What a processes can or can't do is defined by what is called the Linux capabilities.
We could give processes a set of capabilities that would dictate what they could do on a system.
Below a couple of example of Linux capabilities:
- CAP_CHOWN: allows a process to change user - UID - and group ownership - GID - of a file.
- CAP_NET_ADMIN: allows a process to perform a range of networking related tasks - changing network interfaces, routimg tables, ... -
- CAP_SYS_ADMIN: allows a process to perform a set of system administrative operations - mounting-unmounting partitions, setting up the hostname, ... -
- . . . . . .
To know the capabilities of a process, we use the below command to get its id:
Then we go into the "proc" filesystem that holds information about the running processes:
- CapInh = Inherited capabilities
- CapPrm = Permitted capabilities - the capabilities we could make effective -
- CapEff = Actual capabilities that will be checked for each operation
- CapBnd = Bounding set - all the capabilities available for a process -.
- CapAmb = Ambient capabilities is set to give non-root processes capabilities without the use of the "setuid" feature.
To get the values of the above Hexadecimal code in human-readable form, we use the below command: