diff options
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2018-05-01 13:11:36 +0200 |
|---|---|---|
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2018-05-01 13:55:37 +0200 |
| commit | ddc1ad3079e6bebdba532521d376eae1341e581a (patch) | |
| tree | 7a65ae2cf1b981d572928ce63cb8f4911e4535c4 /man7 | |
| parent | 7c957134f1cc7d0e01cc2946c1adcd5151b634bc (diff) | |
| download | man-pages-ddc1ad3079e6bebdba532521d376eae1341e581a.tar.gz | |
capabilities.7: Add background details on capability transformations during execve(2)
Add background details on ambient and bounding set when
discussing capability transformations during execve(2).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7')
| -rw-r--r-- | man7/capabilities.7 | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/man7/capabilities.7 b/man7/capabilities.7 index bcb1e0be24..18cf9b1119 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -1080,8 +1080,21 @@ denotes the value of a thread capability set after the denotes a file capability set .RE .PP -A privileged file is one that has capabilities or +Note the following details relating to the above capability +transformation rules: +.IP * 3 +The ambient capability set is present only since Linux 4.3. +When determining the transformation of the ambient set during +.BR execve (2), +a privileged file is one that has capabilities or has the set-user-ID or set-group-ID bit set. +.IP * +Prior to Linux 2.6.25, +the bounding set was a system-wide attribute shared by all threads. +That system-wide value was employed to calculate the new permitted set during +.BR execve (2) +in the same manner as shown above for +.IR P(bounding) . .PP .IR Note : the capability transitions described above may |