#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: man-pages-l10n VERSION\n"
"POT-Creation-Date: 2014-07-17 17:57+0900\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: TH
#: man-pages/man7/capabilities.7:48
#, no-wrap
msgid "CAPABILITIES"
msgstr ""

#. type: TH
#: man-pages/man7/capabilities.7:48
#, no-wrap
msgid "2014-05-21"
msgstr ""

#. type: TH
#: man-pages/man7/capabilities.7:48
#, no-wrap
msgid "Linux"
msgstr ""

#. type: TH
#: man-pages/man7/capabilities.7:48
#, no-wrap
msgid "Linux Programmer's Manual"
msgstr ""

#. type: SH
#: man-pages/man7/capabilities.7:49
#, no-wrap
msgid "NAME"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:51
msgid "capabilities - overview of Linux capabilities"
msgstr ""

#. type: SH
#: man-pages/man7/capabilities.7:51
#, no-wrap
msgid "DESCRIPTION"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:63
msgid ""
"For the purpose of performing permission checks, traditional UNIX "
"implementations distinguish two categories of processes: I<privileged> "
"processes (whose effective user ID is 0, referred to as superuser or root), "
"and I<unprivileged> processes (whose effective UID is nonzero).  Privileged "
"processes bypass all kernel permission checks, while unprivileged processes "
"are subject to full permission checking based on the process's credentials "
"(usually: effective UID, effective GID, and supplementary group list)."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:70
msgid ""
"Starting with kernel 2.2, Linux divides the privileges traditionally "
"associated with superuser into distinct units, known as I<capabilities>, "
"which can be independently enabled and disabled.  Capabilities are a per-"
"thread attribute."
msgstr ""

#. type: SS
#: man-pages/man7/capabilities.7:70
#, no-wrap
msgid "Capabilities list"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:73
msgid ""
"The following list shows the capabilities implemented on Linux, and the "
"operations or behaviors that each capability permits:"
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:73
#, no-wrap
msgid "B<CAP_AUDIT_CONTROL> (since Linux 2.6.11)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:77
msgid ""
"Enable and disable kernel auditing; change auditing filter rules; retrieve "
"auditing status and filtering rules."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:77
#, no-wrap
msgid "B<CAP_AUDIT_WRITE> (since Linux 2.6.11)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:80
msgid "Write records to kernel auditing log."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:80
#, no-wrap
msgid "B<CAP_BLOCK_SUSPEND> (since Linux 3.5)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:86
msgid ""
"Employ features that can block system suspend (B<epoll>(7)  B<EPOLLWAKEUP>, "
"I</proc/sys/wake_lock>)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:86
#, no-wrap
msgid "B<CAP_CHOWN>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:90
msgid "Make arbitrary changes to file UIDs and GIDs (see B<chown>(2))."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:90
#, no-wrap
msgid "B<CAP_DAC_OVERRIDE>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:94
msgid ""
"Bypass file read, write, and execute permission checks.  (DAC is an "
"abbreviation of \"discretionary access control\".)"
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:94
#, no-wrap
msgid "B<CAP_DAC_READ_SEARCH>"
msgstr ""

#. type: IP
#: man-pages/man7/capabilities.7:98 man-pages/man7/capabilities.7:101 man-pages/man7/capabilities.7:111 man-pages/man7/capabilities.7:121 man-pages/man7/capabilities.7:125 man-pages/man7/capabilities.7:127 man-pages/man7/capabilities.7:129 man-pages/man7/capabilities.7:199 man-pages/man7/capabilities.7:201 man-pages/man7/capabilities.7:203 man-pages/man7/capabilities.7:205 man-pages/man7/capabilities.7:207 man-pages/man7/capabilities.7:209 man-pages/man7/capabilities.7:211 man-pages/man7/capabilities.7:213 man-pages/man7/capabilities.7:215 man-pages/man7/capabilities.7:239 man-pages/man7/capabilities.7:241 man-pages/man7/capabilities.7:287 man-pages/man7/capabilities.7:297 man-pages/man7/capabilities.7:303 man-pages/man7/capabilities.7:308 man-pages/man7/capabilities.7:314 man-pages/man7/capabilities.7:318 man-pages/man7/capabilities.7:325 man-pages/man7/capabilities.7:328 man-pages/man7/capabilities.7:336 man-pages/man7/capabilities.7:338 man-pages/man7/capabilities.7:347 man-pages/man7/capabilities.7:354 man-pages/man7/capabilities.7:357 man-pages/man7/capabilities.7:361 man-pages/man7/capabilities.7:364 man-pages/man7/capabilities.7:367 man-pages/man7/capabilities.7:374 man-pages/man7/capabilities.7:379 man-pages/man7/capabilities.7:385 man-pages/man7/capabilities.7:389 man-pages/man7/capabilities.7:393 man-pages/man7/capabilities.7:397 man-pages/man7/capabilities.7:401 man-pages/man7/capabilities.7:428 man-pages/man7/capabilities.7:433 man-pages/man7/capabilities.7:439 man-pages/man7/capabilities.7:442 man-pages/man7/capabilities.7:445 man-pages/man7/capabilities.7:454 man-pages/man7/capabilities.7:458 man-pages/man7/capabilities.7:475 man-pages/man7/capabilities.7:478 man-pages/man7/capabilities.7:482 man-pages/man7/capabilities.7:487 man-pages/man7/capabilities.7:496 man-pages/man7/capabilities.7:501 man-pages/man7/capabilities.7:504 man-pages/man7/capabilities.7:509 man-pages/man7/capabilities.7:512 man-pages/man7/capabilities.7:515 man-pages/man7/capabilities.7:518 man-pages/man7/capabilities.7:521 man-pages/man7/capabilities.7:526 man-pages/man7/capabilities.7:528 man-pages/man7/capabilities.7:534 man-pages/man7/capabilities.7:542 man-pages/man7/capabilities.7:544 man-pages/man7/capabilities.7:548 man-pages/man7/capabilities.7:550 man-pages/man7/capabilities.7:553 man-pages/man7/capabilities.7:557 man-pages/man7/capabilities.7:559 man-pages/man7/capabilities.7:561 man-pages/man7/capabilities.7:563 man-pages/man7/capabilities.7:572 man-pages/man7/capabilities.7:579 man-pages/man7/capabilities.7:584 man-pages/man7/capabilities.7:589 man-pages/man7/capabilities.7:594 man-pages/man7/capabilities.7:619 man-pages/man7/capabilities.7:626 man-pages/man7/capabilities.7:827 man-pages/man7/capabilities.7:835 man-pages/man7/capabilities.7:1151 man-pages/man7/capabilities.7:1156
#, no-wrap
msgid "*"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:101
msgid ""
"Bypass file read permission checks and directory read and execute permission "
"checks;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:104
msgid "Invoke B<open_by_handle_at>(2)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:107
#, no-wrap
msgid "B<CAP_FOWNER>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:121
msgid ""
"Bypass permission checks on operations that normally require the filesystem "
"UID of the process to match the UID of the file (e.g., B<chmod>(2), "
"B<utime>(2)), excluding those operations covered by B<CAP_DAC_OVERRIDE> and "
"B<CAP_DAC_READ_SEARCH>;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:125
msgid "set extended file attributes (see B<chattr>(1))  on arbitrary files;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:127
msgid "set Access Control Lists (ACLs) on arbitrary files;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:129
msgid "ignore directory sticky bit on file deletion;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:136
msgid ""
"specify B<O_NOATIME> for arbitrary files in B<open>(2)  and B<fcntl>(2)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:138
#, no-wrap
msgid "B<CAP_FSETID>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:144
msgid ""
"Don't clear set-user-ID and set-group-ID permission bits when a file is "
"modified; set the set-group-ID bit for a file whose GID does not match the "
"filesystem or any of the supplementary GIDs of the calling process."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:144
#, no-wrap
msgid "B<CAP_IPC_LOCK>"
msgstr ""

