permanently running init process is required).
Once a persistent \%namespace is no longer needed, it can be unpersisted with
.BR umount (8).
-See the \fBEXAMPLES\fR section for more details.
+See the \fBEXAMPLE\fR section for more details.
+.PP
+.B unshare
+since util-linux version 2.36 uses /\fIproc/[pid]/ns/pid_for_children\fP and \fI/proc/[pid]/ns/time_for_children\fP
+files for persistent PID and TIME namespaces. This change requires Linux kernel 4.17 or newer.
.PP
The namespaces to be unshared are indicated via options. Unshareable namespaces are:
.TP
.B UTS namespace
Setting hostname or domainname will not affect the rest of the system.
For further details, see
-.BR namespaces (7)
+.BR uts_namespaces (7)
and the discussion of the
.B CLONE_NEWUTS
flag in
as well as System V \%message queues,
semaphore sets and shared memory segments.
For further details, see
-.BR namespaces (7)
+.BR ipc_namespaces (7)
and the discussion of the
.B CLONE_NEWIPC
flag in
firewall rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees,
sockets, etc.
For further details, see
-.BR namespaces (7)
+.BR network_namespaces (7)
and the discussion of the
.B CLONE_NEWNET
flag in
and/or
.B CLOCK_BOOTTIME
which can be changed using \fI/proc/self/timens_offsets\fP.
+For further details, see
+.BR time_namespaces (7).
.SH OPTIONS
.TP
.BR \-i , " \-\-ipc" [ =\fIfile ]
mess up existing programs on the system. The new proc filesystem is explicitly
mounted as private (with MS_PRIVATE|MS_REC).
.TP
+.BI \-\-map\-user= uid|name
+Run the program only after the current effective user ID has been mapped to \fIuid\fP.
+If this option is specified multiple times, the last occurrence takes precedence.
+This option implies \fB\-\-user\fR.
+.TP
+.BI \-\-map\-group= gid|name
+Run the program only after the current effective group ID has been mapped to \fIgid\fP.
+If this option is specified multiple times, the last occurrence takes precedence.
+This option implies \fB\-\-setgroups=deny\fR and \fB\-\-user\fR.
+.TP
.BR \-r , " \-\-map\-root\-user"
Run the program only after the current effective user and group IDs have been mapped to
the superuser UID and GID in the newly created user namespace. This makes it possible to
the mount namespace) even when run unprivileged. As a mere convenience feature, it does not support
more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
This option implies \fB\-\-setgroups=deny\fR and \fB\-\-user\fR.
+This option is equivalent to \fB\-\-map-user=0 \-\-map-group=0\fR.
.TP
.BR \-c , " \-\-map\-current\-user"
Run the program only after the current effective user and group IDs have been mapped to
the same UID and GID in the newly created user namespace. This option implies
\fB\-\-setgroups=deny\fR and \fB\-\-user\fR.
+This option is equivalent to \fB\-\-map-user=$(id -ru) \-\-map-group=$(id -rg)\fR.
.TP
.BR "\-\-propagation private" | shared | slave | unchanged
Recursively set the mount propagation flag in the new mount namespace. The default
Set the group ID which will be used in the entered namespace and drop
supplementary groups.
.TP
-.BR "\-\-monotonic \fIoffset"
+.BI \-\-monotonic " offset"
Set the offset of
.B CLOCK_MONOTONIC
which will be used in the entered time namespace. This option requires
unsharing a time namespace with \fB\-\-time\fP.
.TP
-.BR "\-\-boottime \fIoffset"
+.BI \-\-boottime " offset"
Set the offset of
.B CLOCK_BOOTTIME
which will be used in the entered time namespace. This option requires
restricted so that a less privileged user can not get more access to sensitive
files that a more privileged user made unavailable. In short the rule for proc
and sysfs is as close to a bind mount as possible.
-.SH EXAMPLES
+.SH EXAMPLE
.TP
.B # unshare \-\-fork \-\-pid \-\-mount-proc readlink /proc/self
.TQ
.TQ
10:58:48 up 1158 days, 6:05, 1 user, load average: 0.00, 0.00, 0.00
-.SH SEE ALSO
-.BR clone (2),
-.BR unshare (2),
-.BR namespaces (7),
-.BR mount (8)
.SH AUTHORS
.UR dottedmag@dottedmag.net
Mikhail Gusarov
.UR kzak@redhat.com
Karel Zak
.UE
+.SH SEE ALSO
+.BR clone (2),
+.BR unshare (2),
+.BR namespaces (7),
+.BR mount (8)
.SH AVAILABILITY
The unshare command is part of the util-linux package and is available from
https://www.kernel.org/pub/linux/utils/util-linux/.