Linux capabilities
What are Linux capabilities?
Linux capabilities are part of the Linux kernel and provide fine-grained control over the privileges that process may have. With the use of capabilities, the kernel does not have to grant processes full superuser (root) permissions, but only a subset of permissions. This way a process can use specific privileged operations without having unrestricted access. The benefits include improving security and minimizing the risk of privilege escalation. See the capabilities overview for the full of Linux capabilities, their purpose, related syscalls and files.
Learn more about the purpose of Linux capabilities in the Linux capabilities 101 article.
Tools
| Command | Description |
|---|---|
| capsh | capsh provides a capability shell wrapper to test Linux capabilities |
| captest | captest performs a set of tests related to capabilities and demonstrates them |
| filecap | filecap shows available capabilities set on binaries in $PATH or specified directory |
| firejail | firejail sandboxes applications |
| getcap | getcap queries the available file capabilities |
| getpcaps | getpcaps shows the available process capabilities |
| netcap | netcap shows an overview of network-related processes and their capabilities |
| pscap | pscap shows an overview of processes and their assigned capabilities |
| setcap | setcap adds or removes available file capabilities |
Articles for Capabilities
Introduction guide and tutorial about the inner workings of Linux capabilities and how these capabilities are applied when running Linux processes.
Setuid binaries may be a risk for the system. We will investigate how to remove the setuid bit and use Linux capabilities instead, to reduce the risks.
Linux capabilities provide a way to separate privileged actions. This overview shows the available Linux capabilities and their purpose.