#.  FIXME As at Linux 3.2, there are some strange uses of this capability
#.  in other places; they probably should be replaced with something else.
#. type: Plain text
#: man-pages/man7/capabilities.7:153
msgid "Lock memory (B<mlock>(2), B<mlockall>(2), B<mmap>(2), B<shmctl>(2))."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:153
#, no-wrap
msgid "B<CAP_IPC_OWNER>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:156
msgid "Bypass permission checks for operations on System V IPC objects."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:156
#, no-wrap
msgid "B<CAP_KILL>"
msgstr ""

#.  FIXME CAP_KILL also has an effect for threads + setting child
#.        termination signal to other than SIGCHLD: without this
#.        capability, the termination signal reverts to SIGCHLD
#.        if the child does an exec().  What is the rationale
#.        for this?
#. type: Plain text
#: man-pages/man7/capabilities.7:169
msgid ""
"Bypass permission checks for sending signals (see B<kill>(2)).  This "
"includes use of the B<ioctl>(2)  B<KDSIGACCEPT> operation."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:169
#, no-wrap
msgid "B<CAP_LEASE> (since Linux 2.4)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:173
msgid "Establish leases on arbitrary files (see B<fcntl>(2))."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:173
#, no-wrap
msgid "B<CAP_LINUX_IMMUTABLE>"
msgstr ""

#.  These attributes are now available on ext2, ext3, Reiserfs, XFS, JFS
#. type: Plain text
#: man-pages/man7/capabilities.7:182
msgid ""
"Set the B<FS_APPEND_FL> and B<FS_IMMUTABLE_FL> i-node flags (see "
"B<chattr>(1))."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:182
#, no-wrap
msgid "B<CAP_MAC_ADMIN> (since Linux 2.6.25)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:186
msgid ""
"Override Mandatory Access Control (MAC).  Implemented for the Smack Linux "
"Security Module (LSM)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:186
#, no-wrap
msgid "B<CAP_MAC_OVERRIDE> (since Linux 2.6.25)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:190
msgid ""
"Allow MAC configuration or state changes.  Implemented for the Smack LSM."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:190
#, no-wrap
msgid "B<CAP_MKNOD> (since Linux 2.4)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:194
msgid "Create special files using B<mknod>(2)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:194
#, no-wrap
msgid "B<CAP_NET_ADMIN>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:197
msgid "Perform various network-related operations:"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:201
msgid "interface configuration;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:203
msgid "administration of IP firewall, masquerading, and accounting;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:205
msgid "modify routing tables;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:207
msgid "bind to any address for transparent proxying;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:209
msgid "set type-of-service (TOS)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:211
msgid "clear driver statistics;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:213
msgid "set promiscuous mode;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:215
msgid "enabling multicasting;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:226
msgid ""
"use B<setsockopt>(2)  to set the following socket options: B<SO_DEBUG>, "
"B<SO_MARK>, B<SO_PRIORITY> (for a priority outside the range 0 to 6), "
"B<SO_RCVBUFFORCE>, and B<SO_SNDBUFFORCE>."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:228
#, no-wrap
msgid "B<CAP_NET_BIND_SERVICE>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:232
msgid ""
"Bind a socket to Internet domain privileged ports (port numbers less than "
"1024)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:232
#, no-wrap
msgid "B<CAP_NET_BROADCAST>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:235
msgid "(Unused)  Make socket broadcasts, and listen to multicasts."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:235
#, no-wrap
msgid "B<CAP_NET_RAW>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:241
msgid "use RAW and PACKET sockets;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:243
msgid "bind to any address for transparent proxying."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:246
#, no-wrap
msgid "B<CAP_SETGID>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:250
msgid ""
"Make arbitrary manipulations of process GIDs and supplementary GID list; "
"forge GID when passing socket credentials via UNIX domain sockets."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:250
#, no-wrap
msgid "B<CAP_SETFCAP> (since Linux 2.6.24)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:253
msgid "Set file capabilities."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:253
#, no-wrap
msgid "B<CAP_SETPCAP>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:264
msgid ""
"If file capabilities are not supported: grant or remove any capability in "
"the caller's permitted capability set to or from any other process.  (This "
"property of B<CAP_SETPCAP> is not available when the kernel is configured to "
"support file capabilities, since B<CAP_SETPCAP> has entirely different "
"semantics for such kernels.)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:274
msgid ""
"If file capabilities are supported: add any capability from the calling "
"thread's bounding set to its inheritable set; drop capabilities from the "
"bounding set (via B<prctl>(2)  B<PR_CAPBSET_DROP>); make changes to the "
"I<securebits> flags."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:274
#, no-wrap
msgid "B<CAP_SETUID>"
msgstr ""

