The kernel imposes various restrictions on the changes that can be made to the inheritable, ambient, and bounding sets. Warn the user about that. Signed-off-by: Michael Kerrisk (man-pages) <mtk.manpages@xxxxxxxxx> --- sys-utils/setpriv.1 | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1 index 3794a917e..42d1a2fb9 100644 --- a/sys-utils/setpriv.1 +++ b/sys-utils/setpriv.1 @@ -65,6 +65,22 @@ the current ambient set for and the current bounding set for .BR \-\-bounding\-set . .IP +Note the following restrictions (detailed in +.BR capabilities (7)) +regarding modifications to these capability sets: +.RS +.IP * 2 +A capability can be added to the inheritable set only if it is +currently present in the bounding set. +.IP * +A capability can be added to the ambient set only if it is currently +present in both the permitted and inheritable sets. +.IP * +Notwithstanding the syntax offered by +.BR setpriv , +the kernel does not permit capabilities to be added to the bounding set. +.RE +.IP If you drop a capability from the bounding set without also dropping it from the inheritable set, you are likely to become confused. Do not do that. .TP -- 2.26.2
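Review bot: the first bullet understates the inheritable-set rule; the kernel's capset check also requires that the capability already be in the permitted set unless the thread has CAP_SETPCAP, so "only if it is currently present in the bounding set" describes a necessary but not sufficient condition. Suggest wording it as "only if it is currently present in the bounding set and (unless the thread has CAP_SETPCAP) in the permitted set", which keeps the list consistent with the fuller description in capabilities(7) that the new text points readers to. The ambient-set and bounding-set bullets match the kernel's behaviour as stated, and the .RS/.IP/.RE block is well-formed within the surrounding .IP paragraph.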