.\" other capabilities where the permitted or inheritable bit is set.
.\" 2011-09-07, mtk/Serge hallyn: Add CAP_SYSLOG
.\"
-.TH CAPABILITIES 7 2013-03-11 "Linux" "Linux Programmer's Manual"
+.TH CAPABILITIES 7 2014-04-09 "Linux" "Linux Programmer's Manual"
.SH NAME
capabilities \- overview of Linux capabilities
.SH DESCRIPTION
(DAC is an abbreviation of "discretionary access control".)
.TP
.B CAP_DAC_READ_SEARCH
+.PD 0
+.RS
+.IP * 2
Bypass file read permission checks and
-directory read and execute permission checks.
+directory read and execute permission checks;
+.IP *
+Invoke
+.BR open_by_handle_at (2).
+.RE
+.PD
+
.TP
.B CAP_FOWNER
.PD 0
.RS
.IP * 2
Bypass permission checks on operations that normally
-require the file system UID of the process to match the UID of
+require the filesystem UID of the process to match the UID of
the file (e.g.,
.BR chmod (2),
.BR utime (2)),
Don't clear set-user-ID and set-group-ID permission
bits when a file is modified;
set the set-group-ID bit for a file whose GID does not match
-the file system or any of the supplementary GIDs of the calling process.
+the filesystem or any of the supplementary GIDs of the calling process.
.TP
.B CAP_IPC_LOCK
.\" FIXME As at Linux 3.2, there are some strange uses of this capability
.IP * 2
interface configuration;
.IP *
-administration of IP firewall, masquerading, and accounting
+administration of IP firewall, masquerading, and accounting;
.IP *
modify routing tables;
.IP *
.BR ioctl (2)
operations;
.IP *
-perform various privileged file-system
+perform various privileged filesystem
.BR ioctl (2)
operations;
.IP *
.IR /proc/sys/vm/mmap_min_addr ;
.IP *
map files in
-.IR /proc/pci/bus ;
+.IR /proc/bus/pci ;
.IP *
open
.IR /dev/mem
.PD 0
.RS
.IP * 2
-Use reserved space on ext2 file systems;
+Use reserved space on ext2 filesystems;
.IP *
make
.BR ioctl (2)
.BR prctl (2)
.B PR_SET_MM
operation;
+.IP *
set
.IR /proc/PID/oom_score_adj
to a value lower than the value last set by a process with
The kernel must provide system calls allowing a thread's capability sets to
be changed and retrieved.
.IP 3.
-The file system must support attaching capabilities to an executable file,
+The filesystem must support attaching capabilities to an executable file,
so that a process gains those capabilities when the file is executed.
.PP
Before kernel 2.6.24, only the first two of these requirements are met;
Using
.BR capset (2),
a thread may manipulate its own capability sets (see below).
+.PP
+Since Linux 3.2, the file
+.I /proc/sys/kernel/cap_last_cap
+.\" commit 73efc0394e148d0e15583e13712637831f926720
+exposes the numerical value of the highest capability
+supported by the running kernel;
+this can be used to determine the highest bit
+that may be set in a capability set.
.\"
.SS File capabilities
Since kernel 2.6.24, the kernel supports
.B PR_CAPBSET_READ
operation.
-Removing capabilities from the bounding set is only supported if file
+Removing capabilities from the bounding set is supported only if file
capabilities are compiled into the kernel.
In kernels before Linux 2.6.33,
file capabilities were an optional feature configurable via the
0 and nonzero user IDs,
the kernel makes the following changes to a thread's capability
sets on changes to the thread's real, effective, saved set,
-and file system user IDs (using
+and filesystem user IDs (using
.BR setuid (2),
.BR setresuid (2),
or similar):
If the effective user ID is changed from nonzero to 0,
then the permitted set is copied to the effective set.
.IP 4.
-If the file system user ID is changed from 0 to nonzero (see
-.BR setfsuid (2))
+If the filesystem user ID is changed from 0 to nonzero (see
+.BR setfsuid (2)),
then the following capabilities are cleared from the effective set:
.BR CAP_CHOWN ,
.BR CAP_DAC_OVERRIDE ,
.BR CAP_FOWNER ,
.BR CAP_FSETID ,
.B CAP_LINUX_IMMUTABLE
-(since Linux 2.2.30),
+(since Linux 2.6.30),
.BR CAP_MAC_OVERRIDE ,
and
.B CAP_MKNOD
-(since Linux 2.2.30).
-If the file system UID is changed from nonzero to 0,
+(since Linux 2.6.30).
+If the filesystem UID is changed from nonzero to 0,
then any of these capabilities that are enabled in the permitted set
are enabled in the effective set.
.PP
the new inheritable set must be a subset of the combination
of the existing inheritable and permitted sets.
.IP 2.
-(Since kernel 2.6.25)
+(Since Linux 2.6.25)
The new inheritable set must be a subset of the combination of the
existing inheritable set and the capability bounding set.
.IP 3.
.TP
.B SECBIT_NO_SETUID_FIXUP
Setting this flag stops the kernel from adjusting capability sets when
-the threads's effective and file system UIDs are switched between
+the threads's effective and filesystem UIDs are switched between
zero and nonzero values.
(See the subsection
.IR "Effect of User ID Changes on Capabilities" .)
enabled (1) in these sets.
Since Linux 3.8,
.\" 7b9a7ec565505699f503b4fcf61500dceb36e744
-all non-existent capabilities (above
+all nonexistent capabilities (above
.BR CAP_LAST_CAP )
are shown as disabled (0).
set, and that bounding set is inherited by all other processes
created on the system.
.SH SEE ALSO
+.BR capsh (1),
.BR capget (2),
.BR prctl (2),
.BR setfsuid (2),
.PP
.I include/linux/capability.h
in the Linux kernel source tree
+.SH COLOPHON
+This page is part of release 3.65 of the Linux
+.I man-pages
+project.
+A description of the project,
+and information about reporting bugs,
+can be found at
+\%http://www.kernel.org/doc/man\-pages/.