Package: libcap-dev
Version: 1:2.66-5+b1
Severity: minor
Tags: patch
* What led up to the situation?
Checking for defects with a new version
test-[g|n]roff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z < "man
page"
[Use "groff -e ' $' -e '\\~$' <file>" to find obvious trailing spaces.]
["test-groff" is a script in the repository for "groff"; is not shipped]
(local copy and "troff" slightly changed by me).
[The fate of "test-nroff" was decided in groff bug #55941.]
* What was the outcome of this action?
an.tmac:<stdin>:1: style: .TH missing fourth argument; consider package/project
name and version (e.g., "groff 1.23.0")
troff:<stdin>:70: warning: trailing space in the line
troff:<stdin>:306: warning: trailing space in the line
* What outcome did you expect instead?
No output (no warnings).
-.-
General remarks and further material, if a diff-file exist, are in the
attachments.
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.10-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=is_IS.iso88591, LC_CTYPE=is_IS.iso88591 (charmap=ISO-8859-1),
LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libcap-dev depends on:
ii libc6 2.40-6
ii libcap2 1:2.66-5+b1
libcap-dev recommends no packages.
Versions of packages libcap-dev suggests:
ii manpages-dev 6.9.1-1
-- no debconf information
Input file is cap_get_proc.3
Output from "mandoc -T lint cap_get_proc.3": (shortened list)
2 whitespace at end of input line
-.-.
Output from "test-groff -mandoc -t -ww -z cap_get_proc.3": (shortened list)
2 trailing space in the line
-.-.
Remove space characters (whitespace) at the end of lines.
Use "git apply ... --whitespace=fix" to fix extra space issues, or use
global configuration "core.whitespace".
Number of lines affected is
2
-.-.
Change a HYPHEN-MINUS (code 0x2D) to a minus(-dash) (\-),
if it
is a minus,
is in front of a name for an option,
is a symbol for standard input,
is a single character used to indicate an option,
or is in the NAME section (man-pages(7)).
N.B. - (0x2D), processed as a UTF-8 file, is changed to a hyphen
(0x2010, groff \[u2010] or \[hy]) in the output.
127:-1 if the capability is not supported by the running kernel. A macro
-.-.
Wrong distance between sentences in the input file.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
The best procedure is to always start a new sentence on a new line,
at least, if you are typing on a computer.
Remember coding: Only one command ("sentence") on each (logical) line.
E-mail: Easier to quote exactly the relevant lines.
Generally: Easier to edit the sentence.
Patches: Less unaffected text.
Search for two adjacent words is easier, when they belong to the same line,
and the same phrase.
The amount of space between sentences in the output can then be
controlled with the ".ss" request.
Mark a final abbreviation point as such by suffixing it with "\&".
79:file. (The entries in that file can be translated with the
81:command line.) When the caller is operating within a
85:argument is interpreted in the range of that namespace. As such, the
89:different pid namespaces. See
96:thinks it has. If the target is operating in a
99:capabilities my be substantially reduced. See
107:capability flag in effect for the calling process. This operation is
108:unprivileged. Note, a macro function
114:0. This macro works by testing for an error condition with
133:sets the specified ambient capability to a specific value. To complete
145:their lowered value. Note, the ambient set is intended to operate in a
147:capabilities in general. Executing a file, with associated filesystem
149:process. Further, changes to the inheritable set by the program code
154:returns the securebits of the calling process. These bits affect the
159:attempts to modify the securebits of the calling process. Note
161:must be in the effective capability set for this to be effective. Some
173:value. A text representation of the mode can be obtained via the
175:function. The vast majority of combinations of these values are not well
194:can be used to set the desired mode. The permitted capability
201:system call. Where
206:changed. Following this call all effective capabilities are lowered.
