Linux capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0 (The root user, and only the root user, has UID 0).
Essentially, the goal of capabilities is to divide the power of ‘root’ into specific privileges, so that if a process or binary that has one or more capability is exploited, the potential damage is limited when compared to the same process running as root.
Capabilities can be set on processes and executable files. A process resulting from the execution of a file can gain the capabilities of that file.
The capabilities implemented on Linux are numerous, and many have been added since their original release. Some of them are as follows:
- CAP_CHOWN: Make changes to the User ID and Group ID of files
- CAP_DAC_OVERRIDE: Override DAC (Discretionary Access Control). For example, vto bypass read/write/execute permission checks.
- CAP_KILL: Bypass permission checks for sending signals to processes.
- CAP_SYS_NICE: Raise the niceness of processes (An explanation of niceness can be found here)
- CAP_SYS_TIME: Set the system and real-time hardware clock
What are kernel capabilities?
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
What are the Linux capabilities?
Linux capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0 (The root user, and only the root user, has UID 0).
How many Linux capabilities are there?
The number of capabilities supported by recent Linux versions is close to 40. To see the highest capability number for your kernel, use the data from the /proc file system. The full list of available Linux capabilities for the active kernel can be displayed using the capsh command.
What are file capabilities in Linux?
File capabilities aim to provide fine-grained control over root permissions. These capabilities are a partitioning of the all root privileges into a set of distinct and independent privileges. Using this functionality, reduces/prevents the need to switch as the root user.
Where are Linux capabilities stored?
All the capabilities for processes and threads are stored in the status file under the process/thread directory in the /proc file system. These properties start “Cap” name. Alternatively, for a running process, you can get the hex-encoded capabilities and then later decode it with capsh.
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
- Apache Lucene Query Example - April 8, 2024
- Google Cloud: Step by Step Tutorials for setting up Multi-cluster Ingress (MCI) - April 7, 2024
- What is Multi-cluster Ingress (MCI) - April 7, 2024
