mirror of https://github.com/mkerrisk/man-pages
capabilities.7: Reorder text on capability bounding set
Reverse order of text blocks describing pre- and post-2.6.25 bounding set.
No content changes.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 2e87ced3b5
commit bb1f24fab8
@ -1224,36 +1224,6 @@ by executing a file that has the capability in its inheritable set.
Depending on the kernel version, the capability bounding set is either
a system-wide attribute, or a per-process attribute.
.PP
.B "Capability bounding set prior to Linux 2.6.25"
.PP
In kernels before 2.6.25, the capability bounding set is a system-wide
attribute that affects all threads on the system.
The bounding set is accessible via the file
.IR /proc/sys/kernel/cap-bound .
(Confusingly, this bit mask parameter is expressed as a
signed decimal number in
.IR /proc/sys/kernel/cap-bound .)
.PP
Only the
.B init
process may set capabilities in the capability bounding set;
other than that, the superuser (more precisely: a process with the
.B CAP_SYS_MODULE
capability) may only clear capabilities from this set.
.PP
On a standard system the capability bounding set always masks out the
.B CAP_SETPCAP
capability.
To remove this restriction (dangerous!), modify the definition of
.B CAP_INIT_EFF_SET
in
.I include/linux/capability.h
and rebuild the kernel.
.PP
The system-wide capability bounding set feature was added
to Linux starting with kernel version 2.2.11.
.\"
.PP
.B "Capability bounding set from Linux 2.6.25 onward"
.PP
From Linux 2.6.25, the
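Review bot: the lead-in that stays as context at the top of this hunk ("Depending on the kernel version, the capability bounding set is either / a system-wide attribute, or a per-process attribute.") still names the two cases in the old order, system-wide first, but after this hunk the 2.6.25-onward (per-process) subsection is the one that immediately follows it; consider swapping the phrases to "either a per-process attribute, or a system-wide attribute" so the introduction reads in the same order as the subsections below it. The thirty removed lines, from `.B "Capability bounding set prior to Linux 2.6.25"` down to the trailing `.\"` and the `.PP` that preceded the heading, are identical to the block re-added in the next hunk, which matches the "No content changes" claim in the commit message.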
@ -1303,6 +1273,36 @@ Removing a capability from the bounding set does not remove it
from the thread's inheritable set.
However it does prevent the capability from being added
back into the thread's inheritable set in the future.
.PP
.B "Capability bounding set prior to Linux 2.6.25"
.PP
In kernels before 2.6.25, the capability bounding set is a system-wide
attribute that affects all threads on the system.
The bounding set is accessible via the file
.IR /proc/sys/kernel/cap-bound .
(Confusingly, this bit mask parameter is expressed as a
signed decimal number in
.IR /proc/sys/kernel/cap-bound .)
.PP
Only the
.B init
process may set capabilities in the capability bounding set;
other than that, the superuser (more precisely: a process with the
.B CAP_SYS_MODULE
capability) may only clear capabilities from this set.
.PP
On a standard system the capability bounding set always masks out the
.B CAP_SETPCAP
capability.
To remove this restriction (dangerous!), modify the definition of
.B CAP_INIT_EFF_SET
in
.I include/linux/capability.h
and rebuild the kernel.
.PP
The system-wide capability bounding set feature was added
to Linux starting with kernel version 2.2.11.
.\"
.\"
.\"
.SS Effect of user ID changes on capabilities
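Review bot: the moved block ends with a bare `.\"` comment line, and it now lands directly in front of the two `.\"` lines that were already in the context here, leaving three consecutive empty comment lines before `.SS Effect of user ID changes on capabilities`; drop the one carried over with the block so the spacing before the `.SS` matches what was there before the move. Two small wording points in the text being relocated would be cheap to pick up at the same time, or in a follow-up since the commit message promises no content changes: the parenthetical "(Confusingly, this bit mask parameter is expressed as a / signed decimal number in / .IR /proc/sys/kernel/cap-bound .)" repeats the file name from the sentence immediately before it and could say "in that file", and the retained context line "However it does prevent the capability from being added" wants a comma after "However".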