man: describe how to reverse systemd-nspawn -U

Now that systemd-nspawn@.service includes -U, more users might be interested
in this tidbit ;)

man/systemd-nspawn.xml

@@ -453,17 +453,6 @@
         except in the file ownership of the files and directories of the container.</para></listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><option>-U</option></term>
-
-        <listitem><para>If the kernel supports the user namespaces feature, equivalent to
-        <option>--private-users=pick</option>, otherwise equivalent to
-        <option>--private-users=no</option>.</para>
-
-        <para>Note that <option>-U</option> is the default if the <filename>systemd-nspawn@.service</filename> template unit
-        file is used.</para></listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><option>--private-users-chown</option></term>
 
@@ -476,6 +465,23 @@
         user namespacing is not used.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>-U</option></term>
+
+        <listitem><para>If the kernel supports the user namespaces feature, equivalent to
+        <option>--private-users=pick --private-users-chown</option>, otherwise equivalent to
+        <option>--private-users=no</option>.</para>
+
+        <para>Note that <option>-U</option> is the default if the
+        <filename>systemd-nspawn@.service</filename> template unit file is used.</para>
+
+        <para>Note: it is possible to undo the effect of <option>--private-users-chown</option> (or
+        <option>-U</option>) on the file system by redoing the operation with the first UID of 0:</para>
+
+        <programlisting>systemd-nspawn … --private-users=0 --private-users-chown</programlisting>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--private-network</option></term>