213:calls in one call. The
228:prevailing bounding set. Note, a macro function,
252:capabilities and securebits in the presence of pthreads. That is,
254:thread. To be meaningfully secure, however, the capability sets should
256:not memory isolated. As a workaround for this,
271:to perform state setting system calls. Notably, this also ensures that
288:for information on allocating an empty capability set. This function
315:raised in its Effective capability set. The capabilities set in the
340:kflushd and kswapd.) A kernel recompilation was needed to modify
373:setuid-root but wanting to run as a specific user ID etc. in such a
-.-.
Output from "test-groff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z
":
an.tmac:<stdin>:1: style: .TH missing fourth argument; consider package/project
name and version (e.g., "groff 1.23.0")
troff:<stdin>:70: warning: trailing space in the line
troff:<stdin>:306: warning: trailing space in the line
--- cap_get_proc.3 2025-01-30 18:35:50.130721251 +0000
+++ cap_get_proc.3.new 2025-01-30 19:01:03.396103876 +0000
@@ -41,11 +41,16 @@ int cap_setgroups(gid_t gid, size_t ngro
Link with \fI\-lcap\fP.
.SH DESCRIPTION
.BR cap_get_proc ()
-allocates a capability state in working storage, sets its state to
-that of the calling process, and returns a pointer to this newly
-created capability state. The caller should free any releasable
-memory, when the capability state in working storage is no longer
-required, by calling
+allocates a capability state in working storage,
+sets its state to
+that of the calling process,
+and returns a pointer to this newly
+created capability state.
+The caller should free any releasable
+memory,
+when the capability state in working storage is no longer
+required,
+by calling
.BR cap_free ()
with the
.I cap_t
@@ -58,45 +63,56 @@ capability state identified by
The new capability state of the process will be completely determined by
the contents of
.I cap_p
-upon successful return from this function. If any flag in
+upon successful return from this function.
+If any flag in
.I cap_p
is set for any capability not currently permitted for the calling process,
-the function will fail, and the capability state of the process will remain
+the function will fail,
+and the capability state of the process will remain
unchanged.
.PP
.BR cap_get_pid ()
returns a
.IR cap_t ,
-see
+see
.BR cap_init (3),
with the process capabilities of the process known to the caller as
.IR pid .
If
.I pid
-is 0, then the calling process's capabilities are returned.
+is 0,
+then the calling process's capabilities are returned.
This information can also be obtained from the
.I /proc/<pid>/status
-file. (The entries in that file can be translated with the
+file.
+(The entries in that file can be translated with the
.BI "capsh \-\-decode=" XXX
command line.) When the caller is operating within a
.RB ( CLONE_NEWPID )
-namespace, the numerical
+namespace,
+the numerical
.I pid
-argument is interpreted in the range of that namespace. As such, the
-caller's idea of the target
+argument is interpreted in the range of that namespace.
+As such,
+the caller's idea of the target
.I pid
may differ from that of the target process when they are operating in
-different pid namespaces. See
+different pid namespaces.
+See
.BR pid_namespaces (7)
for details.
-Further, the returned
+Further,
+the returned
.I cap_t
value holds the capabilities that the target
.I pid
-thinks it has. If the target is operating in a
+thinks it has.
+If the target is operating in a
.RB ( CLONE_NEWUSER )
-namespace, the system wide privilege of those user namespace
-capabilities my be substantially reduced. See
+namespace,
+the system wide privilege of those user namespace
+capabilities my be substantially reduced.
+See
.BR user_namespaces (7)
for details.
.PP
@@ -104,76 +120,100 @@ for details.
with a
.I cap
as an argument returns the current value of this bounding set
-capability flag in effect for the calling process. This operation is
-unprivileged. Note, a macro function
+capability flag in effect for the calling process.
+This operation is
+unprivileged.
+Note,
+a macro function
.BR "CAP_IS_SUPPORTED(cap_value_t " cap )
is provided that evaluates to true (1) if the system supports the
specified capability,
.IR cap .
-If the system does not support the capability, this function returns
-0. This macro works by testing for an error condition with
+If the system does not support the capability,
+this function returns
+0.
