user_namespaces.7: Minor tweak to order of "setgroups" text

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man7/user_namespaces.7

@@ -645,6 +645,13 @@ system call; it displays
 if
 .BR setgroups (2)
 is not permitted in that user namespace.
+Note that regardless of the value in the
+.I /proc/[pid]/setgroups
+file (and regardless of the process's capabilities), calls to
+.BR setgroups (2)
+are also not permitted if
+.IR /proc/[pid]/gid_map
+has not yet been set.
 
 A privileged process (one with the
 .BR CAP_SYS_ADMIN
@@ -661,13 +668,6 @@ Writing the string
 .RI \(dq deny \(dq
 prevents any process in the user namespace from employing
 .BR setgroups (2).
-Note that regardless of the value in the
-.I /proc/[pid]/setgroups
-file (and regardless of the process's capabilities), calls to
-.BR setgroups (2)
-are also not permitted if
-.IR /proc/[pid]/gid_map
-has not yet been set.
 
 The essence of the restrictions described in the preceding
 paragraph is that it is permitted to write to