| field | value | timestamp |
|---|---|---|
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2016-10-18 09:50:16 +0200 |
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2016-10-18 10:46:54 +0200 |
| commit | 3bbab71ae8aa84bfbfbff05dc7bff955a5de85c0 (patch) | |
| tree | 6b9ab7c4f74be2f41eab64bf18f17b30415de556 | |
| parent | de6a5c050113756d43b9a4f6f5c1c9f2c54f823b (diff) | |
| download | man-pages-3bbab71ae8aa84bfbfbff05dc7bff955a5de85c0.tar.gz | |
capabilities.7: tfix + wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
| -rw-r--r-- | man7/capabilities.7 | 34 |
1 files changed, 30 insertions, 4 deletions
diff --git a/man7/capabilities.7 b/man7/capabilities.7 index 5b98d239ad..8f1b14943b 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -104,7 +104,7 @@ Bypass file read, write, and execute permission checks. Bypass file read permission checks and directory read and execute permission checks; .IP * -Invoke +invoke .BR open_by_handle_at (2). .RE .PD @@ -141,10 +141,16 @@ and .PD .TP .B CAP_FSETID +.PD 0 +.RS +.IP * 2 Don't clear set-user-ID and set-group-ID mode bits when a file is modified; +.IP * set the set-group-ID bit for a file whose GID does not match the filesystem or any of the supplementary GIDs of the calling process. +.RE +.PD .TP .B CAP_IPC_LOCK .\" FIXME . As at Linux 3.2, there are some strange uses of this capability @@ -249,10 +255,17 @@ bind to any address for transparent proxying. .\" Also various IP options and setsockopt(SO_BINDTODEVICE) .TP .B CAP_SETGID +.RS +.PD 0 +.IP * 2 Make arbitrary manipulations of process GIDs and supplementary GID list; +.IP * forge GID when passing socket credentials via UNIX domain sockets; +.IP * write a group ID mapping in a user namespace (see .BR user_namespaces (7)). +.PD +.RE .TP .BR CAP_SETFCAP " (since Linux 2.6.24)" Set file capabilities. @@ -279,14 +292,21 @@ make changes to the flags. .TP .B CAP_SETUID +.RS +.PD 0 +.IP * 2 Make arbitrary manipulations of process UIDs .RB ( setuid (2), .BR setreuid (2), .BR setresuid (2), .BR setfsuid (2)); +.IP * forge UID when passing socket credentials via UNIX domain sockets; +.IP * write a user ID mapping in a user namespace (see .BR user_namespaces (7)). +.PD +.RE .\" FIXME CAP_SETUID also an effect in exec(); document this. .TP .B CAP_SYS_ADMIN @@ -432,13 +452,19 @@ Use .BR chroot (2). .TP .B CAP_SYS_MODULE +.RS +.PD 0 +.IP * 2 Load and unload kernel modules (see .BR init_module (2) and .BR delete_module (2)); +.IP * in kernels before 2.6.25: drop capabilities from the system-wide capability bounding set. +.PD +.RE .TP .B CAP_SYS_NICE .PD 0 
@@ -502,7 +528,7 @@ to arbitrary processes; transfer data to or from the memory of arbitrary processes using .BR process_vm_readv (2) and -.BR process_vm_writev (2). +.BR process_vm_writev (2); .IP * inspect processes using .BR kcmp (2). @@ -527,7 +553,7 @@ employ the operation; .IP * open devices for accessing x86 model-specific registers (MSRs, see -.BR msr (4)) +.BR msr (4)); .IP * update .IR /proc/sys/vm/mmap_min_addr ; @@ -606,7 +632,7 @@ override limit when creating POSIX message queues (see .BR mq_overview (7)); .IP * -employ +employ the .BR prctl (2) .B PR_SET_MM operation; |
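Review bot: in the CAP_FSETID hunk (@@ -141,10 +141,16 @@) the macro order differs from the three other lists this patch introduces: here `.PD 0` comes before `.RS` and `.RE` before `.PD`, whereas the CAP_SETGID, CAP_SETUID and CAP_SYS_MODULE hunks open with `.RS` / `.PD 0` and close with `.PD` / `.RE`. Pick one order for all four so later edits copy a single pattern; the `.RS` / `.PD 0` ... `.PD` / `.RE` form used in the other three hunks is the natural choice. While touching this block, the context line "set the set-group-ID bit for a file whose GID does not match the filesystem or any of the supplementary GIDs" reads as if the GID were compared against "the filesystem"; "does not match the filesystem GID or any of the supplementary GIDs" says what is meant.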
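Review bot: in the CAP_SETUID hunk (@@ -279,14 +292,21 @@) the existing `.\" FIXME CAP_SETUID also an effect in exec(); document this.` comment now lands after the closing `.PD` / `.RE`, outside the new list. When that effect is documented it will have to be a further `.IP *` item inside the `.RS` / `.RE` block, so move the FIXME up to sit before `.PD` / `.RE` (next to the other `.IP *` items) so the eventual fix goes in the right place rather than as a stray paragraph after the list.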
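Review bot: the three one-line hunks at @@ -502, @@ -527 and @@ -606 (period to semicolon after `process_vm_writev (2)`, missing semicolon after `msr (4))`, and "employ" to "employ the") are correct list-punctuation and wording fixes, but they are the kind of change the commit message should name; "tfix + wfix" alone does not say which entries were touched, and a one-line summary per hunk (for example "CAP_SYS_PTRACE, CAP_SYS_RAWIO: fix list punctuation") would make the history searchable.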
