When I modify a file, the file capabilities I had set earlier are lost. Is this the expected behavior?
I first set a file capability:
$ setcap CAP_NET_RAW+ep ./test.txt
$ getcap ./test.txt
./test.txt = cap_net_raw+ep
As expected, I found the file capability is set.
Then I modify the file.
$ echo hello >> ./test.txt
Now when I check the file capabilities, no capabilities are found.
$ getcap ./test.txt
Best Answer
Yes, it is expected behaviour. I don't have a document that says it, but you can see in this patch from 2007. security_inode_killpriv is still in the kernel today, being called from notify_change when an inode is changed in "response to write or truncate": see dentry_needs_remove_privs.
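The kernel behaviour described in the answer can be observed at the xattr level: setcap(8) stores the capability set in the `security.capability` extended attribute, and the killpriv path removes that attribute when the file is written. The following Python script (an added example, not code from the question or the answer) decodes that attribute using the `vfs_cap_data` layout from the kernel's `linux/capability.h`, reports whether a file still carries file capabilities, and reproduces the append-then-recheck sequence from the question. The function names, the constructed sample blob `SAMPLE_CAP_NET_RAW_EP` and the default `./test.txt` path are assumptions for this illustration; reading the attribute needs no privilege, but reproducing the loss on a real file requires a file you were able to `setcap` in the first place.

```python
#!/usr/bin/env python3
"""Inspect and decode the security.capability xattr that setcap writes."""
import errno
import os
import struct
import sys
import tempfile

# Header word of struct vfs_cap_data (linux/capability.h): revision in the top
# byte, the "effective" flag in the low bit.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000   # one 32-bit word per set
VFS_CAP_REVISION_2 = 0x02000000   # two 32-bit words per set (64 capability bits)
VFS_CAP_REVISION_3 = 0x03000000   # revision 2 layout plus a trailing rootid
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001

# Capability bit numbers in kernel order; index 13 is cap_net_raw.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Constructed sample: what `setcap CAP_NET_RAW+ep` stores on a revision-2 system.
SAMPLE_CAP_NET_RAW_EP = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                                    1 << 13, 0, 0, 0)


def _cap_names(mask):
    """Expand a capability bitmask into getcap-style lowercase names."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def parse_vfs_cap_data(raw):
    """Decode a security.capability blob into permitted/inheritable sets."""
    if len(raw) < 4:
        raise ValueError("security.capability xattr shorter than its header")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    words = {VFS_CAP_REVISION_1: 1, VFS_CAP_REVISION_2: 2, VFS_CAP_REVISION_3: 2}.get(revision)
    if words is None:
        raise ValueError(f"unknown vfs_cap_data revision 0x{revision:08x}")
    expected = 4 + 8 * words + (4 if revision == VFS_CAP_REVISION_3 else 0)
    if len(raw) != expected:
        raise ValueError(f"expected {expected} bytes for this revision, got {len(raw)}")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * words)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _cap_names(permitted),
        "inheritable": _cap_names(inheritable),
        "rootid": rootid,
    }


def file_capabilities(path):
    """Return the decoded capability set for path, or None if the xattr is absent."""
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None   # no file caps, or filesystem without security xattrs
        raise
    return parse_vfs_cap_data(raw)


def write_clears_caps(path, payload=b"hello\n"):
    """Reproduce the question: read caps, append to the file, read caps again."""
    before = file_capabilities(path)
    with open(path, "ab") as f:
        f.write(payload)           # triggers notify_change -> killpriv in the kernel
    after = file_capabilities(path)
    return before, after


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "./test.txt"
    before, after = write_clears_caps(target)
    print("before write:", before)
    print("after write: ", after)
```

Run it against a file you have just given capabilities to; `before` shows `{'effective': True, 'permitted': ['cap_net_raw'], ...}` and `after` is `None`, matching the empty `getcap` output in the question. The decoder is also handy for auditing: walking a tree with `file_capabilities` finds every binary that carries file capabilities without shelling out to `getcap -r`.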