+This macro works by testing for an error condition with
.BR cap_get_bound ().
.PP
.BR cap_drop_bound ()
can be used to lower the specified bounding set capability,
.BR cap .
-To complete successfully, the prevailing
+To complete successfully,
+the prevailing
.I effective
capability set must have a raised
.BR CAP_SETPCAP .
.PP
.BR cap_get_ambient ()
-returns the prevailing value of the specified ambient capability, or
--1 if the capability is not supported by the running kernel. A macro
+returns the prevailing value of the specified ambient capability,
+or \-1 if the capability is not supported by the running kernel.
+A macro
.BR CAP_AMBIENT_SUPPORTED ()
uses this function to determine if ambient capabilities are supported
by the kernel.
.PP
.BR cap_set_ambient ()
-sets the specified ambient capability to a specific value. To complete
-successfully, the prevailing
+sets the specified ambient capability to a specific value.
+To complete successfully,
+the prevailing
.I effective
capability set must have a raised
.BR CAP_SETPCAP .
-Further, to raise a specific ambient capability the
+Further,
+to raise a specific ambient capability the
.IR inheritable " and " permitted
-sets of the calling process must contain the specified capability, and
-raised ambient bits will only be retained as long as this remains true.
+sets of the calling process must contain the specified capability,
+and raised ambient bits will only be retained
+as long as this remains true.
.PP
.BR cap_reset_ambient ()
resets all of the ambient capabilities for the calling process to
-their lowered value. Note, the ambient set is intended to operate in a
+their lowered value.
+Note,
+the ambient set is intended to operate in a
legacy environment where the application has limited awareness of
-capabilities in general. Executing a file, with associated filesystem
-capabilities, the kernel will implicitly reset the ambient set of the
-process. Further, changes to the inheritable set by the program code
+capabilities in general.
+Executing a file,
+with associated filesystem capabilities,
+the kernel will implicitly reset the ambient set of the
+process.
+Further,
+changes to the inheritable set by the program code
without explicitly fixing up the ambient set can also drop ambient
bits.
.PP
.BR cap_get_secbits ()
-returns the securebits of the calling process. These bits affect the
+returns the securebits of the calling process.
+These bits affect the
way in which the calling process implements things like setuid-root
fixup and ambient capabilities.
.PP
.BR cap_set_secbits ()
-attempts to modify the securebits of the calling process. Note
+attempts to modify the securebits of the calling process.
+Note
.B CAP_SETPCAP
-must be in the effective capability set for this to be effective. Some
-settings lock the sub-states of the securebits, so attempts to set values
+must be in the effective capability set for this to be effective.
+Some
+settings lock the sub-states of the securebits,
+so attempts to set values
may be denied by the kernel even when the
.B CAP_SETPCAP
capability is raised.
.PP
-To help manage the complexity of the securebits, libcap provides a
-combined securebit and capability set concept called a libcap mode.
+To help manage the complexity of the securebits,
+libcap provides a combined securebit
+and capability set concept called a libcap mode.
.BR cap_get_mode ()
attempts to summarize the prevailing security environment in the form
of a numerical
.B cap_mode_t
-value. A text representation of the mode can be obtained via the
+value.
+A text representation of the mode can be obtained via the
.BR cap_mode_name ()
-function. The vast majority of combinations of these values are not well
-defined in terms of a libcap mode, and for these states
+function.
+The vast majority of combinations of these values are not well
+defined in terms of a libcap mode,
+and for these states
.BR cap_get_mode ()
returns
.RB ( cap_mode_t )0
@@ -191,47 +231,57 @@ can be used to read state via the \fBprc
can be used to write state via the \fBprctl\fI()\fP system call.
.PP
.BR cap_set_mode ()
-can be used to set the desired mode. The permitted capability
+can be used to set the desired mode.
+The permitted capability
.B CAP_SETPCAP
is required for this function to succeed.
.PP
.BR cap_setuid ()
is a convenience function for the
.BR setuid (2)
-system call. Where
+system call.