#.  FIXME CAP_SETUID also an effect in exec(); document this.
#. type: Plain text
#: man-pages/man7/capabilities.7:283
msgid ""
"Make arbitrary manipulations of process UIDs (B<setuid>(2), B<setreuid>(2), "
"B<setresuid>(2), B<setfsuid>(2)); make forged UID when passing socket "
"credentials via UNIX domain sockets."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:283
#, no-wrap
msgid "B<CAP_SYS_ADMIN>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:297
msgid ""
"Perform a range of system administration operations including: "
"B<quotactl>(2), B<mount>(2), B<umount>(2), B<swapon>(2), B<swapoff>(2), "
"B<sethostname>(2), and B<setdomainname>(2);"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:303
msgid ""
"perform privileged B<syslog>(2)  operations (since Linux 2.6.37, "
"B<CAP_SYSLOG> should be used to permit such operations);"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:308
msgid "perform B<VM86_REQUEST_IRQ> B<vm86>(2)  command;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:314
msgid ""
"perform B<IPC_SET> and B<IPC_RMID> operations on arbitrary System V IPC "
"objects;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:318 man-pages/man7/capabilities.7:557
msgid "override B<RLIMIT_NPROC> resource limit;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:325
msgid ""
"perform operations on I<trusted> and I<security> Extended Attributes (see "
"B<attr>(5));"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:328
msgid "use B<lookup_dcookie>(2);"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:336
msgid ""
"use B<ioprio_set>(2)  to assign B<IOPRIO_CLASS_RT> and (before Linux 2.6.25) "
" B<IOPRIO_CLASS_IDLE> I/O scheduling classes;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:338
msgid "forge UID when passing socket credentials;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:347
msgid ""
"exceed I</proc/sys/fs/file-max>, the system-wide limit on the number of open "
"files, in system calls that open files (e.g., B<accept>(2), B<execve>(2), "
"B<open>(2), B<pipe>(2));"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:354
msgid ""
"employ B<CLONE_*> flags that create new namespaces with B<clone>(2)  and "
"B<unshare>(2);"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:357
msgid "call B<perf_event_open>(2);"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:361
msgid "access privileged I<perf> event information;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:364
msgid "call B<setns>(2);"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:367
msgid "call B<fanotify_init>(2);"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:374
msgid ""
"perform B<KEYCTL_CHOWN> and B<KEYCTL_SETPERM> B<keyctl>(2)  operations;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:379
msgid "perform B<madvise>(2)  B<MADV_HWPOISON> operation;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:385
msgid ""
"employ the B<TIOCSTI> B<ioctl>(2)  to insert characters into the input queue "
"of a terminal other than the caller's controlling terminal;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:389
msgid "employ the obsolete B<nfsservctl>(2)  system call;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:393
msgid "employ the obsolete B<bdflush>(2)  system call;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:397
msgid "perform various privileged block-device B<ioctl>(2)  operations;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:401
msgid "perform various privileged filesystem B<ioctl>(2)  operations;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:403
msgid "perform administrative operations on many device drivers."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:405
#, no-wrap
msgid "B<CAP_SYS_BOOT>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:411
msgid "Use B<reboot>(2)  and B<kexec_load>(2)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:411
#, no-wrap
msgid "B<CAP_SYS_CHROOT>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:415
msgid "Use B<chroot>(2)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:415
#, no-wrap
msgid "B<CAP_SYS_MODULE>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:424
msgid ""
"Load and unload kernel modules (see B<init_module>(2)  and "
"B<delete_module>(2)); in kernels before 2.6.25: drop capabilities from the "
"system-wide capability bounding set."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:424
#, no-wrap
msgid "B<CAP_SYS_NICE>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:433
msgid ""
"Raise process nice value (B<nice>(2), B<setpriority>(2))  and change the "
"nice value for arbitrary processes;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:439
msgid ""
"set real-time scheduling policies for calling process, and set scheduling "
"policies and priorities for arbitrary processes (B<sched_setscheduler>(2), "
"B<sched_setparam>(2), B<shed_setattr>(2));"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:442
msgid "set CPU affinity for arbitrary processes (B<sched_setaffinity>(2));"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:445
msgid ""
"set I/O scheduling class and priority for arbitrary processes "
"(B<ioprio_set>(2));"
msgstr ""

