Hi Yubin,

On 11 October 2017 at 03:53, Yubin Ruan <ablacktshirt@xxxxxxxxx> wrote:
> Thanks Michael,
>
> 2017-10-11 0:58 GMT+08:00 Michael Kerrisk (man-pages) <mtk.manpages@xxxxxxxxx>:
>> Hello Yubin,
>>
>> On 10 October 2017 at 15:48, Yubin Ruan <ablacktshirt@xxxxxxxxx> wrote:
>>> Hi,
>>> In ld.so(8), when explaining whether a process is in the so-called
>>> "secure execution mode", there are three circumstances:
>>>
>>> * The process's real and effective user IDs differ, or the real and
>>>   effective group IDs differ. This typically occurs as a result of
>>>   executing a set-user-ID or set-group-ID program.
>>>
>>> * A process with a non-root user ID executed a binary that conferred
>>>   permitted or effective capabilities.
>>>
>>> * A nonzero value may have been set by a Linux Security Module.
>>>
>>> I am confused with the second circumstance. What does it mean by
>>> "confer permitted or effective capabilities"?
>>
>> Maybe this is a language issue. Does it make more sense as:
>>
>> " A process with a non-root user ID executed a binary that conferred
>> capabilities to the process's permitted or effective capability set."
>
> Yes this makes more sense. But I am still confused with why this is. I
> mean, "a binary that conferred capabilities to the process's permitted
> or effective capability set", is a very very normal scenario. What
> does it really mean by "the process's permitted or effective
> capability set". For me, that is just _any_ capability set, which is
> not that rational...

Agreed. I simplified the sentence to say just:

* A process with a non-root user ID executed a binary that conferred
  capabilities to the process.

Cheers,

Michael

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
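
An added example, not part of this thread or of the man-pages project: the kernel reports secure-execution mode to ld.so through the AT_SECURE entry of the auxiliary vector, which a process can read with getauxval(3). The sketch below reads it and then guesses which of the three listed circumstances explains a nonzero value; the function names, the R_* flags and the sample status text in the test are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

enum { R_IDS = 1, R_CAPS = 2, R_OTHER = 4 };   /* this example's own flag names */

/* Read a hex mask such as "CapPrm:\t0000000000003000" from /proc/<pid>/status text. */
unsigned long long cap_mask(const char *status, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = status; p != NULL && *p != '\0'; ) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':')
            return strtoull(p + klen + 1, NULL, 16);
        p = strchr(p, '\n');
        if (p != NULL) p++;
    }
    return 0;                            /* key not present */
}

/* AT_SECURE is authoritative; the ID and capability checks are a heuristic for
   which circumstance explains it, since both can change after execve(). */
int secure_reasons(unsigned long at_secure, uid_t ruid, uid_t euid,
                   gid_t rgid, gid_t egid, unsigned long long caps)
{
    int r = 0;
    if (at_secure == 0) return 0;        /* not in secure-execution mode */
    if (ruid != euid || rgid != egid) r |= R_IDS;
    if (ruid != 0 && caps != 0) r |= R_CAPS;
    return r != 0 ? r : R_OTHER;         /* e.g. a value set by an LSM */
}

int main(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f != NULL) {
        buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
        fclose(f);
    }
    unsigned long long caps = cap_mask(buf, "CapPrm") | cap_mask(buf, "CapEff");
    int r = secure_reasons(getauxval(AT_SECURE), getuid(), geteuid(),
                           getgid(), getegid(), caps);
    printf("AT_SECURE=%lu reasons=0x%x\n", getauxval(AT_SECURE), (unsigned)r);
    return 0;
}
```

Run from an ordinary shell it should report AT_SECURE=0; a copy that is set-user-ID, or that carries file capabilities and is run by a non-root user, should report a nonzero value.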