{"id":28522,"date":"2022-03-10T17:25:24","date_gmt":"2022-03-10T17:25:24","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=28522"},"modified":"2025-07-12T05:41:41","modified_gmt":"2025-07-12T05:41:41","slug":"linux-kernel-capabilities-of-rkt-docker-and-lxd","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/linux-kernel-capabilities-of-rkt-docker-and-lxd\/","title":{"rendered":"Linux Kernel Capabilities of Rkt, Docker and Lxd"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.researchgate.net\/profile\/Muhammad-Ali-Babar\/publication\/316602321\/figure\/tbl1\/AS:668884386455556@1536485873159\/Linux-Kernel-Capability-Usage-Summary.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Linux capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0 (The root user, and only the root user, has UID 0).<\/p>\n\n\n\n<p>Essentially, the goal of capabilities is to divide the power of &#8216;root&#8217; into specific privileges, so that if a process or binary that has one or more capabilities is exploited, the potential damage is limited when compared to the same process running as root.<\/p>\n\n\n\n<p>Capabilities can be set on processes and executable files. A process resulting from the execution of a file can gain the capabilities of that file.<\/p>\n\n\n\n<p>The capabilities implemented on Linux are numerous, and many have been added since their original release. Some of them are as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>CAP_CHOWN: Make changes to the User ID and Group ID of files<\/li><li>CAP_DAC_OVERRIDE: Override DAC (Discretionary Access Control). 
For example, to bypass read\/write\/execute permission checks.<\/li><li>CAP_KILL: Bypass permission checks for sending signals to processes.<\/li><li>CAP_SYS_NICE: Raise the niceness of processes (An explanation of niceness can be found here)<\/li><li>CAP_SYS_TIME: Set the system and real-time hardware clock<\/li><\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">What are kernel capabilities?<\/h1>\n\n\n\n<p>Starting with kernel 2.2, Linux divides the privileges traditionally associated with the superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">What are the Linux capabilities?<\/h1>\n\n\n\n<p>Linux capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0 (The root user, and only the root user, has UID 0).<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">How many Linux capabilities are there?<\/h1>\n\n\n\n<p>The number of capabilities supported by recent Linux versions is close to 40. To see the highest capability number for your kernel, use the data from the \/proc file system. The full list of available Linux capabilities for the active kernel can be displayed using the capsh command.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">What are file capabilities in Linux?<\/h1>\n\n\n\n<p>File capabilities aim to provide fine-grained control over root permissions. These capabilities are a partitioning of all root privileges into a set of distinct and independent privileges. Using this functionality reduces or prevents the need to switch to the root user.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Where are Linux capabilities stored?<\/h1>\n\n\n\n<p>All the capabilities for processes and threads are stored in the status file under the process\/thread directory in the \/proc file system. 
These property names start with &#8220;Cap&#8221;. Alternatively, for a running process, you can get the hex-encoded capabilities and then later decode them with capsh.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Linux capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0 (The&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[4862],"tags":[],"class_list":["post-28522","post","type-post","status-publish","format-standard","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/28522","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=28522"}],"version-history":[{"count":2,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/28522\/revisions"}],"predecessor-version":[{"id":28524,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/28522\/revisions\/28524"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=28522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=28522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=28522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}