capabilities.7: Fix some imprecisions in discussion of namespaced file capabilities

The file UID does not come into play when creating a v3
security.capability extended attribute.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2018-07-01 11:40:26 +02:00
parent 9b2c207a33
commit 00ae99b028
1 changed files with 5 additions and 9 deletions


@ -1532,17 +1532,13 @@ Namespaced file capabilities are recorded as version 3 (i.e.,
.BR VFS_CAP_REVISION_3 ) .BR VFS_CAP_REVISION_3 )
.I security.capability .I security.capability
extended attributes. extended attributes.
Such an attribute is automatically created when a process that resides Such an attribute is automatically created in the circumstances described
in a noninitial user namespace associates above under "File capability extended attribute versioning".
.RB ( setxattr (2)) When a version 3
file capabilities with a file whose user ID matches .I security.capability
the user ID of the creator of the namespace. extended attribute is created,
In this case,
the kernel records not just the capability masks in the extended attribute, the kernel records not just the capability masks in the extended attribute,
but also the namespace root user ID. but also the namespace root user ID.
For further details, see
.IR "File capability mask versioning" ,
above.
.PP .PP
As with a binary that has As with a binary that has
.BR VFS_CAP_REVISION_2 .BR VFS_CAP_REVISION_2
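Review bot: the new cross-reference in this hunk is written as a plain double-quoted string, "File capability extended attribute versioning", while the text it replaces pointed at the section with the italic macro form `.IR "File capability mask versioning" ,`; two things to check before merging. First, confirm that the quoted title matches the actual subsection heading above character for character, since the old and new text name that section differently ("mask versioning" versus "extended attribute versioning") and a mismatch leaves a dangling pointer in the rendered page. Second, for consistency with how the page otherwise renders cross-references, consider keeping the macro form, e.g. `.IR "File capability extended attribute versioning" ,` on its own line, rather than embedding straight quotes in running text.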