mirror of https://github.com/mkerrisk/man-pages
capabilities.7: Clarify the effect on process capabilities when UID 0 does execve(2)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent e3ed67ed2e
commit ab8aa2e422
|
@ -1032,26 +1032,34 @@ using capability sets, during an
|
|||
.BR execve (2):
|
||||
.IP 1. 3
|
||||
If a set-user-ID-root program is being executed,
|
||||
or the real user ID of the process is 0 (root)
|
||||
or the real or effective user ID of the process is 0 (root)
|
||||
then the file inheritable and permitted sets are defined to be all ones
|
||||
(i.e., all capabilities enabled).
|
||||
.IP 2.
|
||||
If a set-user-ID-root program is being executed,
|
||||
or the effective user ID of the process is 0 (root)
|
||||
then the file effective bit is defined to be one (enabled).
|
||||
.PP
|
||||
The upshot of the above rules,
|
||||
combined with the capabilities transformations described above,
|
||||
is that when a process
|
||||
is as follows:
|
||||
.IP * 3
|
||||
When a process
|
||||
.BR execve (2)s
|
||||
a set-user-ID-root program, or when a process with an effective UID of 0
|
||||
.BR execve (2)s
|
||||
a program,
|
||||
it gains all capabilities in its permitted and effective capability sets,
|
||||
except those masked out by the capability bounding set.
|
||||
.\" If a process with real UID 0, and nonzero effective UID does an
|
||||
.\" exec(), then it gets all capabilities in its
|
||||
.\" permitted set, and no effective capabilities
|
||||
This provides semantics that are the same as those provided by
|
||||
.IP *
|
||||
When a process with a real UID of 0
|
||||
.BR execve (2)s
|
||||
a program,
|
||||
it gains all capabilities in its permitted capability set,
|
||||
.\" but no effective capabilities
|
||||
except those masked out by the capability bounding set.
|
||||
.PP
|
||||
The above steps yield semantics that are the same as those provided by
|
||||
traditional UNIX systems.
|
||||
.SS Capability bounding set
|
||||
The capability bounding set is a security mechanism that can be used
|
||||
|
|
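Review bot: In the second new bullet ("When a process with a real UID of 0 execve(2)s a program, it gains all capabilities in its permitted capability set,"), the statement that the effective set is not filled exists only as the commented-out line `.\" but no effective capabilities`, so the rendered page never says it. The bullet also does not say that the effective UID is nonzero, so as written it overlaps with the first bullet for a process whose real and effective UIDs are both 0. Suggest describing the case as "a real UID of 0 and a nonzero effective UID", as the retained comment above it ("If a process with real UID 0, and nonzero effective UID does an exec()") already does, and either making the effective-set remark visible text or moving the comment out of the middle of the sentence. Readers auditing privileged helpers depend on this distinction, since rule 2 sets the file effective bit only for set-user-ID-root programs or an effective UID of 0.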