mirror of https://github.com/mkerrisk/man-pages
capabilities.7: Reorder text on capability bounding set
Reverse order of text blocks describing pre- and post-2.6.25 bounding set. No content changes.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent 2e87ced3b5
commit bb1f24fab8
@ -1224,36 +1224,6 @@ by executing a file that has the capability in its inheritable set.
|
||||||
Depending on the kernel version, the capability bounding set is either
|
Depending on the kernel version, the capability bounding set is either
|
||||||
a system-wide attribute, or a per-process attribute.
|
a system-wide attribute, or a per-process attribute.
|
||||||
.PP
|
.PP
|
||||||
.B "Capability bounding set prior to Linux 2.6.25"
|
|
||||||
.PP
|
|
||||||
In kernels before 2.6.25, the capability bounding set is a system-wide
|
|
||||||
attribute that affects all threads on the system.
|
|
||||||
The bounding set is accessible via the file
|
|
||||||
.IR /proc/sys/kernel/cap-bound .
|
|
||||||
(Confusingly, this bit mask parameter is expressed as a
|
|
||||||
signed decimal number in
|
|
||||||
.IR /proc/sys/kernel/cap-bound .)
|
|
||||||
.PP
|
|
||||||
Only the
|
|
||||||
.B init
|
|
||||||
process may set capabilities in the capability bounding set;
|
|
||||||
other than that, the superuser (more precisely: a process with the
|
|
||||||
.B CAP_SYS_MODULE
|
|
||||||
capability) may only clear capabilities from this set.
|
|
||||||
.PP
|
|
||||||
On a standard system the capability bounding set always masks out the
|
|
||||||
.B CAP_SETPCAP
|
|
||||||
capability.
|
|
||||||
To remove this restriction (dangerous!), modify the definition of
|
|
||||||
.B CAP_INIT_EFF_SET
|
|
||||||
in
|
|
||||||
.I include/linux/capability.h
|
|
||||||
and rebuild the kernel.
|
|
||||||
.PP
|
|
||||||
The system-wide capability bounding set feature was added
|
|
||||||
to Linux starting with kernel version 2.2.11.
|
|
||||||
.\"
|
|
||||||
.PP
|
|
||||||
.B "Capability bounding set from Linux 2.6.25 onward"
|
.B "Capability bounding set from Linux 2.6.25 onward"
|
||||||
.PP
|
.PP
|
||||||
From Linux 2.6.25, the
|
From Linux 2.6.25, the
|
||||||
|
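Review bot: the introductory sentence kept at the top of this hunk still lists the two variants in the old order ("either a system-wide attribute, or a per-process attribute"), while the sections that follow it now begin with the per-process (Linux 2.6.25 onward) variant; consider swapping the clause to "either a per-process attribute, or a system-wide attribute" so the summary matches the new section order. The removed span (36 lines down to 6 in the hunk header) is otherwise a verbatim cut of the pre-2.6.25 block, consistent with the "No content changes" statement in the commit message.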
@ -1303,6 +1273,36 @@ Removing a capability from the bounding set does not remove it
|
||||||
from the thread's inheritable set.
|
from the thread's inheritable set.
|
||||||
However it does prevent the capability from being added
|
However it does prevent the capability from being added
|
||||||
back into the thread's inheritable set in the future.
|
back into the thread's inheritable set in the future.
|
||||||
|
.PP
|
||||||
|
.B "Capability bounding set prior to Linux 2.6.25"
|
||||||
|
.PP
|
||||||
|
In kernels before 2.6.25, the capability bounding set is a system-wide
|
||||||
|
attribute that affects all threads on the system.
|
||||||
|
The bounding set is accessible via the file
|
||||||
|
.IR /proc/sys/kernel/cap-bound .
|
||||||
|
(Confusingly, this bit mask parameter is expressed as a
|
||||||
|
signed decimal number in
|
||||||
|
.IR /proc/sys/kernel/cap-bound .)
|
||||||
|
.PP
|
||||||
|
Only the
|
||||||
|
.B init
|
||||||
|
process may set capabilities in the capability bounding set;
|
||||||
|
other than that, the superuser (more precisely: a process with the
|
||||||
|
.B CAP_SYS_MODULE
|
||||||
|
capability) may only clear capabilities from this set.
|
||||||
|
.PP
|
||||||
|
On a standard system the capability bounding set always masks out the
|
||||||
|
.B CAP_SETPCAP
|
||||||
|
capability.
|
||||||
|
To remove this restriction (dangerous!), modify the definition of
|
||||||
|
.B CAP_INIT_EFF_SET
|
||||||
|
in
|
||||||
|
.I include/linux/capability.h
|
||||||
|
and rebuild the kernel.
|
||||||
|
.PP
|
||||||
|
The system-wide capability bounding set feature was added
|
||||||
|
to Linux starting with kernel version 2.2.11.
|
||||||
|
.\"
|
||||||
.\"
|
.\"
|
||||||
.\"
|
.\"
|
||||||
.SS Effect of user ID changes on capabilities
|
.SS Effect of user ID changes on capabilities
|
||||||
|
|
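Review bot: the moved block ends with an empty `.\"` comment line and is now inserted directly above the two empty `.\"` lines that already precede `.SS Effect of user ID changes on capabilities`, leaving three consecutive blank comment lines; drop the trailing `.\"` of the moved block (or one of the existing pair) so the section separator stays a single pair as elsewhere in the file. The 30 inserted lines match the 30 lines removed in the first hunk line for line, so the "No content changes" claim in the commit message holds.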