capabilities
Linux process privilege capabilities system
TLDR
SYNOPSIS
getcap [options] file...
setcap capabilities file
capsh [options]
DESCRIPTION
Linux capabilities divide the privileges traditionally held by root into distinct units that can be granted independently to executables. Since kernel 2.2, a program no longer has to run entirely as root: it can be granted only the specific capabilities it needs.

For example, a web server that must bind to port 80 can be given cap_net_bind_service alone instead of full root access. This follows the principle of least privilege and limits the damage a security vulnerability in the program can do.

Each thread carries three capability sets: permitted (the maximum capabilities the thread may use), effective (the ones currently active for permission checks), and inheritable (the ones preserved across execve). File capabilities are stored in the executable's extended attributes and control which capabilities are gained when the binary is executed.

The libcap library provides the user-space tools and APIs for managing capabilities, including getcap, setcap, and capsh.
PARAMETERS
getcap -r directory
    Recursively search for files with capabilities.
getcap -v
    Verbose output: display all searched files, even those without capabilities.
setcap cap=flags file
    Set capabilities (flags: e=effective, p=permitted, i=inheritable). Use + to add, - to remove.
setcap -r file
    Remove all capabilities from a file.
setcap -q
    Quiet mode, suppress warnings.
capsh --print
    Print current capabilities and securebits.
capsh --decode hex
    Decode a capability bitmask into human-readable names.
capsh --drop cap
    Drop a capability from the bounding set.
capsh --caps=cap-set
    Set the prevailing process capabilities.
capsh --keep=0|1
    Set the keep-capabilities flag (0=off, 1=on).
COMMON CAPABILITIES
cap_net_bind_service: Bind to ports below 1024
cap_net_raw: Use raw sockets (e.g., ping)
cap_net_admin: Network administration (interfaces, firewall, routing)
cap_sys_admin: Broad system administration (mount, sethostname, etc.)
cap_sys_ptrace: Trace arbitrary processes with ptrace
cap_dac_override: Bypass file read, write, and execute permission checks
cap_setuid/cap_setgid: Change the UID/GID of a process
cap_chown: Change file ownership arbitrarily
cap_kill: Send signals to any process
cap_fowner: Bypass permission checks on operations that require file ownership
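As an added illustration (not part of libcap or this page), the Python below decodes the CapInh/CapPrm/CapEff hex masks that appear in /proc/<pid>/status into the capability names listed above, the way capsh --decode does, and reports which effective capabilities go beyond what a workload needs, using the DESCRIPTION's web-server case. The /proc excerpt and the httpd process are constructed for the example.

```python
import re
# Bit numbers from <linux/capability.h>; list index == capability number.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

def decode(mask_hex: str) -> list[str]:
    """Hex mask (as in /proc/<pid>/status) -> names, lowest bit first.
    Bits beyond the table (newer kernels) come back as cap_<n>, never dropped."""
    mask = int(mask_hex, 16)
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"cap_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]

def parse_status(status_text: str) -> dict[str, list[str]]:
    """Decode every Cap* line of a /proc/<pid>/status dump
    (CapInh, CapPrm, CapEff, and CapBnd/CapAmb where present)."""
    pat = re.compile(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", re.M)
    return {key: decode(val) for key, val in pat.findall(status_text)}

def excess(effective: list[str], needed: set[str]) -> list[str]:
    """Least-privilege check: effective capabilities the workload does not need,
    e.g. a web server that only has to bind port 80 needs cap_net_bind_service."""
    return sorted(set(effective) - needed)

# Constructed /proc/self/status excerpt: the process holds cap_sys_admin (bit 21)
# as well as cap_net_bind_service (bit 10); the bounding set is the 38-bit
# "all capabilities" value of older kernels.
SAMPLE_STATUS = """Name:\thttpd
CapInh:\t0000000000000000
CapPrm:\t0000000000200400
CapEff:\t0000000000200400
CapBnd:\t0000003fffffffff
"""

if __name__ == "__main__":
    sets = parse_status(SAMPLE_STATUS)
    for name, caps in sets.items():
        print(f"{name}: {', '.join(caps) or '(none)'}")
    print("beyond need:", excess(sets["CapEff"], {"cap_net_bind_service"}))
```

On a live system the same functions can be fed the contents of /proc/self/status directly, which is a quick way to confirm that a service started with setcap or a container runtime actually ended up with only the set it was meant to have.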
CAVEATS
Capabilities are Linux-specific and not portable to other Unix systems. Not all filesystems support capability extended attributes (e.g., NFS, FAT). Some applications check for UID 0 explicitly rather than capabilities. Capability inheritance rules are complex and easy to misconfigure. Docker and containers manage capabilities separately via their runtime configuration. cap_sys_admin is intentionally overloaded and grants a wide range of privileges.
HISTORY
POSIX capabilities were proposed in the POSIX.1e draft standard in the 1990s, though the standard was never finalized. Linux implemented capabilities starting in kernel 2.2 (1999), with significant improvements in 2.6.24 (2008) adding file capabilities. The feature has become increasingly important for containerization and security-conscious system administration.
