What does it mean to have a capability only in the inheritable set?

Submitted by 拥有回忆 on 2019-12-13 08:27:13

Question


My program is being run with cap_sys_admin,cap_setgid+i.
Of course, I understand that they are inheritable across execve, but besides that: do they behave the same way as if I don't have them at all, since they are neither effective nor permitted?


Answer 1:


OK so your process is running with some Inheritable capabilities. What does that mean for your process? Pretty much nothing. You can't call setcap() to make any of those capabilities Effective, since they're not in your Permitted set, and with no way to get them in your Effective set your process cannot use the capabilities itself.

However, their presence in your Inheritable set may have consequences for other processes you launch. E.g. if you were to exec() a binary whose file had cap_setgid in both its Effective and Inheritable set, that child process would start with cap_setgid in its Effective set.

If cap_setgid were not in your process's Inheritable set in the above example, then the fact that the file has cap_setgid+ie becomes irrelevant, and the child process will not have the stated capability.




Answer 2:


Yes, inherited keeps sleeping until you set the effective capabilities. As described in the manual, inherited means: "when execve, copy inherited to child inherited and permitted":

This is a set of capabilities preserved across an execve(2). Inheritable capabilities remain inheritable when executing any program, and inheritable capabilities are added to the permitted set when executing a program that has the corresponding bits set in the file inheritable set.

http://man7.org/linux/man-pages/man7/capabilities.7.html
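The execve() transformation that both answers describe, as an added example (not code from the question or either answer): a small model of the capabilities(7) rules, run over the asker's own situation (cap_sys_admin,cap_setgid only in Inheritable) against a binary carrying cap_setgid+ie. The capability numbers are the real ones from <linux/capability.h>; the full bounding set, a non-root caller and a non-setuid target are assumptions.

```python
from dataclasses import dataclass, field

# Real values from <linux/capability.h>; the bounding set is assumed full
# (indices 0..40, the range of CAP_LAST_CAP on recent kernels).
CAP_SETGID = 6
CAP_SYS_ADMIN = 21
ALL_CAPS = frozenset(range(41))

@dataclass
class CapSets:
    effective: set = field(default_factory=set)
    permitted: set = field(default_factory=set)
    inheritable: set = field(default_factory=set)
    bounding: set = field(default_factory=lambda: set(ALL_CAPS))
    ambient: set = field(default_factory=set)

def raise_effective(proc: CapSets, cap: int) -> bool:
    """capset(2)-style raise: Effective may only be filled from Permitted.
    Inheritable alone never qualifies, which is why the asker's process
    cannot use cap_sys_admin or cap_setgid itself."""
    if cap not in proc.permitted:
        return False
    proc.effective.add(cap)
    return True

def execve_caps(proc: CapSets, file_p: set, file_i: set, file_e: bool) -> CapSets:
    """Sets of the new program image per capabilities(7), 'Transformation of
    capabilities during execve()', for a file that carries file capabilities
    (so the ambient set is cleared) and a non-root, non-setuid caller."""
    new_p = (proc.inheritable & file_i) | (file_p & proc.bounding)
    return CapSets(
        effective=set(new_p) if file_e else set(),
        permitted=new_p,
        inheritable=set(proc.inheritable),
        bounding=set(proc.bounding),
    )

def scenario(proc_inheritable: set) -> tuple:
    """Exec a binary tagged 'cap_setgid+ie' (file Inheritable + Effective, no
    file Permitted) from a process holding proc_inheritable only in Inheritable.
    Returns (could the process raise cap_setgid itself, child's Effective set)."""
    proc = CapSets(inheritable=set(proc_inheritable))
    can_raise = raise_effective(proc, CAP_SETGID)
    child = execve_caps(proc, file_p=set(), file_i={CAP_SETGID}, file_e=True)
    return can_raise, child.effective

if __name__ == "__main__":
    print(scenario({CAP_SYS_ADMIN, CAP_SETGID}))  # (False, {6})
    print(scenario(set()))                         # (False, set())
```

The first call is the asker's process: it cannot raise the capability itself, yet the child it execs starts with cap_setgid effective; drop cap_setgid from Inheritable and the file's +ie bits yield nothing.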



Source: https://stackoverflow.com/questions/43927722/what-does-it-means-to-have-a-capability-only-in-the-inheritable-set
