What Are Kernel Capabilities? (35 Listed)

What Are Kernel Capabilities? (35 Listed)

 By Charles Joseph | Cybersecurity Advocate
 Last update: November 25, 2023

Kernel capabilities are a feature of the Linux kernel that allows fine-grained control over the privileges of a process.

They provide a way to divide the privileges traditionally associated with a superuser (root) into distinct units called capabilities.

Stay One Step Ahead of Cyber Threats

Want to Be the Smartest Guy in the Room? Get the Latest Cybersecurity News and Insights.
We respect your privacy and you can unsubscribe anytime.

Each capability represents a specific set of permissions, and a process can be granted or denied these permissions individually, reducing the need for running processes with full root privileges.

There are many kernel capabilities, and their number may vary depending on the Linux kernel version.

35 Common Kernel Capabilities and Descriptions

CAP_CHOWNAllows changing the owner of files and directories.
CAP_DAC_OVERRIDEBypasses file read, write, and execute permission checks.
CAP_DAC_READ_SEARCHBypasses file read and search permission checks.
CAP_FOWNERBypasses permission checks for operations on files owned by other users.
CAP_FSETIDAllows setting the file’s set-user-ID and set-group-ID bits.
CAP_KILLAllows sending signals to any process.
CAP_SETGIDAllows setting arbitrary group IDs and calling setgroups().
CAP_SETUIDAllows setting arbitrary user IDs.
CAP_SETPCAPAllows transferring any capability to another process.
CAP_LINUX_IMMUTABLEAllows setting the immutable flag on files.
CAP_NET_BIND_SERVICEAllows binding to privileged ports (ports below 1024).
CAP_NET_BROADCASTAllows broadcasting and listening to multicasts.
CAP_NET_ADMINAllows administration of network devices, sockets, and routing tables.
CAP_NET_RAWAllows using RAW and PACKET sockets.
CAP_IPC_LOCKAllows locking memory (mlock, mlockall).
CAP_IPC_OWNERAllows bypassing permission checks for System V IPC objects.
CAP_SYS_MODULEAllows loading and unloading kernel modules.
CAP_SYS_RAWIOAllows raw I/O on storage and network devices.
CAP_SYS_CHROOTAllows using chroot().
CAP_SYS_PTRACEAllows tracing other processes.
CAP_SYS_PACCTAllows configuring process accounting.
CAP_SYS_ADMINAllows a wide range of system administration operations, such as mounting file systems, setting the system clock, or configuring swap.
CAP_SYS_BOOTAllows rebooting or enabling/disabling the kernel’s “secure attention key.”
CAP_SYS_NICEAllows raising process nice values and setting real-time scheduling policies.
CAP_SYS_RESOURCEAllows overriding resource limits, setting disk quotas, and using reserved space on file systems.
CAP_SYS_TIMEAllows setting the system clock and real-time clock.
CAP_SYS_TTY_CONFIGAllows configuring tty devices.
CAP_MKNODAllows creating special files with mknod().
CAP_LEASEAllows establishing leases on files.
CAP_AUDIT_WRITEAllows writing to the kernel’s audit log.
CAP_AUDIT_CONTROLAllows configuring the kernel’s audit subsystem.
CAP_SETFCAPAllows setting capabilities on files.
CAP_MAC_OVERRIDEAllows overriding Mandatory Access Control (MAC) policies.
CAP_MAC_ADMINAllows configuring MAC policies.
CAP_SYSLOGAllows reading and writing to the kernel’s syslog.

This list is not exhaustive, and new capabilities may be added in future kernel versions.

To see the full list of capabilities for your specific kernel version, consult the capabilities(7) man page on your system, or refer to the Linux kernel documentation.

Practical Use of Linux Kernel Capabilities (Video)

"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional