Musings

Linux capability support and use can be explored and constrained with this utility which is available on Fedora and downstream distributions. It also provides some debugging features useful for summarizing capability state. Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute. See the capabilities(7) man page for more information. Linux has implemented 7 of the capabilities outlined in the uncompleted (and defunct) POSIX 1003.1e specification, and another 20 plus Linux specific ones. $ capsh –print Current: = Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36 Securebits: 00/0x0/1’b0 secure-noroot: