mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Minor tweak to order of "setgroups" text
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 6ffef7012e
commit e2b6e58cd8
|
@ -645,6 +645,13 @@ system call; it displays
|
|||
if
|
||||
.BR setgroups (2)
|
||||
is not permitted in that user namespace.
|
||||
Note that regardless of the value in the
|
||||
.I /proc/[pid]/setgroups
|
||||
file (and regardless of the process's capabilities), calls to
|
||||
.BR setgroups (2)
|
||||
are also not permitted if
|
||||
.IR /proc/[pid]/gid_map
|
||||
has not yet been set.
|
||||
|
||||
A privileged process (one with the
|
||||
.BR CAP_SYS_ADMIN
|
||||
|
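Review bot: In the relocated sentence, the "also" in "are also not permitted" loses its antecedent at this position. It was written to follow the statement that writing "deny" prevents setgroups(2), but here it follows the description of what the file displays, so consider dropping "also" or rewording. As a style point in the same sentence, `.IR /proc/[pid]/gid_map` takes a single argument, so `.I` would match the `.I /proc/[pid]/setgroups` line just above it.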
@ -661,13 +668,6 @@ Writing the string
|
|||
.RI \(dq deny \(dq
|
||||
prevents any process in the user namespace from employing
|
||||
.BR setgroups (2).
|
||||
Note that regardless of the value in the
|
||||
.I /proc/[pid]/setgroups
|
||||
file (and regardless of the process's capabilities), calls to
|
||||
.BR setgroups (2)
|
||||
are also not permitted if
|
||||
.IR /proc/[pid]/gid_map
|
||||
has not yet been set.
|
||||
|
||||
The essence of the restrictions described in the preceding
|
||||
paragraph is that it is permitted to write to
|
||||
|
|
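Review bot: The context line "The essence of the restrictions described in the preceding paragraph" is a positional back-reference, and the paragraph it points at now ends at "from employing setgroups(2)." without the gid_map sentence. Please confirm that the "essence" sentence still summarizes only what remains in that paragraph, or reword it to name the restrictions directly instead of by position.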