From bb1f24fab8b9a561c17675efe281a61ecb589315 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Tue, 1 May 2018 13:00:16 +0200 Subject: [PATCH] capabilities.7: Reorder text on capability bounding set Reverse order of text blocks describing pre- and post-2.6.25 bounding set. No content changes. Signed-off-by: Michael Kerrisk --- man7/capabilities.7 | 60 ++++++++++++++++++++++----------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/man7/capabilities.7 b/man7/capabilities.7 index 547dc226f..beb8f43e1 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -1224,36 +1224,6 @@ by executing a file that has the capability in its inheritable set. Depending on the kernel version, the capability bounding set is either a system-wide attribute, or a per-process attribute. .PP -.B "Capability bounding set prior to Linux 2.6.25" -.PP -In kernels before 2.6.25, the capability bounding set is a system-wide -attribute that affects all threads on the system. -The bounding set is accessible via the file -.IR /proc/sys/kernel/cap-bound . -(Confusingly, this bit mask parameter is expressed as a -signed decimal number in -.IR /proc/sys/kernel/cap-bound .) -.PP -Only the -.B init -process may set capabilities in the capability bounding set; -other than that, the superuser (more precisely: a process with the -.B CAP_SYS_MODULE -capability) may only clear capabilities from this set. -.PP -On a standard system the capability bounding set always masks out the -.B CAP_SETPCAP -capability. -To remove this restriction (dangerous!), modify the definition of -.B CAP_INIT_EFF_SET -in -.I include/linux/capability.h -and rebuild the kernel. -.PP -The system-wide capability bounding set feature was added -to Linux starting with kernel version 2.2.11. -.\" -.PP .B "Capability bounding set from Linux 2.6.25 onward" .PP From Linux 2.6.25, the 
@@ -1303,6 +1273,36 @@ Removing a capability from the bounding set does not remove it from the thread's inheritable set. However it does prevent the capability from being added back into the thread's inheritable set in the future. +.PP +.B "Capability bounding set prior to Linux 2.6.25" +.PP +In kernels before 2.6.25, the capability bounding set is a system-wide +attribute that affects all threads on the system. +The bounding set is accessible via the file +.IR /proc/sys/kernel/cap-bound . +(Confusingly, this bit mask parameter is expressed as a +signed decimal number in +.IR /proc/sys/kernel/cap-bound .) +.PP +Only the +.B init +process may set capabilities in the capability bounding set; +other than that, the superuser (more precisely: a process with the +.B CAP_SYS_MODULE +capability) may only clear capabilities from this set. +.PP +On a standard system the capability bounding set always masks out the +.B CAP_SETPCAP +capability. +To remove this restriction (dangerous!), modify the definition of +.B CAP_INIT_EFF_SET +in +.I include/linux/capability.h +and rebuild the kernel. +.PP +The system-wide capability bounding set feature was added +to Linux starting with kernel version 2.2.11. +.\" .\" .\" .SS Effect of user ID changes on capabilities
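Review bot: In the first hunk (-1224,36), the deletion leaves the lead-in sentence "Depending on the kernel version, the capability bounding set is either a system-wide attribute, or a per-process attribute." immediately followed by the heading "Capability bounding set from Linux 2.6.25 onward", so the sentence now names the two cases in the opposite order from the sections that follow it. Suggest reversing the clauses to match the new layout, e.g. "either a per-process attribute (Linux 2.6.25 and later) or a system-wide attribute (earlier kernels)", so the reader is pointed at the current behaviour first. The 30 removed lines are otherwise reproduced verbatim in the second hunk, consistent with the "No content changes" statement in the commit message.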
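Review bot: In the second hunk (+1273,36), the moved block ends with its own "+.\"" line and is then followed by the two pre-existing ".\"" context lines, so the file now carries three consecutive empty roff comment lines before ".SS Effect of user ID changes on capabilities". They have no effect on rendered output, but since the block is being relocated anyway, suggest dropping the moved "+.\"" (or one of the existing pair) to keep a single separator, as the original position used. The leading "+.PP" is correct here because the preceding context line "inheritable set in the future." is ordinary paragraph text rather than an existing ".PP".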