @@ or caller (for
|
||||||
.BR unshare (2),
|
.BR unshare (2),
|
||||||
or
|
or
|
||||||
.BR setns (2)).
|
.BR setns (2)).
|
||||||
Note that
|
Note that because the caller no longer has capabilities
|
||||||
because the caller no longer has capabilities in its original user namespace
|
in its original user namespace after a call to
|
||||||
after a call to
|
|
||||||
.BR setns (2),
|
.BR setns (2),
|
||||||
it is not possible for a process to reset its "securebits" flags while
|
it is not possible for a process to reset its "securebits" flags while
|
||||||
retaining its user namespace membership by using a pair of
|
retaining its user namespace membership by using a pair of
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue