Hello Samuel,
On 4/22/19 3:34 PM, Samuel Karp wrote:
Permitted and Effective capability sets describe bounds that the kernel
enforces for the current thread. Bounding, Inheritable, and Ambient
capability sets describe bounds that apply across the execve(2)
boundary.
I think the reordering you propose doesn't really help the reader.
On the one hand, I see the distinction you want to draw, but it
is not so simple (for example, the bounding set limits some process
actions also, in particular, the modifications that can be made to
the inheritable set). And simply reordering the text doesn't really
give the reader much clue about the distinction you have in mind.
Signed-off-by: Samuel Karp <skarp@xxxxxxxxxx>
---
man7/capabilities.7 | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/man7/capabilities.7 b/man7/capabilities.7
index 9f7ee670a..2776b1f8b 100644
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@@ -46,6 +46,8 @@
.\" 2011-09-07, mtk/Serge hallyn: Add CAP_SYSLOG
.\" 2019-04-10, Samuel Karp <skarp@xxxxxxxxxx>
.\" Clarify wording for Inheritable thread capability sets.
+.\" Reorganize thread capability sets to group total bounds and inheritance
+.\" together.
.\"
.TH CAPABILITIES 7 2019-03-06 "Linux" "Linux Programmer's Manual"
.SH NAME
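Review bot: the new changelog comment gives the rationale ("group total bounds and inheritance together"), but no hunk in this patch adds reader-facing text that states that grouping; if the reordering is kept, the list of thread capability sets should open with a sentence saying which sets bound the current thread and which ones apply across the execve(2) boundary, otherwise the reason for the new order is visible only in the source comment.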
@@ -831,20 +833,6 @@ it can never reacquire that capability (unless it
either a set-user-ID-root program, or
a program whose associated file capabilities grant that capability).
.TP
-.IR Inheritable
-This is a set of capabilities preserved across an
-.BR execve (2)
-when running as a root user.
-Inheritable capabilities remain inheritable when executing any program,
-and inheritable capabilities are added to the permitted set when executing
-a program that has the corresponding bits set in the file inheritable set.
-.IP
-Because inheritable capabilities are not generally preserved across
-.BR execve (2)
See my comment on your earlier patch. Inheritable capabilities operate
independently of UID 0.
-when running as a non-root user, applications that wish to run helper
-programs with elevated capabilities should consider using
-ambient capabilities, described below.
-.TP
.IR Effective
This is the set of capabilities used by the kernel to
perform permission checks for the thread.
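Review bot: this hunk deletes the Inheritable entry verbatim, including the "when running as a root user" and "not generally preserved ... when running as a non-root user" qualifiers that the following hunk re-adds unchanged, so a wording defect and a pure move travel in one patch; splitting the UID wording fix (the entry's own sentence ties the transfer into the permitted set to "the corresponding bits set in the file inheritable set", not to the UID) into its own patch before the reorder would let each be reviewed on its own and keep the move diff noise-free.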
@@ -861,6 +849,20 @@ shared by all threads on the system.
.IP
For more details on the capability bounding set, see below.
.TP
+.IR Inheritable
+This is a set of capabilities preserved across an
+.BR execve (2)
+when running as a root user.
No. See above.
+Inheritable capabilities remain inheritable when executing any program,
+and inheritable capabilities are added to the permitted set when executing
+a program that has the corresponding bits set in the file inheritable set.
+.IP
+Because inheritable capabilities are not generally preserved across
+.BR execve (2)
+when running as a non-root user,
This is not correct.
applications that wish to run helper
+programs with elevated capabilities should consider using
+ambient capabilities, described below.
+.TP
.IR Ambient " (since Linux 4.3)"
.\" commit 58319057b7847667f0c9585b9de0e8932b0fdb08
This is a set of capabilities that are preserved across an
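Review bot: the re-added lines still say the inheritable set is "preserved across an execve(2) when running as a root user" and "not generally preserved across execve(2) when running as a non-root user", which contradicts the entry's own next sentence, "inheritable capabilities are added to the permitted set when executing a program that has the corresponding bits set in the file inheritable set", where no UID appears. Suggest dropping both UID qualifiers, e.g. "This is a set of capabilities preserved across an .BR execve (2)." followed directly by the existing sentence about the file inheritable set, and motivating the ambient paragraph by the absence of file inheritable bits rather than by the UID.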
Thanks,
Michael
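The execve(2) transformation the thread argues about, as an added example that is not code from the man-pages patch or from either author: it models the general rules in capabilities(7) for a thread's permitted, effective, inheritable, bounding and ambient sets, going beyond the quoted lines, with the root special case deliberately left out; the capability numbers are the real ones from <linux/capability.h>, and the scenario functions are constructed here. It shows that the inheritable set itself crosses execve(2) unchanged for any UID, and that whether it lands in the permitted set is decided by the file's inheritable bits.

```python
# Added example: a model of the capability-set transformation at execve(2) as described
# in capabilities(7) (general rules only; the root special case is not modelled).
from dataclasses import dataclass
from typing import Optional

CAP_NET_BIND_SERVICE = 1 << 10   # sets are int bitmasks; numbers as in <linux/capability.h>
CAP_NET_RAW = 1 << 13
CAP_SYS_ADMIN = 1 << 21

@dataclass(frozen=True)
class ThreadCaps:
    permitted: int = 0
    inheritable: int = 0
    effective: int = 0
    bounding: int = 0
    ambient: int = 0

@dataclass(frozen=True)
class FileCaps:
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False

def execve_caps(p: ThreadCaps, f: Optional[FileCaps], setuid: bool = False) -> ThreadCaps:
    """Thread sets after execve(2); f is None when the file carries no capabilities."""
    privileged = setuid or f is not None           # "privileged file" per capabilities(7)
    fc = f if f is not None else FileCaps()
    ambient = 0 if privileged else p.ambient       # ambient is cleared for privileged files
    permitted = ((p.inheritable & fc.inheritable)  # thread I & file I: no UID in this rule
                 | (fc.permitted & p.bounding)     # file P, capped by the bounding set
                 | ambient)
    effective = permitted if fc.effective else ambient
    # Inheritable and bounding sets cross execve(2) unchanged.
    return ThreadCaps(permitted, p.inheritable, effective, p.bounding, ambient)

def inheritable_transfer(file_has_inheritable_bit: bool) -> int:
    """Permitted set after exec when the thread's I set holds CAP_NET_BIND_SERVICE."""
    thread = ThreadCaps(inheritable=CAP_NET_BIND_SERVICE, bounding=CAP_NET_BIND_SERVICE)
    f = FileCaps(inheritable=CAP_NET_BIND_SERVICE, effective=True) if file_has_inheritable_bit else None
    return execve_caps(thread, f).permitted

def bounding_caps_file_permitted() -> int:
    """A file granting CAP_SYS_ADMIN cannot exceed a bounding set that lacks it."""
    f = FileCaps(permitted=CAP_SYS_ADMIN | CAP_NET_RAW, effective=True)
    return execve_caps(ThreadCaps(bounding=CAP_NET_RAW), f).permitted

def ambient_into_plain_helper() -> ThreadCaps:
    """Ambient caps survive exec of a no-capability file and land in P and E."""
    t = ThreadCaps(permitted=CAP_NET_RAW, inheritable=CAP_NET_RAW, bounding=CAP_NET_RAW, ambient=CAP_NET_RAW)
    return execve_caps(t, None)
```

Running the three scenario functions side by side reproduces the thread's point: the same thread inheritable set yields a non-empty permitted set only when the executed file has the matching inheritable bit, and ambient capabilities are what carry privilege into a helper that has no file capabilities at all.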