bindresvport.3, rcmd.3, ip.7: Note user namespace requirements for CAP_NET_BIND_SERVICE

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man3/bindresvport.3

@@ -79,9 +79,10 @@ can fail for any of the same reasons as
 In addition, the following errors may occur:
 .TP
 .BR EACCES
-The caller did not have superuser privilege (to be precise: the
+The calling process was not privileged
+(on Linux: the calling process did not have the
 .B CAP_NET_BIND_SERVICE
-capability is required).
+capability in the user namespace governing its network namespace).
 .TP
 .B EADDRINUSE
 All privileged ports are in use.

man3/rcmd.3

@@ -172,7 +172,9 @@ This socket is suitable for use by
 and several other functions.
 Privileged ports are those in the range 0 to 1023.
 Only a privileged process
-.RB ( CAP_NET_BIND_SERVICE )
+(on Linux: a process that has the
+.B CAP_NET_BIND_SERVICE
+capability in the user namespace governing its network namespace).
 is allowed to bind to a privileged port.
 In the glibc implementation,
 this function restricts its search to the ports from 512 to 1023.

man7/ip.7

@@ -160,9 +160,10 @@ The port numbers below 1024 are called
 .IR "privileged ports"
 (or sometimes:
 .IR "reserved ports" ).
-Only a privileged process (i.e., one having the
+Only a privileged process
+(on Linux: a process that has the
 .B CAP_NET_BIND_SERVICE
-capability) may
+capability in the user namespace governing its network namespace) may
 .BR bind (2)
 to these sockets.
 Note that the raw IPv4 protocol as such has no concept of a