capabilities.7: Clarify the effect on process capabilities when UID 0 does execve(2)

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man7/capabilities.7

@@ -1032,26 +1032,34 @@ using capability sets, during an
 .BR execve (2):
 .IP 1. 3
 If a set-user-ID-root program is being executed,
-or the real user ID of the process is 0 (root)
+or the real or effective user ID of the process is 0 (root)
 then the file inheritable and permitted sets are defined to be all ones
 (i.e., all capabilities enabled).
 .IP 2.
 If a set-user-ID-root program is being executed,
+or the effective user ID of the process is 0 (root)
 then the file effective bit is defined to be one (enabled).
 .PP
 The upshot of the above rules,
 combined with the capabilities transformations described above,
-is that when a process
+is as follows:
+.IP * 3
+When a process
 .BR execve (2)s
 a set-user-ID-root program, or when a process with an effective UID of 0
 .BR execve (2)s
 a program,
 it gains all capabilities in its permitted and effective capability sets,
 except those masked out by the capability bounding set.
-.\" If a process with real UID 0, and nonzero effective UID does an
-.\" exec(), then it gets all capabilities in its
-.\" permitted set, and no effective capabilities
-This provides semantics that are the same as those provided by
+.IP *
+When a process with a real UID of 0
+.BR execve (2)s
+a program,
+it gains all capabilities in its permitted capability set,
+.\" but no effective capabilities
+except those masked out by the capability bounding set.
+.PP
+The above steps yield semantics that are the same as those provided by
 traditional UNIX systems.
 .SS Capability bounding set
 The capability bounding set is a security mechanism that can be used