mirror of https://github.com/mkerrisk/man-pages
capabilities.7: srcfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
6260f4cd27
commit
e574dcd0ac
|
@ -707,23 +707,25 @@ a program that has the corresponding bits set in the file inheritable set.
|
|||
Because inheritable capabilities are not generally preserved across
|
||||
.BR execve (2)
|
||||
when running as a non-root user, applications that wish to run helper
|
||||
programs with elevated capabilities should consider using ambient capabilities,
|
||||
described below.
|
||||
programs with elevated capabilities should consider using
|
||||
ambient capabilities, described below.
|
||||
.TP
|
||||
.IR Effective :
|
||||
This is the set of capabilities used by the kernel to
|
||||
perform permission checks for the thread.
|
||||
.TP
|
||||
.IR Ambient " (since Linux 4.3):"
|
||||
.\" commit 58319057b7847667f0c9585b9de0e8932b0fdb08
|
||||
This is a set of capabilities that are preserved across an
|
||||
.BR execve (2)
|
||||
of a program that does not have file capabilities. The ambient capability
|
||||
set obeys the invariant that no capability can ever be ambient if it is
|
||||
not both permitted and inheritable. Ambient capabilities are
|
||||
preserved in the permitted set and added to the effective
|
||||
set when
|
||||
of a program that does not have file capabilities.
|
||||
The ambient capability set obeys the invariant that no capability
|
||||
can ever be ambient if it is not both permitted and inheritable.
|
||||
Ambient capabilities are preserved in the permitted set and
|
||||
added to the effective set when
|
||||
.BR execve (2)
|
||||
is called. The ambient capability set is modified using
|
||||
is called.
|
||||
The ambient capability set is modified using
|
||||
.BR prctl (2).
|
||||
Executing a program that changes uid or gid due to the setuid or setgid
|
||||
bits or executing a program that has any file capabilities set will clear
|
||||
|
|
Loading…
Reference in New Issue