diff --git a/man7/capabilities.7 b/man7/capabilities.7 index a65d58093..2a6a0f079 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -1186,25 +1186,34 @@ API. .SS Capabilities and execution of programs by root .\" See cap_bprm_set_creds() and handle_privileged_root() in .\" security/commoncap.c (Linux 5.0 source) -In order to provide an all-powerful -.I root -using capability sets, during an -.BR execve (2): +In order to mirror traditional UNIX semantics, +execution of programs by root (UID 0) +as well as execution of set-user-ID-root programs +result in special treatment of capabilities during an +.BR execve (2). +.PP +When a process with nonzero UIDs executes a binary: .IP 1. 3 -If a set-user-ID-root program is being executed, -or the real or effective user ID of the process is 0 (root) +If the real or effective user ID of the process is 0 (root), then the file inheritable and permitted sets are defined to be all ones (i.e., all capabilities enabled). .IP 2. -If a set-user-ID-root program is being executed, -or the effective user ID of the process is 0 (root) +If the effective user ID of the process is 0 (root) or +the file effective bit is in fact enabled, then the file effective bit is defined to be one (enabled). .PP +If a process with nonzero user IDs executes a set-user-ID-root binary +that does not have attached capabilities, +the file capability sets are considered to be all ones. +(See below for a discussion of what happens +when a process with nonzero UIDs executes a binary +that is both set-user-ID root and has attached file capabilities.) +.PP The upshot of the above rules, combined with the capabilities transformations described above, is as follows: .IP * 3 -When a process +When a process with nonzero UIDs .BR execve (2)s a set-user-ID-root program, or when a process with an effective UID of 0 .BR execve (2)s 
@@ -1218,17 +1227,22 @@ a program, it gains all capabilities in its permitted capability set, .\" but no effective capabilities except those masked out by the capability bounding set. +If, in addition, the file permitted capability bit is on, +the process's new permitted capabilities are also assigned +to its effective set. .PP -The above steps yield semantics that are the same as those provided by -traditional UNIX systems. +The above special treatments of user ID 0 can be disabled using the +securebits mechanism described below. .\" .SS Set-user-ID-root programs that have file capabilities Executing a program that is both set-user-ID root and has -file capabilities will cause the process to gain just the +file capabilities iby a process that has nonzero UIDs +will cause the process to gain just the capabilities granted by the program (i.e., not all capabilities, as would occur when executing a set-user-ID-root program that does not have any associated file capabilities). +.PP Note that one can assign empty capability sets to a program file, and thus it is possible to create a set-user-ID-root program that changes the effective and saved set-user-ID of the process
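Review bot: in the first hunk, the new lead-in "When a process with nonzero UIDs executes a binary:" contradicts the two rules it introduces, both of which test for a UID of 0 (rule 1: "If the real or effective user ID of the process is 0 (root)"; rule 2: "If the effective user ID of the process is 0 (root) or the file effective bit is in fact enabled"). A process whose UIDs are all nonzero satisfies neither condition, so as written the numbered list never applies, and the later paragraph about a nonzero-UID process executing a set-user-ID-root binary is left to do the work on its own. Either make the lead-in neutral ("When a process executes a binary:") or say explicitly that the rules are evaluated after any set-user-ID change to the effective UID has taken place, which is what makes rule 1 cover the set-user-ID-root case. Also in this hunk, "execution of programs by root ... as well as execution of set-user-ID-root programs result in" has a singular subject ("as well as" does not make it plural), so it should be "results in".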