.IP 2.
If the access mode specifies
.BR PTRACE_MODE_FSCREDS ,
-then for the check in the next step,
-employ the caller's filesystem user ID and group ID (see
-.BR credentials (7));
-otherwise (the access mode specifies
+then, for the check in the next step,
+employ the caller's filesystem UID and GID.
+(As noted in
+.BR credentials (7),
+the filesystem UID and GID almost always have the same values
+as the corresponding effective IDs.)
+
+Otherwise, the access mode specifies
.BR PTRACE_MODE_REALCREDS ,
-so) use the caller's real user ID and group ID.
+so use the caller's real UID and GID for the checks in the next step.
+(Most APIs that check the caller's UID and GID use the effective IDs.
+For historical reasons, the
+.BR PTRACE_MODE_REALCREDS
+check uses the real IDs instead.)
.IP 3.
Deny access if
.I neither