From ab8aa2e422df47dfd42caf83963452ee745f3bf6 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Thu, 4 May 2017 19:38:50 +0200 Subject: [PATCH] capabilities.7: Clarify the effect on process capabilities when UID 0 does execve(2) Signed-off-by: Michael Kerrisk --- man7/capabilities.7 | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/man7/capabilities.7 b/man7/capabilities.7 index c700086e8..de7acffaa 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 
@@ -1032,26 +1032,34 @@ using capability sets, during an .BR execve (2): .IP 1. 3 If a set-user-ID-root program is being executed, -or the real user ID of the process is 0 (root) +or the real or effective user ID of the process is 0 (root) then the file inheritable and permitted sets are defined to be all ones (i.e., all capabilities enabled). .IP 2. If a set-user-ID-root program is being executed, +or the effective user ID of the process is 0 (root) then the file effective bit is defined to be one (enabled). .PP The upshot of the above rules, combined with the capabilities transformations described above, -is that when a process +is as follows: +.IP * 3 +When a process .BR execve (2)s a set-user-ID-root program, or when a process with an effective UID of 0 .BR execve (2)s a program, it gains all capabilities in its permitted and effective capability sets, except those masked out by the capability bounding set. -.\" If a process with real UID 0, and nonzero effective UID does an -.\" exec(), then it gets all capabilities in its -.\" permitted set, and no effective capabilities -This provides semantics that are the same as those provided by +.IP * +When a process with a real UID of 0 +.BR execve (2)s +a program, +it gains all capabilities in its permitted capability set, +.\" but no effective capabilities +except those masked out by the capability bounding set. +.PP +The above steps yield semantics that are the same as those provided by traditional UNIX systems. .SS Capability bounding set The capability bounding set is a security mechanism that can be used
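Review bot: In the second `.IP *` item of the hunk, the fact that a real-UID-0 process with a nonzero effective UID gains no effective capabilities survives only as a troff comment (`.\" but no effective capabilities`), so the rendered page will say "it gains all capabilities in its permitted capability set, except those masked out by the capability bounding set" and leave the reader to infer from the omission that the effective set is untouched. Since the distinction between the two bullets is exactly the effective set, consider stating it in rendered text, e.g. "it gains all capabilities in its permitted capability set (but not in its effective set), except those masked out by the capability bounding set." As written, the comment line also sits between "permitted capability set," and "except those masked out", which splits one sentence across a comment and is easy to misread when the source is edited later.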