#.  FIXME CAP_SYS_NICE also has the following effect for
#.  migrate_pages(2):
#.      do_migrate_pages(mm, &old, &new,
#.          capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
#. type: Plain text
#: man-pages/man7/capabilities.7:454
msgid ""
"apply B<migrate_pages>(2)  to arbitrary processes and allow processes to be "
"migrated to arbitrary nodes;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:458
msgid "apply B<move_pages>(2)  to arbitrary processes;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:465
msgid ""
"use the B<MPOL_MF_MOVE_ALL> flag with B<mbind>(2)  and B<move_pages>(2)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:467
#, no-wrap
msgid "B<CAP_SYS_PACCT>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:471
msgid "Use B<acct>(2)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:471
#, no-wrap
msgid "B<CAP_SYS_PTRACE>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:478
msgid "Trace arbitrary processes using B<ptrace>(2);"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:482
msgid "apply B<get_robust_list>(2)  to arbitrary processes;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:487
msgid ""
"transfer data to or from the memory of arbitrary processes using "
"B<process_vm_readv>(2)  and B<process_vm_writev>(2)."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:490
msgid "inspect processes using B<kcmp>(2)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:492
#, no-wrap
msgid "B<CAP_SYS_RAWIO>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:501
msgid "Perform I/O port operations (B<iopl>(2)  and B<ioperm>(2));"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:504
msgid "access I</proc/kcore>;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:509
msgid "employ the B<FIBMAP> B<ioctl>(2)  operation;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:512
msgid ""
"open devices for accessing x86 model-specific registers (MSRs, see "
"B<msr>(4))"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:515
msgid "update I</proc/sys/vm/mmap_min_addr>;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:518
msgid ""
"create memory mappings at addresses below the value specified by I</proc/sys/"
"vm/mmap_min_addr>;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:521
msgid "map files in I</proc/bus/pci>;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:526
msgid "open I</dev/mem> and I</dev/kmem>;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:528
msgid "perform various SCSI device commands;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:534
msgid "perform certain operations on B<hpsa>(4)  and B<cciss>(4)  devices;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:536
msgid "perform a range of device-specific operations on other devices."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:538
#, no-wrap
msgid "B<CAP_SYS_RESOURCE>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:544
msgid "Use reserved space on ext2 filesystems;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:548
msgid "make B<ioctl>(2)  calls controlling ext3 journaling;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:550
msgid "override disk quota limits;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:553
msgid "increase resource limits (see B<setrlimit>(2));"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:559
msgid "override maximum number of consoles on console allocation;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:561
msgid "override maximum number of keymaps;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:563
msgid "allow more than 64hz interrupts from the real-time clock;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:572
msgid ""
"raise I<msg_qbytes> limit for a System V message queue above the limit in I</"
"proc/sys/kernel/msgmnb> (see B<msgop>(2)  and B<msgctl>(2));"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:579
msgid ""
"override the I</proc/sys/fs/pipe-size-max> limit when setting the capacity "
"of a pipe using the B<F_SETPIPE_SZ> B<fcntl>(2)  command."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:584
msgid ""
"use B<F_SETPIPE_SZ> to increase the capacity of a pipe above the limit "
"specified by I</proc/sys/fs/pipe-max-size>;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:589
msgid ""
"override I</proc/sys/fs/mqueue/queues_max> limit when creating POSIX message "
"queues (see B<mq_overview>(7));"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:594
msgid "employ B<prctl>(2)  B<PR_SET_MM> operation;"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:599
msgid ""
"set I</proc/PID/oom_score_adj> to a value lower than the value last set by a "
"process with B<CAP_SYS_RESOURCE>."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:601
#, no-wrap
msgid "B<CAP_SYS_TIME>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:608
msgid ""
"Set system clock (B<settimeofday>(2), B<stime>(2), B<adjtimex>(2)); set real-"
"time (hardware) clock."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:608
#, no-wrap
msgid "B<CAP_SYS_TTY_CONFIG>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:615
msgid ""
"Use B<vhangup>(2); employ various privileged B<ioctl>(2)  operations on "
"virtual terminals."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:615
#, no-wrap
msgid "B<CAP_SYSLOG> (since Linux 2.6.37)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:626
msgid ""
"Perform privileged B<syslog>(2)  operations.  See B<syslog>(2)  for "
"information on which operations require privilege."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:636
msgid ""
"View kernel addresses exposed via I</proc> and other interfaces when I</proc/"
"sys/kernel/kptr_restrict> has the value 1.  (See the discussion of the "
"I<kptr_restrict> in B<proc>(5).)"
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:638
#, no-wrap
msgid "B<CAP_WAKE_ALARM> (since Linux 3.0)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:646
msgid ""
"Trigger something that will wake up the system (set B<CLOCK_REALTIME_ALARM> "
"and B<CLOCK_BOOTTIME_ALARM> timers)."
msgstr ""

#. type: SS
#: man-pages/man7/capabilities.7:646
#, no-wrap
msgid "Past and current implementation"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:648
msgid "A full implementation of capabilities requires that:"
msgstr ""

#. type: IP
#: man-pages/man7/capabilities.7:648 man-pages/man7/capabilities.7:799 man-pages/man7/capabilities.7:946 man-pages/man7/capabilities.7:999
#, no-wrap
msgid "1."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:652
msgid ""
"For all privileged operations, the kernel must check whether the thread has "
"the required capability in its effective set."
msgstr ""

