unshare: describe the setgroups restriction more explicitly

Signed-off-by: Benno Schulenberg <bensberg@justemail.net>

1 files changed, 15 insertions, 10 deletions

diff --git a/sys-utils/unshare.1 b/sys-utils/unshare.1
index ba47c6733..cd873cb46 100644
--- a/sys-utils/unshare.1
+++ b/sys-utils/unshare.1
@@ -114,16 +114,21 @@ namespace (\fB\-\-mount\fP) is not requested.
 .BR "\-\-setgroups allow" | deny
 Allow or deny the
 .BR setgroups (2)
-syscall in user namespaces.
-
-.BR setgroups (2)
-is only callable with CAP_SETGID and CAP_SETGID in a user
-namespace.  Linux kernel (since 3.19) does not give you permission to call setgroups(2)
-until after GID map has been set.  The GID map is writable by root when
-.BR setgroups (2)
-is enabled and the GID map becomes writable by unprivileged processes when
-.BR setgroups (2)
-is permanently disabled.
+syscall in a user namespace.
+.sp
+To be able to call
+.BR setgroups (2),
+the calling process must at least have CAP_SETGID.
+But since Linux 3.19 a further restriction applies:
+the kernel gives permission to call
+.BR \%setgroups (2)
+only after the GID map (\fB/proc/\fIpid\fB/gid_map\fR) has been set.
+The GID map is writable by root when
+.BR \%setgroups (2)
+is enabled (i.e. \fBallow\fR, the default), and
+the GID map becomes writable by unprivileged processes when
+.BR \%setgroups (2)
+is permanently disabled (with \fBdeny\fR).
 .TP
 .BR \-V , " \-\-version"
 Display version information and exit.