Kernel capabilities are a feature of the Linux kernel that allows fine-grained control over the privileges of a process.
They provide a way to divide the privileges traditionally associated with a superuser (root) into distinct units called capabilities.
Each capability represents a specific set of permissions, and a process can be granted or denied these permissions individually, reducing the need for running processes with full root privileges.
There are many kernel capabilities, and their number may vary depending on the Linux kernel version.
35 Common Kernel Capabilities and Descriptions
| Capability | Description |
|---|---|
| CAP_CHOWN | Allows changing the owner of files and directories. |
| CAP_DAC_OVERRIDE | Bypasses file read, write, and execute permission checks. |
| CAP_DAC_READ_SEARCH | Bypasses file read and search permission checks. |
| CAP_FOWNER | Bypasses permission checks for operations on files owned by other users. |
| CAP_FSETID | Allows setting the file's set-user-ID and set-group-ID bits. |
| CAP_KILL | Allows sending signals to any process. |
| CAP_SETGID | Allows setting arbitrary group IDs and calling setgroups(). |
| CAP_SETUID | Allows setting arbitrary user IDs. |
| CAP_SETPCAP | Allows transferring any capability to another process. |
| CAP_LINUX_IMMUTABLE | Allows setting the immutable flag on files. |
| CAP_NET_BIND_SERVICE | Allows binding to privileged ports (ports below 1024). |
| CAP_NET_BROADCAST | Allows broadcasting and listening to multicasts. |
| CAP_NET_ADMIN | Allows administration of network devices, sockets, and routing tables. |
| CAP_NET_RAW | Allows using RAW and PACKET sockets. |
| CAP_IPC_LOCK | Allows locking memory (mlock, mlockall). |
| CAP_IPC_OWNER | Allows bypassing permission checks for System V IPC objects. |
| CAP_SYS_MODULE | Allows loading and unloading kernel modules. |
| CAP_SYS_RAWIO | Allows raw I/O on storage and network devices. |
| CAP_SYS_CHROOT | Allows using chroot(). |
| CAP_SYS_PTRACE | Allows tracing other processes. |
| CAP_SYS_PACCT | Allows configuring process accounting. |
| CAP_SYS_ADMIN | Allows a wide range of system administration operations, such as mounting file systems, setting the system clock, or configuring swap. |
| CAP_SYS_BOOT | Allows rebooting or enabling/disabling the kernel's "secure attention key". |
| CAP_SYS_NICE | Allows raising process nice values and setting real-time scheduling policies. |
| CAP_SYS_RESOURCE | Allows overriding resource limits, setting disk quotas, and using reserved space on file systems. |
| CAP_SYS_TIME | Allows setting the system clock and real-time clock. |
| CAP_SYS_TTY_CONFIG | Allows configuring tty devices. |
| CAP_MKNOD | Allows creating special files with mknod(). |
| CAP_LEASE | Allows establishing leases on files. |
| CAP_AUDIT_WRITE | Allows writing to the kernel's audit log. |
| CAP_AUDIT_CONTROL | Allows configuring the kernel's audit subsystem. |
| CAP_SETFCAP | Allows setting capabilities on files. |
| CAP_MAC_OVERRIDE | Allows overriding Mandatory Access Control (MAC) policies. |
| CAP_MAC_ADMIN | Allows configuring MAC policies. |
| CAP_SYSLOG | Allows reading and writing to the kernel's syslog. |
This list is not exhaustive, and new capabilities may be added in future kernel versions.
To see the full list of capabilities for your specific kernel version, consult the capabilities(7) man page on your system, or refer to the Linux kernel documentation.
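The kernel exposes each process's capability sets as hexadecimal bitmasks in the `CapInh`, `CapPrm`, `CapEff`, `CapBnd` and `CapAmb` lines of `/proc/<pid>/status`, where bit 0 is CAP_CHOWN and the bit numbers follow the order of the table above (they are the constants from the kernel's `include/uapi/linux/capability.h`). The script below is an added example, not code from the original article: it decodes such a status file back into the names in the table, reports any bit it does not know by number (which is what you will see on a newer kernel than the list covers), and flags the capabilities a reviewer would treat as effectively root. The `ROOT_EQUIVALENT` watch-list is the example author's own selection, not a kernel-defined set, and `SAMPLE_STATUS` is constructed, not captured from a real system.

```python
"""Decode the capability bitmasks from /proc/<pid>/status into names.

Added example, not code from the original article. Bit numbers are the
constants from the kernel's include/uapi/linux/capability.h; the sample
status text below is constructed, not captured from a real system.
"""
from __future__ import annotations

import re
import sys

# Bit index -> capability name (bit 0 = CAP_CHOWN, bit 21 = CAP_SYS_ADMIN, ...).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Reviewer's watch-list (an assumption of this example, not a kernel concept):
# capabilities that by themselves let a holder reach full root or read any
# file or process memory, so they deserve the same scrutiny as running as root.
ROOT_EQUIVALENT = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE",
    "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_SETUID", "CAP_SETFCAP",
}

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def decode_mask(mask: int) -> list[str]:
    """Return the names of all capabilities whose bit is set in mask.

    Bits beyond the names we know are reported as CAP_<bit>, since newer
    kernels add capabilities and the table on this page is not exhaustive.
    """
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text: str) -> dict[str, int]:
    """Extract the five Cap* fields of a /proc/<pid>/status file as integers."""
    return {m.group(1): int(m.group(2), 16) for m in _CAP_LINE.finditer(text)}


def audit(text: str) -> dict[str, list[str]]:
    """Summarise one status file: effective and ambient sets, and which
    effective capabilities are on the root-equivalent watch-list."""
    caps = parse_status(text)
    effective = decode_mask(caps.get("CapEff", 0))
    return {
        "effective": effective,
        "ambient": decode_mask(caps.get("CapAmb", 0)),
        "root_equivalent": sorted(ROOT_EQUIVALENT & set(effective)),
    }


# Constructed sample: an unprivileged-UID daemon whose effective set keeps
# CAP_NET_BIND_SERVICE (bit 10), CAP_NET_RAW (bit 13) and CAP_SYS_PTRACE
# (bit 19): 0x400 + 0x2000 + 0x80000 = 0x82400. Its bounding set has all
# 41 bits of a recent kernel set.
SAMPLE_STATUS = """\
Name:\tsample-daemon
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000082400
CapEff:\t0000000000082400
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    # Usage: python3 capaudit.py [/proc/<pid>/status]; falls back to the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    try:
        with open(path) as fh:
            status_text = fh.read()
    except OSError:
        status_text = SAMPLE_STATUS
    for key, value in audit(status_text).items():
        print(f"{key}: {', '.join(value) or '(none)'}")
```

Run it against `/proc/<pid>/status` of a service that was supposed to drop privileges: an empty `root_equivalent` list is the result you want, and an unexpectedly broad `effective` set (or anything in `CapAmb`, which survives `execve` into unprivileged children) is the finding worth chasing. Because unknown bits come back as `CAP_<n>` rather than raising, the decoder keeps working on kernels newer than its name table, which is exactly the situation the paragraph above warns about.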
Practical Use of Linux Kernel Capabilities (Video)
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional