Capabilities
Overview
Linux capabilities split the privileges of root into fine-grained, independently grantable permissions. Container runtimes drop most capabilities by default and add back only what the workload needs.
Capability Sets
Effective: active privileges in use by the process.
Permitted: privileges the process may make effective.
Inheritable: privileges passed across exec.
Bounding: hard upper limit for the process and its children.
Ambient: privileges automatically added across exec when allowed.
Common Capabilities
CAP_NET_ADMIN for network config (routes, iptables).
CAP_SYS_ADMIN for broad system administration (often dropped because it is too powerful; it reaches far beyond any single subsystem).
CAP_CHOWN, CAP_SETUID, CAP_SETGID for ownership and IDs.
Tools
capsh --print to inspect current capability sets.
getcap and setcap for file capabilities.
Example: Grant Ping Without Full Root
$ sudo setcap cap_net_raw+ep /bin/ping
$ getcap /bin/ping
Container Notes
The default Docker profile drops many capabilities to reduce blast radius. Capabilities are enforced in addition to the LSM controls described under Linux/Containerization/LSM, not instead of them.
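The following is an added example, not code from the original notes or from any of the tools named above. It does by hand what capsh --print and getcap do: it decodes the five capability sets from the Cap* lines of a /proc/<pid>/status dump (the sets described under Capability Sets), checks the relationships the kernel maintains between them, decodes the security.capability xattr that setcap writes (the file-capability step in the ping example), and compares a process's effective set against an allowlist so that an unexpected CAP_SYS_ADMIN in a container is flagged (the container note above). It assumes the capability bit numbering from linux/capability.h and the struct vfs_cap_data layout of the xattr; the status dump, the xattr bytes and the allowlist are constructed samples, not output captured from a real host.

```python
"""Decode Linux capability sets from /proc/<pid>/status and from the
security.capability xattr written by setcap, then compare the effective
set against an allowlist. Added example; not part of the original page.
Assumes the bit numbering of linux/capability.h (CAP_CHOWN = 0 up to
CAP_CHECKPOINT_RESTORE = 40) and the struct vfs_cap_data xattr layout."""
import struct

# Bit position -> capability name, in linux/capability.h order.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
# /proc/<pid>/status field -> the capability set it describes.
STATUS_KEYS = {"CapInh": "inheritable", "CapPrm": "permitted",
               "CapEff": "effective", "CapBnd": "bounding", "CapAmb": "ambient"}

# Constructed sample: a container process whose sets hold the usual
# unprivileged defaults plus CAP_SYS_ADMIN (bit 21), as if --cap-add had been used.
SAMPLE_STATUS = """\
Name:\tnginx
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t00000000a82425fb
CapEff:\t00000000a82425fb
CapBnd:\t00000000a82425fb
CapAmb:\t0000000000000000
"""
# Constructed allowlist: what this workload is expected to hold.
EXPECTED_CAPS = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SYS_CHROOT", "CAP_MKNOD", "CAP_AUDIT_WRITE", "CAP_SETFCAP",
}
# Constructed xattr value equivalent to `setcap cap_net_raw+ep` (revision 2,
# effective flag set, permitted = bit 13, inheritable empty), little-endian.
SAMPLE_XATTR = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")

VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # all permitted caps become effective on exec
VFS_CAP_REVISION_MASK = 0xFF000000   # revision lives in the top byte of magic_etc


def decode_mask(mask: int) -> set:
    """Turn a capability bitmask into the set of capability names."""
    names = set()
    for bit in range(mask.bit_length()):
        if mask & (1 << bit):
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_status(text: str) -> dict:
    """Parse the Cap* lines of a /proc/<pid>/status dump into named sets."""
    sets = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in STATUS_KEYS:
            sets[STATUS_KEYS[key]] = decode_mask(int(value.strip(), 16))
    return sets


def check_invariants(sets: dict) -> list:
    """Report violations of the relationships the kernel keeps between the sets:
    effective and ambient are subsets of permitted, ambient of inheritable,
    permitted of bounding. A violation means the dump is not a real kernel view."""
    problems = []
    rules = [("effective", "permitted"), ("ambient", "permitted"),
             ("ambient", "inheritable"), ("permitted", "bounding")]
    for sub, sup in rules:
        extra = sets.get(sub, set()) - sets.get(sup, set())
        if extra:
            problems.append(f"{sub} not subset of {sup}: {sorted(extra)}")
    return problems


def excess_caps(sets: dict, allowlist: set) -> set:
    """Effective capabilities the process holds beyond the allowlist."""
    return sets.get("effective", set()) - allowlist


def decode_file_caps(raw: bytes) -> dict:
    """Decode a security.capability xattr (struct vfs_cap_data): magic_etc,
    then permitted_lo, inheritable_lo, permitted_hi, inheritable_hi;
    revision 3 appends a rootid for user-namespaced file capabilities."""
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", raw)
    revision = (magic & VFS_CAP_REVISION_MASK) >> 24
    rootid = struct.unpack_from("<I", raw, 20)[0] if revision == 3 and len(raw) >= 24 else None
    return {
        "revision": revision,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": decode_mask(p_lo | (p_hi << 32)),
        "inheritable": decode_mask(i_lo | (i_hi << 32)),
        "rootid": rootid,
    }


if __name__ == "__main__":
    sets = parse_status(SAMPLE_STATUS)
    for name, caps in sets.items():
        print(f"{name:12s} {sorted(caps)}")
    print("invariant problems:", check_invariants(sets))
    print("beyond allowlist:", sorted(excess_caps(sets, EXPECTED_CAPS)))
    print("file caps:", decode_file_caps(SAMPLE_XATTR))
```

On a real host, read /proc/<pid>/status with open() and the xattr with os.getxattr(path, "security.capability") and pass them to the same functions; the allowlist is the review artifact, so keep it per workload rather than copying a runtime default into it.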