mirror of https://github.com/mkerrisk/man-pages
capabilities.7: Fix some imprecisions in discussion of namespaced file capabilities
The file UID does not come into play when creating a v3 security.capability extended attribute. Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 9b2c207a33
commit 00ae99b028
@ -1532,17 +1532,13 @@ Namespaced file capabilities are recorded as version 3 (i.e.,
.BR VFS_CAP_REVISION_3 )
.I security.capability
extended attributes.
Such an attribute is automatically created when a process that resides
in a noninitial user namespace associates
.RB ( setxattr (2))
file capabilities with a file whose user ID matches
the user ID of the creator of the namespace.
In this case,
Such an attribute is automatically created in the circumstances described
above under "File capability extended attribute versioning".
When a version 3
.I security.capability
extended attribute is created,
the kernel records not just the capability masks in the extended attribute,
but also the namespace root user ID.
For further details, see
.IR "File capability mask versioning" ,
above.
.PP
As with a binary that has
.BR VFS_CAP_REVISION_2
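Review bot: the two cross-references in this hunk name the target section differently: the new line points the reader "above under "File capability extended attribute versioning"", while the reference being removed called it "File capability mask versioning". Only one of these can match the actual subsection heading in capabilities.7; confirm the new wording is the heading as written, otherwise the "above" pointer leads nowhere. Style point on the same line: the removed reference set the section title in italics via the page's macro (`.IR "File capability mask versioning" ,`), whereas the replacement puts it in ASCII double quotes inside running text; keeping the `.IR` form for the new title would stay consistent with the rest of the page.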