#. type: IP
#: man-pages/man7/capabilities.7:652 man-pages/man7/capabilities.7:804 man-pages/man7/capabilities.7:952 man-pages/man7/capabilities.7:1005
#, no-wrap
msgid "2."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:655
msgid ""
"The kernel must provide system calls allowing a thread's capability sets to "
"be changed and retrieved."
msgstr ""

#. type: IP
#: man-pages/man7/capabilities.7:655 man-pages/man7/capabilities.7:955 man-pages/man7/capabilities.7:1009
#, no-wrap
msgid "3."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:658
msgid ""
"The filesystem must support attaching capabilities to an executable file, so "
"that a process gains those capabilities when the file is executed."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:662
msgid ""
"Before kernel 2.6.24, only the first two of these requirements are met; "
"since kernel 2.6.24, all three requirements are met."
msgstr ""

#. type: SS
#: man-pages/man7/capabilities.7:662
#, no-wrap
msgid "Thread capability sets"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:665
msgid ""
"Each thread has three capability sets containing zero or more of the above "
"capabilities:"
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:665
#, no-wrap
msgid "I<Permitted>:"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:673
msgid ""
"This is a limiting superset for the effective capabilities that the thread "
"may assume.  It is also a limiting superset for the capabilities that may be "
"added to the inheritable set by a thread that does not have the "
"B<CAP_SETPCAP> capability in its effective set."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:679
msgid ""
"If a thread drops a capability from its permitted set, it can never "
"reacquire that capability (unless it B<execve>(2)s either a set-user-ID-root "
"program, or a program whose associated file capabilities grant that "
"capability)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:679
#, no-wrap
msgid "I<Inheritable>:"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:686
msgid ""
"This is a set of capabilities preserved across an B<execve>(2).  It provides "
"a mechanism for a process to assign capabilities to the permitted set of the "
"new program during an B<execve>(2)."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:686 man-pages/man7/capabilities.7:736
#, no-wrap
msgid "I<Effective>:"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:690
msgid ""
"This is the set of capabilities used by the kernel to perform permission "
"checks for the thread."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:696
msgid ""
"A child created via B<fork>(2)  inherits copies of its parent's capability "
"sets.  See below for a discussion of the treatment of capabilities during "
"B<execve>(2)."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:700
msgid ""
"Using B<capset>(2), a thread may manipulate its own capability sets (see "
"below)."
msgstr ""

#.  commit 73efc0394e148d0e15583e13712637831f926720
#. type: Plain text
#: man-pages/man7/capabilities.7:709
msgid ""
"Since Linux 3.2, the file I</proc/sys/kernel/cap_last_cap> exposes the "
"numerical value of the highest capability supported by the running kernel; "
"this can be used to determine the highest bit that may be set in a "
"capability set."
msgstr ""

#. type: SS
#: man-pages/man7/capabilities.7:709
#, no-wrap
msgid "File capabilities"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:724
msgid ""
"Since kernel 2.6.24, the kernel supports associating capability sets with an "
"executable file using B<setcap>(8).  The file capability sets are stored in "
"an extended attribute (see B<setxattr>(2))  named I<security.capability>.  "
"Writing to this extended attribute requires the B<CAP_SETFCAP> capability.  "
"The file capability sets, in conjunction with the capability sets of the "
"thread, determine the capabilities of a thread after an B<execve>(2)."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:726
msgid "The three file capability sets are:"
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:726
#, no-wrap
msgid "I<Permitted> (formerly known as I<forced>):"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:730
msgid ""
"These capabilities are automatically permitted to the thread, regardless of "
"the thread's inheritable capabilities."
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:730
#, no-wrap
msgid "I<Inheritable> (formerly known as I<allowed>):"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:736
msgid ""
"This set is ANDed with the thread's inheritable set to determine which "
"inheritable capabilities are enabled in the permitted set of the thread "
"after the B<execve>(2)."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:746
msgid ""
"This is not a set, but rather just a single bit.  If this bit is set, then "
"during an B<execve>(2)  all of the new permitted capabilities for the thread "
"are also raised in the effective set.  If this bit is not set, then after an "
"B<execve>(2), none of the new permitted capabilities is in the new effective "
"set."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:762
msgid ""
"Enabling the file effective capability bit implies that any file permitted "
"or inheritable capability that causes a thread to acquire the corresponding "
"permitted capability during an B<execve>(2)  (see the transformation rules "
"described below) will also acquire that capability in its effective set.  "
"Therefore, when assigning capabilities to a file (B<setcap>(8), "
"B<cap_set_file>(3), B<cap_set_fd>(3)), if we specify the effective flag as "
"being enabled for any capability, then the effective flag must also be "
"specified as enabled for all other capabilities for which the corresponding "
"permitted or inheritable flags is enabled."
msgstr ""

#. type: SS
#: man-pages/man7/capabilities.7:762
#, no-wrap
msgid "Transformation of capabilities during execve()"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:768
msgid ""
"During an B<execve>(2), the kernel calculates the new capabilities of the "
"process using the following algorithm:"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:773
#, no-wrap
msgid ""
"P'(permitted) = (P(inheritable) & F(inheritable)) |\n"
"                (F(permitted) & cap_bset)\n"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:775
#, no-wrap
msgid "P'(effective) = F(effective) ? P'(permitted) : 0\n"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:777
#, no-wrap
msgid "P'(inheritable) = P(inheritable)    [i.e., unchanged]\n"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:781
msgid "where:"
msgstr ""

#. type: IP
#: man-pages/man7/capabilities.7:782
#, no-wrap
msgid "P"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:785
msgid "denotes the value of a thread capability set before the B<execve>(2)"
msgstr ""

#. type: IP
#: man-pages/man7/capabilities.7:785
#, no-wrap
msgid "P'"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:788
msgid "denotes the value of a capability set after the B<execve>(2)"
msgstr ""

#. type: IP
#: man-pages/man7/capabilities.7:788
#, no-wrap
msgid "F"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:790
msgid "denotes a file capability set"
msgstr ""

#. type: IP
#: man-pages/man7/capabilities.7:790
#, no-wrap
msgid "cap_bset"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:792
msgid "is the value of the capability bounding set (described below)."
msgstr ""

#. type: SS
#: man-pages/man7/capabilities.7:794
#, no-wrap
msgid "Capabilities and execution of programs by root"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:799
msgid ""
"In order to provide an all-powerful I<root> using capability sets, during an "
"B<execve>(2):"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:804
msgid ""
"If a set-user-ID-root program is being executed, or the real user ID of the "
"process is 0 (root)  then the file inheritable and permitted sets are "
"defined to be all ones (i.e., all capabilities enabled)."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:807
msgid ""
"If a set-user-ID-root program is being executed, then the file effective bit "
"is defined to be one (enabled)."
msgstr ""

#.  If a process with real UID 0, and nonzero effective UID does an
#.  exec(), then it gets all capabilities in its
#.  permitted set, and no effective capabilities
#. type: Plain text
#: man-pages/man7/capabilities.7:822
msgid ""
"The upshot of the above rules, combined with the capabilities "
"transformations described above, is that when a process B<execve>(2)s a set-"
"user-ID-root program, or when a process with an effective UID of 0 "
"B<execve>(2)s a program, it gains all capabilities in its permitted and "
"effective capability sets, except those masked out by the capability "
"bounding set.  This provides semantics that are the same as those provided "
"by traditional UNIX systems."
msgstr ""

#. type: SS
#: man-pages/man7/capabilities.7:822
#, no-wrap
msgid "Capability bounding set"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:827
msgid ""
"The capability bounding set is a security mechanism that can be used to "
"limit the capabilities that can be gained during an B<execve>(2).  The "
"bounding set is used in the following ways:"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:835
msgid ""
"During an B<execve>(2), the capability bounding set is ANDed with the file "
"permitted capability set, and the result of this operation is assigned to "
"the thread's permitted capability set.  The capability bounding set thus "
"places a limit on the permitted capabilities that may be granted by an "
"executable file."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:847
msgid ""
"(Since Linux 2.6.25)  The capability bounding set acts as a limiting "
"superset for the capabilities that a thread can add to its inheritable set "
"using B<capset>(2).  This means that if a capability is not in the bounding "
"set, then a thread can't add this capability to its inheritable set, even if "
"it was in its permitted capabilities, and thereby cannot have this "
"capability preserved in its permitted set when it B<execve>(2)s a file that "
"has the capability in its inheritable set."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:854
msgid ""
"Note that the bounding set masks the file permitted capabilities, but not "
"the inherited capabilities.  If a thread maintains a capability in its "
"inherited set that is not in its bounding set, then it can still gain that "
"capability in its permitted set by executing a file that has the capability "
"in its inherited set."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:857
msgid ""
"Depending on the kernel version, the capability bounding set is either a "
"system-wide attribute, or a per-process attribute."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:859
msgid "B<Capability bounding set prior to Linux 2.6.25>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:867
msgid ""
"In kernels before 2.6.25, the capability bounding set is a system-wide "
"attribute that affects all threads on the system.  The bounding set is "
"accessible via the file I</proc/sys/kernel/cap-bound>.  (Confusingly, this "
"bit mask parameter is expressed as a signed decimal number in I</proc/sys/"
"kernel/cap-bound>.)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:874
msgid ""
"Only the B<init> process may set capabilities in the capability bounding "
"set; other than that, the superuser (more precisely: programs with the "
"B<CAP_SYS_MODULE> capability) may only clear capabilities from this set."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:883
msgid ""
"On a standard system the capability bounding set always masks out the "
"B<CAP_SETPCAP> capability.  To remove this restriction (dangerous!), modify "
"the definition of B<CAP_INIT_EFF_SET> in I<include/linux/capability.h> and "
"rebuild the kernel."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:887
msgid ""
"The system-wide capability bounding set feature was added to Linux starting "
"with kernel version 2.2.11."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:889
msgid "B<Capability bounding set from Linux 2.6.25 onward>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:894
msgid ""
"From Linux 2.6.25, the I<capability bounding set> is a per-thread attribute. "
" (There is no longer a system-wide capability bounding set.)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:899
msgid ""
"The bounding set is inherited at B<fork>(2)  from the thread's parent, and "
"is preserved across an B<execve>(2)."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:912
msgid ""
"A thread may remove capabilities from its capability bounding set using the "
"B<prctl>(2)  B<PR_CAPBSET_DROP> operation, provided it has the "
"B<CAP_SETPCAP> capability.  Once a capability has been dropped from the "
"bounding set, it cannot be restored to that set.  A thread can determine if "
"a capability is in its bounding set using the B<prctl>(2)  "
"B<PR_CAPBSET_READ> operation."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:930
msgid ""
"Removing capabilities from the bounding set is supported only if file "
"capabilities are compiled into the kernel.  In kernels before Linux 2.6.33, "
"file capabilities were an optional feature configurable via the "
"CONFIG_SECURITY_FILE_CAPABILITIES option.  Since Linux 2.6.33, the "
"configuration option has been removed and file capabilities are always part "
"of the kernel.  When file capabilities are compiled into the kernel, the "
"B<init> process (the ancestor of all processes) begins with a full bounding "
"set.  If file capabilities are not compiled into the kernel, then B<init> "
"begins with a full bounding set minus B<CAP_SETPCAP>, because this "
"capability has a different meaning when there are no file capabilities."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:937
msgid ""
"Removing a capability from the bounding set does not remove it from the "
"thread's inherited set.  However it does prevent the capability from being "
"added back into the thread's inherited set in the future."
msgstr ""

