| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2018-07-01 10:56:24 +0200 |
|---|---|---|
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2018-07-01 11:42:07 +0200 |
| commit | 54254ef33a2f5ebf0c82ee6cc556935ae20aefa4 (patch) | |
| tree | 1d5ae7e767dfba6b150b0839ad2b82a1b10d37b8 /man7 | |
| parent | 737002259ff6e9940b07fcf95e91b141cfad884b (diff) | |
| download | man-pages-54254ef33a2f5ebf0c82ee6cc556935ae20aefa4.tar.gz | |
capabilities.7: srcfix: Removed FIXME

No credential match of file UID and namespace creator UID
is needed to create a v3 security extended attribute.

Verified by experiment using my userns_child_exec.c and
show_creds.c programs (available on http://man7.org/tlpi/code):

    $ sudo setcap cap_setuid,cap_dac_override=pe \
          ./userns_child_exec
    $ ./userns_child_exec -U -r setcap cap_kill=pe show_creds
    $ ./userns_child_exec -U -M '0 1000 10' -G '0 1000 1' \
          -s 1 ./show_creds
    eUID = 1; eGID = 0; capabilities: = cap_kill+ep

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7')
| -rw-r--r-- | man7/capabilities.7 | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/man7/capabilities.7 b/man7/capabilities.7 index 6b24785fb6..a9b3687d02 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -1016,9 +1016,6 @@ meaning that (a) the thread has the capability in its own user namespace; and (b) the UID and GID of the file inode have mappings in the writer's user namespace. -.\" FIXME -.\" Does there also need to be some kind of credential match -.\" between the file and the namespace creator UID? .PP When a .BR VFS_CAP_REVISION_3 |
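Review bot: The three removed `.\" FIXME` lines after condition (b) were the only place the source raised the question of a credential match between the file and the namespace creator UID, and after this change the answer lives only in the commit log. Since the commit message states that no such match is needed to create a v3 security extended attribute, consider recording that next to (b), either as a short sentence in the rendered text or as a `.\"` source comment, so that readers of capabilities.7 who wonder the same thing do not have to find this commit. If the intent is that conditions (a) and (b) are the complete set of requirements, saying so explicitly in that sentence would close the question the FIXME left open.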
