author Michael Kerrisk <mtk.manpages@gmail.com> 2017-07-18 22:41:37 +0200
committer Michael Kerrisk <mtk.manpages@gmail.com> 2017-07-18 22:41:37 +0200
commit 0603dda3f2968f9e4526015a993e111d0b9ef70c
tree 2e930d3fc4f7c25b007d301d5d24323a71fb1b7a /man7/capabilities.7
parent f612b4886986bc06c0cef680127a5a23e1025404
capabilities.7: Note semantics for a program that is set-UID-root and has capabilities
Note semantics for a program that is both set-user-ID-root and has file capabilities.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/capabilities.7')
-rw-r--r-- man7/capabilities.7 9
1 files changed, 9 insertions, 0 deletions
diff --git a/man7/capabilities.7 b/man7/capabilities.7
index 3d4e23e51b..4c822a0bba 100644
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@@ -1061,6 +1061,15 @@ except those masked out by the capability bounding set.
.PP
The above steps yield semantics that are the same as those provided by
traditional UNIX systems.
+.\"
+.SS Set-user-ID-root programs that have file capabilities
+Executing a program that is both set-user-ID root and has
+file capabilities will cause the process to gain just the
+capabilities granted by the program
+(i.e., not all capabilities,
+as would occur when executing a set-user-ID-root program
+that does not have any associated file capabilities).
+.\"
.SS Capability bounding set
The capability bounding set is a security mechanism that can be used
to limit the capabilities that can be gained during an
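Review bot: In the new subsection, "gain just the capabilities granted by the program" does not say which capability sets are meant. A reader auditing a binary that is both set-user-ID-root and carries file capabilities needs to know which process sets (permitted, effective) end up holding the file's capabilities, and whether the bounding-set masking mentioned in the context line just above the hunk still applies in this case. Suggest naming the sets explicitly and stating how the result relates to the bounding set. It would also help to say whether the rule depends on the real user ID of the caller, since the added text only describes the file. Minor style point: the paragraph writes "set-user-ID root" in its first line but "set-user-ID-root" in the heading and in the parenthetical; pick one form.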