+Where
.BR cap_setuid ()
arranges for the right effective capability to be raised in order to
-perform the system call, and also arranges to preserve the
+perform the system call,
+and also arranges to preserve the
availability of permitted capabilities after the uid has
-changed. Following this call all effective capabilities are lowered.
+changed.
+Following this call all effective capabilities are lowered.
.PP
.BR cap_setgroups ()
is a convenience function for performing both
.BR setgid (2)
and
.BR setgroups (2)
-calls in one call. The
+calls in one call.
+The
.BR cap_setgroups ()
-call raises the right effective capability for the duration of the
-call, and empties the effective capability set before returning.
+call raises the right effective capability for the duration of the call,
+and empties the effective capability set before returning.
.SH "RETURN VALUE"
The functions
.BR cap_get_proc ()
and
.BR cap_get_pid ()
-return a non-NULL value on success, and NULL on failure.
+return a non-NULL value on success,
+and NULL on failure.
.PP
The function
.BR cap_get_bound ()
-returns \-1 if the requested capability is unknown, otherwise the
+returns \-1 if the requested capability is unknown,
+otherwise the
return value reflects the current state of that capability in the
-prevailing bounding set. Note, a macro function,
+prevailing bounding set.
+Note,
+a macro function,
.PP
The all of the setting functions such as
.BR cap_set_proc ()
and
.BR cap_drop_bound ()
-return zero for success, and \-1 on failure.
+return zero for success,
+and \-1 on failure.
.PP
On failure,
.I errno
@@ -248,17 +298,24 @@ are specified in the withdrawn POSIX.1e
.BR cap_get_pid ()
is a Linux extension.
.SH "NOTES"
-Neither glibc, nor the Linux kernel honors POSIX semantics for setting
-capabilities and securebits in the presence of pthreads. That is,
-changing capability sets, by default, only affect the running
-thread. To be meaningfully secure, however, the capability sets should
-be mirrored by all threads within a common program because threads are
-not memory isolated. As a workaround for this,
+Neither glibc,
+nor the Linux kernel honors POSIX semantics for setting
+capabilities and securebits in the presence of pthreads.
+That is,
+changing capability sets,
+by default,
+only affect the running thread.
+To be meaningfully secure,
+however,
+the capability sets should be mirrored by all threads within a common program
+because threads are not memory isolated.
+As a workaround for this,
.B libcap
is packaged with a separate POSIX semantics system call library:
.BR libpsx .
-If your program uses POSIX threads, to achieve meaningful POSIX
-semantics capability manipulation, you should link your program with:
+If your program uses POSIX threads,
+to achieve meaningful POSIX semantics capability manipulation,
+you should link your program with:
.sp
.B ld ... \-lcap \-lpsx \-lpthread \-\-wrap=pthread_create
.sp
@@ -266,9 +323,13 @@ or,
.sp
.B gcc ... \-lcap \-lpsx \-lpthread \-Wl,\-wrap,pthread_create
.sp
-When linked this way, due to linker magic, libcap uses
+When linked this way,
+due to linker magic,
+libcap uses
.BR psx_syscall "(3) and " psx_syscall6 (3)
-to perform state setting system calls. Notably, this also ensures that
+to perform state setting system calls.
+Notably,
+this also ensures that
.BI cap_prctlw ()
can be used to ensure process control bits are shared over all threads
of a single process.
@@ -280,13 +341,15 @@ The library also supports the deprecated
.BI "int capsetp(pid_t " pid ", cap_t " cap_d );
.PP
.BR capgetp ()
-attempts to obtain the capabilities of some other process; storing the
-capabilities in a pre-allocated
+attempts to obtain the capabilities of some other process;
+storing the capabilities in a pre-allocated
.IR cap_d .
See
.BR cap_init ()
-for information on allocating an empty capability set. This function
-is deprecated; you should use
+for information on allocating an empty capability set.
+This function
+is deprecated;
+you should use
.BR cap_get_pid ().
