Linux capabilities

What are Linux capabilities?

Linux capabilities are part of the Linux kernel and provide fine-grained control over the privileges that process may have. With the use of capabilities, the kernel does not have to grant processes full superuser (root) permissions, but only a subset of permissions. This way a process can use specific privileged operations without having unrestricted access. The benefits include improving security and minimizing the risk of privilege escalation. See the capabilities overview for the full of Linux capabilities, their purpose, related syscalls and files.

Learn more about the purpose of Linux capabilities in the Linux capabilities 101 article.

Tools

All commands related to Linux capabilities
CommandDescription
capshcapsh provides a capability shell wrapper to test Linux capabilities
captestcaptest performs a set of tests related to capabilities and demonstrates them
filecapfilecap shows available capabilities set on binaries in $PATH or specified directory
firejailfirejail sandboxes applications
getcapgetcap queries the available file capabilities
getpcapsgetpcaps shows the available process capabilities
netcapnetcap shows an overview of network-related processes and their capabilities
pscappscap shows an overview of processes and their assigned capabilities
setcapsetcap adds or removes available file capabilities

Articles for Capabilities

Linux capabilities 101

Introduction guide and tutorial about the inner workings of Linux capabilities and how these capabilities are applied when running Linux processes.

Linux Capabilities: Hardening Linux binaries by removing setuid

Setuid binaries may be a risk for the system. We will investigate how to remove the setuid bit and use Linux capabilities instead, to reduce the risks.

Overview of Linux capabilities

Linux capabilities provide a way to separate privileged actions. This overview shows the available Linux capabilities and their purpose.