#. type: SS
#: man-pages/man7/capabilities.7:937
#, no-wrap
msgid "Effect of user ID changes on capabilities"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:946
msgid ""
"To preserve the traditional semantics for transitions between 0 and nonzero "
"user IDs, the kernel makes the following changes to a thread's capability "
"sets on changes to the thread's real, effective, saved set, and filesystem "
"user IDs (using B<setuid>(2), B<setresuid>(2), or similar):"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:952
msgid ""
"If one or more of the real, effective or saved set user IDs was previously "
"0, and as a result of the UID changes all of these IDs have a nonzero value, "
"then all capabilities are cleared from the permitted and effective "
"capability sets."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:955
msgid ""
"If the effective user ID is changed from 0 to nonzero, then all capabilities "
"are cleared from the effective set."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:958
msgid ""
"If the effective user ID is changed from nonzero to 0, then the permitted "
"set is copied to the effective set."
msgstr ""

#. type: IP
#: man-pages/man7/capabilities.7:958 man-pages/man7/capabilities.7:1013
#, no-wrap
msgid "4."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:976
msgid ""
"If the filesystem user ID is changed from 0 to nonzero (see B<setfsuid>(2)), "
"then the following capabilities are cleared from the effective set: "
"B<CAP_CHOWN>, B<CAP_DAC_OVERRIDE>, B<CAP_DAC_READ_SEARCH>, B<CAP_FOWNER>, "
"B<CAP_FSETID>, B<CAP_LINUX_IMMUTABLE> (since Linux 2.6.30), "
"B<CAP_MAC_OVERRIDE>, and B<CAP_MKNOD> (since Linux 2.6.30).  If the "
"filesystem UID is changed from nonzero to 0, then any of these capabilities "
"that are enabled in the permitted set are enabled in the effective set."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:984
msgid ""
"If a thread that has a 0 value for one or more of its user IDs wants to "
"prevent its permitted capability set being cleared when it resets all of its "
"user IDs to nonzero values, it can do so using the B<prctl>(2)  "
"B<PR_SET_KEEPCAPS> operation."
msgstr ""

#. type: SS
#: man-pages/man7/capabilities.7:984
#, no-wrap
msgid "Programmatically adjusting capability sets"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:999
msgid ""
"A thread can retrieve and change its capability sets using the B<capget>(2)  "
"and B<capset>(2)  system calls.  However, the use of B<cap_get_proc>(3)  and "
"B<cap_set_proc>(3), both provided in the I<libcap> package, is preferred for "
"this purpose.  The following rules govern changes to the thread capability "
"sets:"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1005
msgid ""
"If the caller does not have the B<CAP_SETPCAP> capability, the new "
"inheritable set must be a subset of the combination of the existing "
"inheritable and permitted sets."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1009
msgid ""
"(Since Linux 2.6.25)  The new inheritable set must be a subset of the "
"combination of the existing inheritable set and the capability bounding set."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1013
msgid ""
"The new permitted set must be a subset of the existing permitted set (i.e., "
"it is not possible to acquire permitted capabilities that the thread does "
"not currently have)."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1015
msgid "The new effective set must be a subset of the new permitted set."
msgstr ""

#. type: SS
#: man-pages/man7/capabilities.7:1015
#, no-wrap
msgid "The securebits flags: establishing a capabilities-only environment"
msgstr ""

#.  For some background:
#.        see http://lwn.net/Articles/280279/ and
#.        http://article.gmane.org/gmane.linux.kernel.lsm/5476/
#. type: Plain text
#: man-pages/man7/capabilities.7:1026
msgid ""
"Starting with kernel 2.6.26, and with a kernel in which file capabilities "
"are enabled, Linux implements a set of per-thread I<securebits> flags that "
"can be used to disable special handling of capabilities for UID 0 (I<root>). "
" These flags are as follows:"
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:1026
#, no-wrap
msgid "B<SECBIT_KEEP_CAPS>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1038
msgid ""
"Setting this flag allows a thread that has one or more 0 UIDs to retain its "
"capabilities when it switches all of its UIDs to a nonzero value.  If this "
"flag is not set, then such a UID switch causes the thread to lose all "
"capabilities.  This flag is always cleared on an B<execve>(2).  (This flag "
"provides the same functionality as the older B<prctl>(2)  B<PR_SET_KEEPCAPS> "
"operation.)"
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:1038
#, no-wrap
msgid "B<SECBIT_NO_SETUID_FIXUP>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1045
msgid ""
"Setting this flag stops the kernel from adjusting capability sets when the "
"threads's effective and filesystem UIDs are switched between zero and "
"nonzero values.  (See the subsection I<Effect of User ID Changes on "
"Capabilities>.)"
msgstr ""

