Linux 101 : Linux capabilities - CAP_CHOWN, CAP_NET_ADMIN, ... -

What a processes can or can't do is defined by what is called the Linux capabilities.

We could give processes a set of capabilities that would dictate what they could do on a system.

Below a couple of example of Linux capabilities:
  • CAP_CHOWN: allows a process to change user - UID - and group ownership - GID - of a file.
  • CAP_NET_ADMIN: allows a process to perform a range of networking related tasks - changing network interfaces, routimg tables, ... -
  • CAP_SYS_ADMIN: allows a process to perform a set of system administrative operations - mounting-unmounting partitions, setting up the hostname, ... -
  • . . . . . .
To know the capabilities of a process, we use the below command to get its id:

Then we go into the "proc" filesystem that holds information about the running processes:

  • CapInh = Inherited capabilities
  • CapPrm = Permitted capabilities - the capabilities we could make effective -
  • CapEff = Actual capabilities that will be checked for each operation
  • CapBnd = Bounding set - all the capabilities available for a process -.
  • CapAmb = Ambient capabilities is set to give non-root processes capabilities without the use of the "setuid" feature. 
To get the values of the above Hexadecimal code in human-readable form, we use the below command:


Leave as a comment: