capabilities.7: srcfix: Removed FIXME

No credential match of file UID and namespace creator UID
is needed to create a v3 security extended attribute.

Verified by experiment using my userns_child_exec.c and
show_creds.c programs (available on http://man7.org/tlpi/code):

    $ sudo setcap cap_setuid,cap_dac_override=pe \
            ./userns_child_exec
    $ ./userns_child_exec -U -r setcap cap_kill=pe show_creds
    $ ./userns_child_exec -U -M '0 1000 10' -G '0 1000 1' \
            -s 1 ./show_creds
    eUID = 1;  eGID = 0;  capabilities: = cap_kill+ep

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2018-07-01 10:56:24 +02:00
parent 737002259f
commit 54254ef33a
1 changed files with 0 additions and 3 deletions

@ -1016,9 +1016,6 @@ meaning that (a) the thread has the
capability in its own user namespace;
and (b) the UID and GID of the file inode have mappings in
the writer's user namespace.
.\" FIXME
.\" Does there also need to be some kind of credential match
.\" between the file and the namespace creator UID?
.PP
When a
.BR VFS_CAP_REVISION_3
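
Review bot: the three comment lines dropped after "the writer's user namespace." asked whether a credential match between the file and the namespace creator UID is required, and the answer now lives only in the commit message. Consider leaving a one-line source comment at that spot recording that no such match is needed, or saying so in the rendered text after condition (b), so that capabilities.7 itself carries the conclusion. The experiment in the commit message covers a single mapping ('0 1000 10' with -s 1); if that is the basis for the claim, a brief pointer to it in the comment would help whoever revisits this paragraph.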