Linux Capabilities
What is Linux Capabilities?
A Linux kernel feature, loosely based on the withdrawn POSIX.1e draft, that splits the all-powerful root privilege into 40-plus discrete capabilities which can be granted independently to processes (per-thread capability sets) and to executables (file capabilities).
Linux capabilities were introduced in kernel 2.2 to break the binary divide between an unprivileged user and an omnipotent root; file capabilities, stored in the security.capability extended attribute of an executable, followed in 2.6.24. The kernel exposes about 40 discrete privileges, for example CAP_NET_BIND_SERVICE (bind to ports below 1024), CAP_SYS_ADMIN (a catch-all covering mount, namespaces and much more), CAP_NET_ADMIN, CAP_DAC_OVERRIDE (bypass file permission checks) and CAP_SYS_PTRACE (trace arbitrary processes). Each thread carries five capability sets: permitted, effective, inheritable, bounding and ambient. The effective set is what the kernel actually checks on a privileged operation, and the bounding set limits what the process and its descendants can ever gain. The design loosely follows the POSIX.1e draft, which was never ratified. Userspace tools shipped with libcap include capsh (inspect and manipulate a shell's capability sets), getcap and setcap (read or assign file capabilities) and getpcaps (print another process's sets). Container runtimes such as Docker and containerd start containers with a default subset (CAP_SYS_ADMIN dropped, CAP_NET_BIND_SERVICE kept), and the Kubernetes Pod Security Standards restrict them further: the restricted profile requires dropping ALL and permits adding back only NET_BIND_SERVICE. The practitioner caveat is that capabilities are not equally small: CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_PTRACE, CAP_DAC_OVERRIDE, CAP_SETUID and several others are each enough to regain full root, so granting one of them is not least privilege in any meaningful sense. Used carefully, capabilities are foundational for least-privilege design on Linux servers and CNCF-style workloads.
● Examples
- 01
Granting only CAP_NET_BIND_SERVICE to a non-root process, for example by stamping the server binary with that file capability using setcap, so it can listen on TCP port 80 without being root.
- 02
Using "capsh --print" inside a container to confirm that CAP_SYS_ADMIN has been dropped: the Current line shows what the shell holds now, and the Bounding set line shows what any process in the container could ever acquire.
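The following added example (not code from this page or from libcap) decodes the hexadecimal capability masks the kernel prints in /proc/<pid>/status, the same numbers that capsh --print and getpcaps translate into names, and audits a process's effective set against an allow-list such as the Kubernetes restricted profile's "drop ALL, add NET_BIND_SERVICE". The capability numbering follows the kernel's capability.h (CAP_CHOWN is bit 0, CAP_CHECKPOINT_RESTORE is bit 40). The status excerpt is constructed and uses Docker's default mask 0xa80425fb; the ROOT_EQUIVALENT list is a policy choice of this example, not something the kernel or the page defines.

```python
"""Decode Linux capability masks and audit them against an allow-list.

Added example (not code from the page or from libcap). Capability numbers
follow include/uapi/linux/capability.h: CAP_CHOWN is bit 0 and
CAP_CHECKPOINT_RESTORE is bit 40, so a full root set is 0x1ffffffffff.
"""
import re

# Index in this list == capability number (bit position in the mask).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Policy choice of this example (an assumption, not a kernel concept):
# capabilities each widely documented as sufficient to regain full root,
# e.g. by loading a module, ptracing a root process, writing any file,
# changing uid, creating device nodes, or stamping file capabilities.
ROOT_EQUIVALENT = frozenset({
    "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace", "cap_sys_rawio",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
    "cap_setuid", "cap_setgid", "cap_setfcap", "cap_mknod",
})

# The five per-thread sets exactly as /proc/<pid>/status prints them.
CAP_SET_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", re.M)


def decode_caps(mask):
    """Return the names whose bit is set in mask, lowest bit first.
    Bits above the known table (a newer kernel) come back as cap_<n>
    rather than being silently dropped."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def parse_status_caps(status_text):
    """Parse the Cap* lines of a /proc/<pid>/status dump into {set: int}."""
    return {name: int(hexmask, 16) for name, hexmask in CAP_SET_LINE.findall(status_text)}


def audit_caps(mask, allowed):
    """Compare a mask with an allow-list of capability names and flag
    everything outside it plus anything root-equivalent."""
    have = set(decode_caps(mask))
    return {
        "granted": sorted(have),
        "unexpected": sorted(have - set(allowed)),
        "root_equivalent": sorted(have & ROOT_EQUIVALENT),
    }


def current_process_caps():
    """Read this process's own sets (Linux only); None on other systems."""
    try:
        with open("/proc/self/status", encoding="ascii") as status:
            return parse_status_caps(status.read())
    except OSError:
        return None


# Constructed sample: a status excerpt for a process running with Docker's
# default capability set (mask 0xa80425fb) and an empty ambient set.
SAMPLE_STATUS = """\
Name:\tpython3
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t0
"""

# What the Kubernetes restricted Pod Security Standard leaves after
# "drop ALL, add NET_BIND_SERVICE".
RESTRICTED_PSS_ALLOWED = frozenset({"cap_net_bind_service"})

if __name__ == "__main__":
    sets = parse_status_caps(SAMPLE_STATUS)
    report = audit_caps(sets["CapEff"], RESTRICTED_PSS_ALLOWED)
    for key, value in report.items():
        print(f"{key:15} {', '.join(value) or '-'}")
    live = current_process_caps()
    if live is not None:
        print("this process CapEff:", ", ".join(decode_caps(live["CapEff"])) or "-")
```

Run against the constructed sample, the audit shows the point the definition makes in words: Docker's default set keeps CAP_SYS_ADMIN out, yet seven of its fourteen capabilities (chown, dac_override, fowner, mknod, setfcap, setgid, setuid) are on the root-equivalent list, which is why the Kubernetes restricted profile starts from an empty set instead. On a Linux host the same decode can be pointed at any process's status file, or cross-checked against getpcaps for that PID.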
● Frequently asked questions
What is Linux Capabilities?
A Linux kernel feature, loosely based on the withdrawn POSIX.1e draft, that splits the all-powerful root privilege into 40-plus discrete capabilities which can be granted independently to processes (per-thread capability sets) and to executables (file capabilities). It belongs to the Identity & Access category of cybersecurity.
What does Linux Capabilities mean?
A Linux kernel feature, loosely based on the withdrawn POSIX.1e draft, that splits the all-powerful root privilege into 40-plus discrete capabilities which can be granted independently to processes (per-thread capability sets) and to executables (file capabilities).
How does Linux Capabilities work?
Linux capabilities were introduced in kernel 2.2 to break the binary divide between an unprivileged user and an omnipotent root; file capabilities, stored in the security.capability extended attribute of an executable, followed in 2.6.24. The kernel exposes about 40 discrete privileges, for example CAP_NET_BIND_SERVICE (bind to ports below 1024), CAP_SYS_ADMIN (a catch-all covering mount, namespaces and much more), CAP_NET_ADMIN, CAP_DAC_OVERRIDE (bypass file permission checks) and CAP_SYS_PTRACE (trace arbitrary processes). Each thread carries five capability sets: permitted, effective, inheritable, bounding and ambient. The effective set is what the kernel actually checks on a privileged operation, and the bounding set limits what the process and its descendants can ever gain. The design loosely follows the POSIX.1e draft, which was never ratified. Userspace tools shipped with libcap include capsh (inspect and manipulate a shell's capability sets), getcap and setcap (read or assign file capabilities) and getpcaps (print another process's sets). Container runtimes such as Docker and containerd start containers with a default subset (CAP_SYS_ADMIN dropped, CAP_NET_BIND_SERVICE kept), and the Kubernetes Pod Security Standards restrict them further: the restricted profile requires dropping ALL and permits adding back only NET_BIND_SERVICE. The practitioner caveat is that capabilities are not equally small: CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_PTRACE, CAP_DAC_OVERRIDE, CAP_SETUID and several others are each enough to regain full root, so granting one of them is not least privilege in any meaningful sense. Used carefully, capabilities are foundational for least-privilege design on Linux servers and CNCF-style workloads.
How do you defend against Linux Capabilities?
Capabilities are a control rather than a threat; the thing to defend against is over-granting them. Start from an empty set and add back only what the workload demonstrably needs (in Kubernetes, drop ALL in the container's securityContext and add individual capabilities). Treat CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_PTRACE, CAP_DAC_OVERRIDE and the setuid/setgid family as root-equivalent and refuse them in code review and admission policy. Audit file capabilities on hosts and in images with getcap, because a stray cap_setuid or cap_dac_override stamped on a binary is a local privilege-escalation path. Shrink the bounding set so that no descendant can reacquire dropped capabilities, and pair capabilities with an LSM (SELinux, AppArmor or BPF LSM) and a seccomp filter, since a capability bit still authorises the entire class of operations it covers.
What are other names for Linux Capabilities?
Common alternative names include: POSIX capabilities, Linux caps.
● Related terms
- identity-access№ 120
BPF LSM
A Linux Security Module that lets verified eBPF programs attach to LSM hooks and enforce custom Mandatory Access Control decisions on syscalls, files, sockets, and capabilities.
- identity-access№ 585
Kernel Mode vs User Mode
The two CPU privilege levels enforced by modern operating systems — kernel mode (supervisor, ring 0) with full hardware access and user mode (ring 3) restricted to its own address space and limited instructions.
- cloud-security№ 600
Kubernetes Security
The protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.
- vulnerabilities№ 860
Privilege Escalation
A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.
- cryptography№ 1006
SELinux
Security-Enhanced Linux, an NSA-developed mandatory access control framework implemented via the Linux Security Module hooks and a type-enforcement policy.
● See also
- № 367 eBPF Security