Possible error in capabilities(7)
From: Davin McCall <hidden>
Date: 2025-09-11 08:18:15
Hi Alejandro / linux-man mailing list,

I think there is an error in the "capabilities(7)" man page. It says, under the heading "Capabilities and execution of programs by root", the following:

    Thus, when a process with nonzero UIDs execve(2)s a set-user-ID-root program that does not have capabilities attached, or when a process whose real and effective UIDs are zero execve(2)s a program, the calculation of the process's new permitted capabilities simplifies to:

        P'(permitted) = P(inheritable) | P(bounding)
        P'(effective) = P'(permitted)

    Consequently, the process gains all capabilities in its permitted and effective capability sets, except those masked out by the capability bounding set.

While it seems odd, I think the "|" in "P(inheritable) | P(bounding)" is actually correct: the permitted permissions become those that were either inheritable or in the process bounding set. However, this contradicts the final paragraph copied above: "the process gains all capabilities in its permitted and effective capability sets" - no, it gains all the capabilities in *its inheritable and bounding* sets - "except those masked by the capability bounding set" - no, capabilities from the inheritable set are _not_ masked by the bounding set.

Regards,
Davin
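An added illustration of the point raised in the message above (this is not part of the original email or of the man-pages project): the general execve(2) transformation rules from capabilities(7), modelled with small bitmasks, with the set-user-ID-root case handled the way the man page describes it, as if the file had every capability in its permitted and inheritable sets with the effective bit on. The capability bit positions, the `ProcCaps`/`FileCaps` types and the sample process sets are constructed for the example and are not the kernel's CAP_* numbering.

```python
# Added example: a small model of the execve(2) capability transformation
# rules from capabilities(7). Bit positions and the sample sets below are
# constructed for illustration, not the kernel's CAP_* numbering.

from typing import NamedTuple, Optional


class ProcCaps(NamedTuple):
    permitted: int
    effective: int
    inheritable: int
    bounding: int
    ambient: int


class FileCaps(NamedTuple):
    permitted: int
    inheritable: int
    effective: bool


# Constructed stand-in capability bits.
CAP_A = 1 << 0
CAP_B = 1 << 1
CAP_C = 1 << 2
ALL_CAPS = CAP_A | CAP_B | CAP_C


def execve_caps(proc: ProcCaps, fcaps: Optional[FileCaps],
                setuid_root_no_filecaps: bool = False) -> ProcCaps:
    """Apply the capabilities(7) execve rules and return the new sets.

    fcaps is None when the file carries no capabilities.  When
    setuid_root_no_filecaps is True the file is notionally treated as having
    all capabilities in its permitted and inheritable sets with the effective
    bit on, which is how capabilities(7) describes the set-user-ID-root case.
    """
    if setuid_root_no_filecaps:
        f_perm, f_inh, f_eff, privileged = ALL_CAPS, ALL_CAPS, True, True
    elif fcaps is None:
        f_perm, f_inh, f_eff, privileged = 0, 0, False, False
    else:
        f_perm, f_inh, f_eff = fcaps.permitted, fcaps.inheritable, fcaps.effective
        privileged = True  # a file with capabilities attached is "privileged"

    # P'(ambient) = (file is privileged) ? 0 : P(ambient)
    new_ambient = 0 if privileged else proc.ambient
    # P'(permitted) = (P(inheritable) & F(inheritable))
    #               | (F(permitted) & P(bounding)) | P'(ambient)
    # Note that only the F(permitted) term is masked by the bounding set;
    # capabilities arriving via P(inheritable) are not.
    new_permitted = (proc.inheritable & f_inh) | (f_perm & proc.bounding) | new_ambient
    # P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
    new_effective = new_permitted if f_eff else new_ambient
    # P'(inheritable) = P(inheritable); P'(bounding) = P(bounding)
    return ProcCaps(new_permitted, new_effective, proc.inheritable,
                    proc.bounding, new_ambient)


def setuid_root_example() -> ProcCaps:
    """CAP_A is inheritable but outside the bounding set; CAP_B, CAP_C are in bounding."""
    proc = ProcCaps(permitted=0, effective=0, inheritable=CAP_A,
                    bounding=CAP_B | CAP_C, ambient=0)
    return execve_caps(proc, None, setuid_root_no_filecaps=True)


def file_caps_example() -> ProcCaps:
    """Ordinary file capabilities: here the bounding set does mask F(permitted)."""
    proc = ProcCaps(permitted=0, effective=0, inheritable=0,
                    bounding=CAP_B | CAP_C, ambient=0)
    return execve_caps(proc, FileCaps(permitted=CAP_A | CAP_B, inheritable=0,
                                      effective=True))


if __name__ == "__main__":
    r = setuid_root_example()
    print(f"setuid-root: permitted={r.permitted:03b} effective={r.effective:03b}")
    f = file_caps_example()
    print(f"file caps:   permitted={f.permitted:03b} effective={f.effective:03b}")
```

Running `setuid_root_example()` yields a permitted set of all three bits even though CAP_A is absent from the bounding set, which is exactly the behaviour the message describes: the inheritable set contributes to P'(permitted) unmasked, and only the file-permitted term is intersected with P(bounding). The `file_caps_example()` case shows the contrast for a file with ordinary attached capabilities, where CAP_A is dropped because it is outside the bounding set.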