.PP
.BR capsetp ()
@@ -301,18 +364,22 @@ for information on which kernels provide
.PP
If
.I pid
-is positive it refers to a specific process; if it is zero, it refers
-to the calling process; \-1 refers to all processes other than the
-calling process and process '1' (typically
+is positive it refers to a specific process;
+if it is zero,
+it refers to the calling process;
+\-1 refers to all processes other than the calling process
+and process '1' (typically
.BR init (8));
other negative values refer to the
.I \-pid
process group.
.PP
-In order to use this function, the kernel must support
-it and the calling process must have
+In order to use this function,
+the kernel must support it
+and the calling process must have
.B CAP_SETPCAP
-raised in its Effective capability set. The capabilities set in the
+raised in its Effective capability set.
+The capabilities set in the
target process(es) are those contained in
.IR cap_d .
.PP
@@ -323,13 +390,17 @@ and on such systems,
will always fail for any target not
equal to the calling process.
.BR capsetp ()
-returns zero for success, and \-1 on failure.
+returns zero for success,
+and \-1 on failure.
.PP
On kernels where it is (was) supported,
.BR capsetp ()
-should be used with care. It existed, primarily, to overcome an early
-lack of support for capabilities in the filesystems supported by
-Linux. Note that on older kernels where
+should be used with care.
+It existed,
+primarily,
+to overcome an early lack of support for capabilities in the filesystems
+supported by Linux.
+Note that on older kernels where
.BR capsetp ()
could be used to set the capabilities of another process,
the only processes that had
@@ -369,10 +440,11 @@ effective capabilities for the caller:
...
.fi
-Alternatively, to completely drop privilege in a program launched
-setuid-root but wanting to run as a specific user ID etc. in such a
-way that neither it, nor any of its children can acquire privilege
-again:
+Alternatively,
+to completely drop privilege in a program launched setuid-root
+but wanting to run as a specific user ID etc.\& in such a way
+that neither it,
+nor any of its children can acquire privilege again:
.nf
...
@@ -393,7 +465,8 @@ again:
...
.fi
-Note, the above sequence can be performed by the
+Note,
+the above sequence can be performed by the
.B capsh
tool as follows:
.sp
Any program (person), that produces man pages, should check the output
for defects by using (both groff and nroff)
[gn]roff -mandoc -t -ww -b -z -K utf8 <man page>
The same goes for man pages that are used as an input.
For a style guide use
mandoc -T lint
-.-
Any "autogenerator" should check its products with the above mentioned
'groff', 'mandoc', and additionally with 'nroff ...'.
It should also check its input files for too long (> 80) lines.
This is just a simple quality control measure.
The "autogenerator" may have to be corrected to get a better man page,
the source file may, and any additional file may.
Common defects:
Not removing trailing spaces (in in- and output).
The reason for these trailing spaces should be found and eliminated.
Not beginning each input sentence on a new line.
Line length should thus be reduced.
The script "reportbug" uses 'quoted-printable' encoding when a line is
longer than 1024 characters in an 'ascii' file.
See man-pages(7), item "semantic newline".
-.-
The difference between the formatted output of the original and patched file
can be seen with:
nroff -mandoc <file1> > <out1>
nroff -mandoc <file2> > <out2>
diff -u <out1> <out2>
and for groff, using
\"printf '%s\n%s\n' '.kern 0' '.ss 12 0' | groff -mandoc -Z - \"
instead of 'nroff -mandoc'
Add the option '-t', if the file contains a table.
Read the output from 'diff -u ...' with 'less -R' or similar.
-.-.
If 'man' (man-db) is used to check the manual for warnings,
the following must be set:
The option \"-warnings=w\"
The environmental variable:
export MAN_KEEP_STDERR=yes (or any non-empty value)
or
(produce only warnings):
export MANROFFOPT=\"-ww -b -z\"
export MAN_KEEP_STDERR=yes (or any non-empty value)
-.-
