Capabilities were created as an alternative to the classical two-level privilege system: root and user. They split the root account into its individual privileges. This way, the Linux kernel allows a process to perform certain tasks that are typically reserved for root without giving that process full root privileges.
A process or a file can be granted a given capability. Each capability is independent of the others.
For instance, a user process with just the CAP_NET_BIND_SERVICE capability can open ports below 1024, but it cannot kill arbitrary processes or use chroot.
The full list of Linux kernel capabilities can be found in the man pages as well as in the kernel source.
Instead of checking the effective UID of the user, modern kernels check for capabilities: they allow a privileged operation only if the corresponding capability bit is set in the process's effective set.
There are four sets of capabilities:
- effective: capabilities that a process is currently allowed to use.
- permitted: capabilities that a process is permitted to hold. This set bounds what can be enabled in, disabled in, or dropped from the effective set.
- inheritable: capabilities that a process can pass on to another program it runs, for instance by calling the exec() system call.
- bounding set: a limit beyond which capabilities cannot be grown. They can only be dropped from it.
Credentials, therefore, are mostly a set of UIDs/GIDs, management flags, capabilities, namespaces and cgroups.
As formerly happened with UID, GID and mode, capabilities are also part of the VFS. They are called file capabilities. They are stored in the f_cred struct.
This way, we can, for example, ping some host on the internet using the CAP_NET_RAW capability.
The following is an example of setting a capability from the command line interface.
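As an added example (not code from the original page), the Python below shows the two places the text says capabilities live: the per-process sets the kernel reports in /proc/<pid>/status, and the security.capability extended attribute that file capabilities are written to by setcap. It decodes the raw bitmasks into capability names using the bit numbers from include/uapi/linux/capability.h, and `capable()` mirrors the kernel's rule that a privileged operation needs the bit set in the effective set. The sample status lines and the sample xattr bytes are constructed for the example; `sampled` is a made-up process name. Setting a capability on a file still needs the setcap tool (and CAP_SETFCAP); this example only reads and decodes.

```python
"""Decode Linux capability sets from /proc/<pid>/status and from the
security.capability xattr used for file capabilities.

Added example, not from the original page. Capability numbers follow
include/uapi/linux/capability.h; the sample status text and sample
xattr bytes below are constructed, not captured from a real system."""
import os
import struct

# Bit position -> capability name (Linux 5.9+, 41 capabilities).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# /proc field names for the sets. CapAmb (ambient) is not covered by the
# page but modern kernels report it next to the other four.
SET_FIELDS = {"CapInh": "inheritable", "CapPrm": "permitted",
              "CapEff": "effective", "CapBnd": "bounding", "CapAmb": "ambient"}

def mask_to_names(mask):
    """Expand a capability bitmask into the set of capability names."""
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def parse_status(status_text):
    """Parse the Cap* lines of a /proc/<pid>/status dump into {set: names}."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in SET_FIELDS:
            sets[SET_FIELDS[key]] = mask_to_names(int(value.strip(), 16))
    return sets

def capable(effective_mask, cap_name):
    """Kernel rule: the operation is allowed only if the capability's bit
    is set in the effective set (not merely permitted or inheritable)."""
    return bool(effective_mask >> CAP_BIT[cap_name] & 1)

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

def decode_file_caps(xattr_bytes):
    """Decode the security.capability xattr (struct vfs_cap_data, revision
    2 or 3) into the file's permitted/inheritable sets and effective flag."""
    magic, = struct.unpack_from("<I", xattr_bytes, 0)
    revision = magic & VFS_CAP_REVISION_MASK
    if revision not in (0x02000000, 0x03000000):
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % revision)
    # data[0] carries the low 32 bits of each set, data[1] the high 32 bits.
    perm_lo, inh_lo, perm_hi, inh_hi = struct.unpack_from("<4I", xattr_bytes, 4)
    result = {
        "permitted": mask_to_names(perm_hi << 32 | perm_lo),
        "inheritable": mask_to_names(inh_hi << 32 | inh_lo),
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
    }
    if revision == 0x03000000:  # revision 3 appends the user-namespace rootid
        result["rootid"], = struct.unpack_from("<I", xattr_bytes, 20)
    return result

def file_caps(path):
    """Read and decode the file capabilities of a real file (Linux only)."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError:  # no xattr set, or filesystem without xattr support
        return None

# Constructed sample: a uid 1000 process holding only the two capabilities
# a setcap'd network daemon would typically need.
SAMPLE_STATUS = """\
Name:\tsampled
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000002400
CapEff:\t0000000000002400
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""
# Constructed sample: what `setcap cap_net_raw+ep` writes (revision 2,
# effective flag set, permitted = bit 13 only).
SAMPLE_XATTR = b"\x01\x00\x00\x02" + b"\x00\x20\x00\x00" + b"\x00" * 12

if __name__ == "__main__":
    for name, caps in parse_status(SAMPLE_STATUS).items():
        print(name, sorted(caps) if len(caps) < 5 else "%d caps" % len(caps))
    print("file caps:", decode_file_caps(SAMPLE_XATTR))
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as f:
            print("this process, effective:", parse_status(f.read())["effective"])
```

Run as-is it decodes the constructed samples; on a Linux host it also prints the effective set of the running interpreter, and `file_caps("/path/to/binary")` returns what `getcap` would show for that file. Note the deliberate asymmetry in `capable()`: a capability that is only permitted or inheritable does not authorise anything until it is raised into the effective set.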