man 7 capabilities documents that the capabilities of a process on a linux box are recored a set of three masks:
I have an idea to what extend the inheritable mask would come to play but I am unclear about why there seems to be a need/use case to separate capabilities that are permitted from those that are effective?
Is there a case that some permitted capabilities are not effective? which could spice up an answer to this question?
Given the case some Capabilities are not effective and yet permitted, what keeps a process from setting them effective? It would seem to me at least that a rougue process would not hesitate to set all what is permitted as effetive, and normaly even attempt to escalate priveledges further?