mirror of https://github.com/mkerrisk/man-pages
capabilities.7: Fix some imprecisions in discussion of namespaced file capabilities
The file UID does not come into play when creating a v3 security.capability extended attribute.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 9b2c207a33
commit 00ae99b028
@ -1532,17 +1532,13 @@ Namespaced file capabilities are recorded as version 3 (i.e.,
|
||||||
.BR VFS_CAP_REVISION_3 )
|
.BR VFS_CAP_REVISION_3 )
|
||||||
.I security.capability
|
.I security.capability
|
||||||
extended attributes.
|
extended attributes.
|
||||||
Such an attribute is automatically created when a process that resides
|
Such an attribute is automatically created in the circumstances described
|
||||||
in a noninitial user namespace associates
|
above under "File capability extended attribute versioning".
|
||||||
.RB ( setxattr (2))
|
When a version 3
|
||||||
file capabilities with a file whose user ID matches
|
.I security.capability
|
||||||
the user ID of the creator of the namespace.
|
extended attribute is created,
|
||||||
In this case,
|
|
||||||
the kernel records not just the capability masks in the extended attribute,
|
the kernel records not just the capability masks in the extended attribute,
|
||||||
but also the namespace root user ID.
|
but also the namespace root user ID.
|
||||||
For further details, see
|
|
||||||
.IR "File capability mask versioning" ,
|
|
||||||
above.
|
|
||||||
.PP
|
.PP
|
||||||
As with a binary that has
|
As with a binary that has
|
||||||
.BR VFS_CAP_REVISION_2
|
.BR VFS_CAP_REVISION_2
|
||||||
|
|
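Review bot: the new cross-reference on the right-hand side, "above under 'File capability extended attribute versioning'", replaces the old `.IR "File capability mask versioning"` reference on the left-hand side; since both names appear in this hunk, confirm that the subsection heading earlier in capabilities.7 really is titled "File capability extended attribute versioning" and that the old title occurs nowhere else in the file, otherwise the reference is left dangling. Two smaller points on the same lines: the old reference carried `.IR` italic markup and the new one is plain quoted text, so consider keeping the `.IR` markup for consistency with the rest of the page; and the retained sentence "the kernel records not just the capability masks in the extended attribute, but also the namespace root user ID" still does not say in which user namespace that ID is expressed (the namespace's root as seen from the initial user namespace, or from the namespace itself), which is exactly the detail a reader inspecting a version 3 security.capability attribute with getxattr(2) will need.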