Questions tagged [linux-capabilities]

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).

Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

174 questions
491 votes, 25 answers

Is there a way for non-root processes to bind to "privileged" ports on Linux?

It's very annoying to have this limitation on my development box, when there won't ever be any users other than me. I'm aware of the standard workarounds, but none of them do exactly what I want: authbind (The version in Debian testing, 1.0, only…
Jason C
88 votes, 4 answers

Privileged containers and capabilities

If I am running a container in privileged mode, does it have all the Kernel capabilities or do I need to add them separately?
codefx
47 votes, 4 answers

Is it possible to configure Linux capabilities per user?

There appears to be support for fine-grained capabilities in Linux kernel, which allows granting privileges to a process to do things like, for example, opening raw sockets or raising thread priority without granting the process root…
Alex B
39 votes, 5 answers

How to find out what Linux capabilities a process requires to work?

I am in a difficult situation where I don't know what Linux capabilities a process requires to work. What is the best way, or any way, to find out what capability is required? The only thing I can think of right now is using capsh and drop all…
rand0m
37 votes, 5 answers

Linux capabilities (setcap) seems to disable LD_LIBRARY_PATH

I use LD_LIBRARY_PATH to set the path of a certain user library for an application. But if I set capabilities on this application sudo setcap CAP_NET_BIND_SERVICE=eip myapplication then LD_LIBRARY_PATH seems to be ignored. When I launch the…
Lorenzo Pistone
33 votes, 4 answers

How to get libcap (Linux capabilities library) for Android?

Are the Linux capabilities (libcap.so) library available for use with Android? If not, how can I compile it? I would like to use the capabilities-related API in sys/capabilities.h, which is included with the NDK. But when I try to call functions…
zer0stimulus
22 votes, 2 answers

Newer versions of docker have --cap-add, what CAP's can be added?

Newer versions of docker (I think 1.2 and later) have a --cap-add feature. This gives fine grained control of feature capabilities without opening up everything with --privileged=true. I've googled it, but can't find a list of capabilities and what…
hookenz
16 votes, 4 answers

How can we add capabilities to a running docker container?

Is it possible to add a capability (for ex: NET_ADMIN) after the container has actually started? I started a container a few days ago and a service provided by it is being used by several other processes which are running remotely on other servers. I…
VanagaS
14 votes, 1 answer

Raw capture capabilities (CAP_NET_RAW, CAP_NET_ADMIN) not working outside /usr/bin and friends for packet capture program using libpcap

TL;DR: Why are cap_net_raw, cap_net_admin capabilities only working in /usr/bin (or /usr/sbin), but not other places? Can this be configured someplace? I'm having problems assigning capabilities to my C program utilizing libpcap in Ubuntu 14.04.…
dirkhas
13 votes, 1 answer

Docker-Compose: order of cap_drop and cap_add?

The docker compose file reference describes the cap_add and cap_drop elements in a rather terse fashion: Add or drop container capabilities. See man 7 capabilities for a full list. Do these elements have an order, that is, add first, then drop? Or…
TheDiveO
12 votes, 1 answer

How to use CAP_SYS_ADMIN

Can somebody please explain to me how to use or set CAP_SYS_ADMIN in C? I need that capability to unmount a USB drive but don't know how to use it.
Ste
11 votes, 6 answers

gdb appears to ignore executable capabilities

I am debugging a program that makes use of libnetfilter_queue. The documentation states that a userspace queue-handling application needs the CAP_NET_ADMIN capability to function. I have done this using the setcap utility as follows: $ sudo setcap…
Aidan Steele
11 votes, 1 answer

Which capabilities can I drop in a Docker Nginx container?

I'm running Nginx in a Docker container, and I would like to drop as many Linux capabilities as possible, for security reasons. Which capabilities can I then drop? The image is similar to the standard Docker Nginx Alpine image here:…
KajMagnus
11 votes, 3 answers

How to execute a process with CAP_SYS_RESOURCE

I'm using Linux POSIX mqueue implementation, and I have a problem. For current kernel, the max message size is 1MB, but I need to have no limit. man mq_overview says that if the process is privileged (a process that has CAP_SYS_RESOURCE capability)…
Leonardo Alt
11 votes, 2 answers

Python Scapy sniff without root

I'm wondering if there is any possibility to run Scapy's 'sniff(...)' without root privileges. It is used in an application, where certain packages are captured. But I don't want to run the whole application with root permissions or change anything…
Martin