.\" other capabilities where the permitted or inheritable bit is set.
.\" 2011-09-07, mtk/Serge hallyn: Add CAP_SYSLOG
.\"
-.TH CAPABILITIES 7 2013-04-17 "Linux" "Linux Programmer's Manual"
+.TH CAPABILITIES 7 2014-04-09 "Linux" "Linux Programmer's Manual"
.SH NAME
capabilities \- overview of Linux capabilities
.SH DESCRIPTION
(DAC is an abbreviation of "discretionary access control".)
.TP
.B CAP_DAC_READ_SEARCH
+.PD 0
+.RS
+.IP * 2
Bypass file read permission checks and
-directory read and execute permission checks.
+directory read and execute permission checks;
+.IP *
+Invoke
+.BR open_by_handle_at (2).
+.RE
+.PD
+
.TP
.B CAP_FOWNER
.PD 0
.RS
.IP * 2
Bypass permission checks on operations that normally
-require the file system UID of the process to match the UID of
+require the filesystem UID of the process to match the UID of
the file (e.g.,
.BR chmod (2),
.BR utime (2)),
Don't clear set-user-ID and set-group-ID permission
bits when a file is modified;
set the set-group-ID bit for a file whose GID does not match
-the file system or any of the supplementary GIDs of the calling process.
+the filesystem or any of the supplementary GIDs of the calling process.
.TP
.B CAP_IPC_LOCK
.\" FIXME As at Linux 3.2, there are some strange uses of this capability
.BR ioctl (2)
operations;
.IP *
-perform various privileged file-system
+perform various privileged filesystem
.BR ioctl (2)
operations;
.IP *
.PD 0
.RS
.IP * 2
-Use reserved space on ext2 file systems;
+Use reserved space on ext2 filesystems;
.IP *
make
.BR ioctl (2)
The kernel must provide system calls allowing a thread's capability sets to
be changed and retrieved.
.IP 3.
-The file system must support attaching capabilities to an executable file,
+The filesystem must support attaching capabilities to an executable file,
so that a process gains those capabilities when the file is executed.
.PP
Before kernel 2.6.24, only the first two of these requirements are met;
0 and nonzero user IDs,
the kernel makes the following changes to a thread's capability
sets on changes to the thread's real, effective, saved set,
-and file system user IDs (using
+and filesystem user IDs (using
.BR setuid (2),
.BR setresuid (2),
or similar):
If the effective user ID is changed from nonzero to 0,
then the permitted set is copied to the effective set.
.IP 4.
-If the file system user ID is changed from 0 to nonzero (see
-.BR setfsuid (2))
+If the filesystem user ID is changed from 0 to nonzero (see
+.BR setfsuid (2)),
then the following capabilities are cleared from the effective set:
.BR CAP_CHOWN ,
.BR CAP_DAC_OVERRIDE ,
.BR CAP_FOWNER ,
.BR CAP_FSETID ,
.B CAP_LINUX_IMMUTABLE
-(since Linux 2.2.30),
+(since Linux 2.6.30),
.BR CAP_MAC_OVERRIDE ,
and
.B CAP_MKNOD
-(since Linux 2.2.30).
-If the file system UID is changed from nonzero to 0,
+(since Linux 2.6.30).
+If the filesystem UID is changed from nonzero to 0,
then any of these capabilities that are enabled in the permitted set
are enabled in the effective set.
.PP
.TP
.B SECBIT_NO_SETUID_FIXUP
Setting this flag stops the kernel from adjusting capability sets when
-the threads's effective and file system UIDs are switched between
+the threads's effective and filesystem UIDs are switched between
zero and nonzero values.
(See the subsection
.IR "Effect of User ID Changes on Capabilities" .)
enabled (1) in these sets.
Since Linux 3.8,
.\" 7b9a7ec565505699f503b4fcf61500dceb36e744
-all non-existent capabilities (above
+all nonexistent capabilities (above
.BR CAP_LAST_CAP )
are shown as disabled (0).
set, and that bounding set is inherited by all other processes
created on the system.
.SH SEE ALSO
+.BR capsh (1),
.BR capget (2),
.BR prctl (2),
.BR setfsuid (2),
.PP
.I include/linux/capability.h
in the Linux kernel source tree
+.SH COLOPHON
+This page is part of release 3.65 of the Linux
+.I man-pages
+project.
+A description of the project,
+and information about reporting bugs,
+can be found at
+\%http://www.kernel.org/doc/man\-pages/.