For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process’s credentials (usually: effective UID, effective GID, and supplementary group list).
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
- Linux capabilities
- How to grant a specific capability to a program or binary?
- How to run a binary from a non-root account with a specific capability?
- How to avoid needing root privileges by using Linux capabilities?
- getcap, setcap and file capabilities
The following list shows the capabilities implemented on Linux, and the operations or behaviors that each capability permits:
- CAP_AUDIT_CONTROL: Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.
- CAP_NET_ADMIN: Perform various network-related operations
- CAP_SYS_ADMIN: Perform a range of system administration operations
- CAP_KILL: Send any signal (such as SIGKILL) to any process
- CAP_SYS_CHROOT: Call chroot()
For the complete list of capabilities and their descriptions, refer to the following upstream article.
Use the setcap command to set file capabilities.
setcap - set file capabilities
setcap [-q] [-v] (capabilities|-|-r) filename [ ... capabilities file N ]
In the absence of the -v (verify) option setcap sets the capabilities of each specified filename to the capabilities specified. The -v option is used to verify that the specified capabilities are currently associated with the file.
- Set the cap_net_raw capability (which allows ping to create raw sockets) and the cap_net_admin capability on the ping command:
# setcap cap_net_admin,cap_net_raw+ep /usr/bin/ping
- Set the cap_net_admin capability on /usr/bin/program2:
# setcap cap_net_admin+ep /usr/bin/program2
- Set the cap_net_raw capability on /usr/bin/mtr-packet:
# setcap cap_net_raw+ep /usr/bin/mtr-packet
In the above commands, the flags after the capability names mean:
e: Effective: the capability is activated as soon as the binary is executed.
p: Permitted: the capability is placed in the permitted set, from which it can be raised into the effective set.
i: Inheritable: the capability can be kept across execve() by child processes.
For more information refer to:
Execute the getcap command to see the capabilities set on a binary.
$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+p
Execute the following command to remove all capabilities from a binary:
# setcap -r <binary>
For example, the following command removes all capabilities from the ping command using the '-r' switch:
# setcap -r /usr/bin/ping
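Because a file capability such as cap_sys_admin or cap_setuid grants nearly root-equivalent power to anyone who can run the binary, it is worth periodically auditing getcap output across the system. The following is an added example (not from the original article): a small POSIX sh filter that reads getcap lines, parses the capability list and the e/p/i flags described above, and reports every high-risk capability found. The HIGH_RISK list, the constructed SAMPLE input and the newer one-space "path cap=flags" getcap form are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit getcap output for file capabilities that are close to
# root-equivalent. Not part of the original article.

# Capabilities worth alerting on. This list is an assumption for the example;
# extend it to match local policy.
HIGH_RISK="cap_sys_admin cap_setuid cap_setgid cap_dac_override cap_sys_module cap_sys_ptrace cap_chown cap_fowner"

# Reads getcap lines from stdin and prints "<path> <capability> +<flags>" for
# every high-risk capability found. Two line styles are recognised:
#   /usr/bin/ping = cap_net_admin,cap_net_raw+p   (format shown in the article)
#   /usr/bin/ping cap_net_raw=ep                  (newer libcap style, assumed)
# Real usage: getcap -r / 2>/dev/null | audit_caps
audit_caps() {
    while IFS= read -r line; do
        case "$line" in
            *" = "*)   path=${line%% = *}; spec=${line#* = } ;;
            *" "*"="*) path=${line%% *};   spec=${line#* } ;;
            *)         continue ;;                 # not a getcap line
        esac
        caps=${spec%%[+=]*}                        # "cap_a,cap_b"
        flags=${spec#*[+=]}                        # "ep", "p", ...
        old_ifs=$IFS; IFS=','; set -- $caps; IFS=$old_ifs
        for cap in "$@"; do
            for risky in $HIGH_RISK; do
                if [ "$cap" = "$risky" ]; then
                    printf '%s %s +%s\n' "$path" "$cap" "$flags"
                fi
            done
        done
    done
    return 0
}

# Prints the number of findings for the getcap output given on stdin.
high_risk_count() {
    audit_caps | { n=0; while IFS= read -r _; do n=$((n + 1)); done; echo "$n"; }
}

# Constructed sample input: the article's ping and mtr-packet lines, one binary
# carrying root-equivalent capabilities, one newer-style line, and noise.
SAMPLE='/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/mtr-packet = cap_net_raw+ep
/opt/tool/helper = cap_sys_admin,cap_setuid+ep
/usr/bin/newtool cap_dac_override=ep
some unrelated line'

printf '%s\n' "$SAMPLE" | audit_caps
```

Only the helper and newtool lines are reported; ping and mtr-packet carry network capabilities that are not in the list, so they pass.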