LDP
/
man-pages
mirror of https://github.com/mkerrisk/man-pages
0
1
Fork 0
Code Releases Activity

capabilities.7: Reorder text on capability bounding set 

Reverse order of text blocks describing pre- and
post-2.6.25 bounding set. No content changes.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Michael Kerrisk 2018-05-01 13:00:16 +02:00
parent 2e87ced3b5
commit bb1f24fab8
1 changed files with 30 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
man7/capabilities.7
View File

@ -1224,36 +1224,6 @@ by executing a file that has the capability in its inheritable set.
Depending on the kernel version, the capability bounding set is either
a system-wide attribute, or a per-process attribute.
.PP
.B "Capability bounding set prior to Linux 2.6.25"
.PP
In kernels before 2.6.25, the capability bounding set is a system-wide
attribute that affects all threads on the system.
The bounding set is accessible via the file
.IR /proc/sys/kernel/cap-bound .
(Confusingly, this bit mask parameter is expressed as a
signed decimal number in
.IR /proc/sys/kernel/cap-bound .)
.PP
Only the
.B init
process may set capabilities in the capability bounding set;
other than that, the superuser (more precisely: a process with the
.B CAP_SYS_MODULE
capability) may only clear capabilities from this set.
.PP
On a standard system the capability bounding set always masks out the
.B CAP_SETPCAP
capability.
To remove this restriction (dangerous!), modify the definition of
.B CAP_INIT_EFF_SET
in
.I include/linux/capability.h
and rebuild the kernel.
.PP
The system-wide capability bounding set feature was added
to Linux starting with kernel version 2.2.11.
.\"
.PP
.B "Capability bounding set from Linux 2.6.25 onward"
.PP
From Linux 2.6.25, the
@ -1303,6 +1273,36 @@ Removing a capability from the bounding set does not remove it
from the thread's inheritable set.
However it does prevent the capability from being added
back into the thread's inheritable set in the future.
.PP
.B "Capability bounding set prior to Linux 2.6.25"
.PP
In kernels before 2.6.25, the capability bounding set is a system-wide
attribute that affects all threads on the system.
The bounding set is accessible via the file
.IR /proc/sys/kernel/cap-bound .
(Confusingly, this bit mask parameter is expressed as a
signed decimal number in
.IR /proc/sys/kernel/cap-bound .)
.PP
Only the
.B init
process may set capabilities in the capability bounding set;
other than that, the superuser (more precisely: a process with the
.B CAP_SYS_MODULE
capability) may only clear capabilities from this set.
.PP
On a standard system the capability bounding set always masks out the
.B CAP_SETPCAP
capability.
To remove this restriction (dangerous!), modify the definition of
.B CAP_INIT_EFF_SET
in
.I include/linux/capability.h
and rebuild the kernel.
.PP
The system-wide capability bounding set feature was added
to Linux starting with kernel version 2.2.11.
.\"
.\"
.\"
.SS Effect of user ID changes on capabilities