#. type: TP
#: man-pages/man7/capabilities.7:1045
#, no-wrap
msgid "B<SECBIT_NOROOT>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1053
msgid ""
"If this bit is set, then the kernel does not grant capabilities when a set-"
"user-ID-root program is executed, or when a process with an effective or "
"real UID of 0 calls B<execve>(2).  (See the subsection I<Capabilities and "
"execution of programs by root>.)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1063
msgid ""
"Each of the above \"base\" flags has a companion \"locked\" flag.  Setting "
"any of the \"locked\" flags is irreversible, and has the effect of "
"preventing further changes to the corresponding \"base\" flag.  The locked "
"flags are: B<SECBIT_KEEP_CAPS_LOCKED>, B<SECBIT_NO_SETUID_FIXUP_LOCKED>, and "
"B<SECBIT_NOROOT_LOCKED>."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1075
msgid ""
"The I<securebits> flags can be modified and retrieved using the B<prctl>(2)  "
"B<PR_SET_SECUREBITS> and B<PR_GET_SECUREBITS> operations.  The "
"B<CAP_SETPCAP> capability is required to modify the flags."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1084
msgid ""
"The I<securebits> flags are inherited by child processes.  During an "
"B<execve>(2), all of the flags are preserved, except B<SECBIT_KEEP_CAPS> "
"which is always cleared."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1089
msgid ""
"An application can use the following call to lock itself, and all of its "
"descendants, into an environment where the only way of gaining capabilities "
"is by executing a program with associated file capabilities:"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1098
#, no-wrap
msgid ""
"prctl(PR_SET_SECUREBITS,\n"
"        SECBIT_KEEP_CAPS_LOCKED |\n"
"        SECBIT_NO_SETUID_FIXUP |\n"
"        SECBIT_NO_SETUID_FIXUP_LOCKED |\n"
"        SECBIT_NOROOT |\n"
"        SECBIT_NOROOT_LOCKED);\n"
msgstr ""

#. type: SH
#: man-pages/man7/capabilities.7:1100
#, no-wrap
msgid "CONFORMING TO"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1106
msgid ""
"No standards govern capabilities, but the Linux capability implementation is "
"based on the withdrawn POSIX.1e draft standard; see E<.UR http://wt."
"tuxomania.net\\:/publications\\:/posix.1e/> E<.UE .>"
msgstr ""

#. type: SH
#: man-pages/man7/capabilities.7:1106
#, no-wrap
msgid "NOTES"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1110
msgid ""
"Since kernel 2.5.27, capabilities are an optional kernel component, and can "
"be enabled/disabled via the CONFIG_SECURITY_CAPABILITIES kernel "
"configuration option."
msgstr ""

#.  7b9a7ec565505699f503b4fcf61500dceb36e744
#. type: Plain text
#: man-pages/man7/capabilities.7:1124
msgid ""
"The I</proc/PID/task/TID/status> file can be used to view the capability "
"sets of a thread.  The I</proc/PID/status> file shows the capability sets of "
"a process's main thread.  Before Linux 3.8, nonexistent capabilities were "
"shown as being enabled (1) in these sets.  Since Linux 3.8, all nonexistent "
"capabilities (above B<CAP_LAST_CAP>)  are shown as disabled (0)."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1139
msgid ""
"The I<libcap> package provides a suite of routines for setting and getting "
"capabilities that is more comfortable and less likely to change than the "
"interface provided by B<capset>(2)  and B<capget>(2).  This package also "
"provides the B<setcap>(8)  and B<getcap>(8)  programs.  It can be found at"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1142
msgid ""
"E<.UR http://www.kernel.org\\:/pub\\:/linux\\:/libs\\:/security\\:/linux-"
"privs> E<.UE .>"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1151
msgid ""
"Before kernel 2.6.24, and since kernel 2.6.24 if file capabilities are not "
"enabled, a thread with the B<CAP_SETPCAP> capability can manipulate the "
"capabilities of threads other than itself.  However, this is only "
"theoretically possible, since no thread ever has B<CAP_SETPCAP> in either of "
"these cases:"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1156
msgid ""
"In the pre-2.6.25 implementation the system-wide capability bounding set, I</"
"proc/sys/kernel/cap-bound>, always masks out this capability, and this can "
"not be changed without modifying the kernel source and rebuilding."
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1162
msgid ""
"If file capabilities are disabled in the current implementation, then "
"B<init> starts out with this capability removed from its per-process "
"bounding set, and that bounding set is inherited by all other processes "
"created on the system."
msgstr ""

#. type: SH
#: man-pages/man7/capabilities.7:1162
#, no-wrap
msgid "SEE ALSO"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1180
msgid ""
"B<capsh>(1), B<capget>(2), B<prctl>(2), B<setfsuid>(2), B<cap_clear>(3), "
"B<cap_copy_ext>(3), B<cap_from_text>(3), B<cap_get_file>(3), "
"B<cap_get_proc>(3), B<cap_init>(3), B<capgetp>(3), B<capsetp>(3), "
"B<libcap>(3), B<credentials>(7), B<pthreads>(7), B<getcap>(8), B<setcap>(8)"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1183
msgid "I<include/linux/capability.h> in the Linux kernel source tree"
msgstr ""

#. type: SH
#: man-pages/man7/capabilities.7:1183
#, no-wrap
msgid "COLOPHON"
msgstr ""

#. type: Plain text
#: man-pages/man7/capabilities.7:1191
msgid ""
"This page is part of release 3.70 of the Linux I<man-pages> project.  A "
"description of the project, information about reporting bugs, and the latest "
"version of this page, can be found at \\%http://www.kernel.org/doc/man-pages/"
"."
msgstr ""