Linux-Privs: Capabilities

2. Capabilities

In this chapter we list the capabilities known to the Linux Kernel. Firstly, we list the POSIX defined capabilities, and then those specific to Linux.

2.1 POSIX capabilities

Here we list the POSIX capabilities honored by Linux.

CAP_CHOWN

The #define for the symbol _POSIX_CHOWN_RESTRICTED, indicates that this capability (CAP_CHOWN) is known.

This capability enables the current process to change the owner of a file. Generally, file ownership is not changeable by a user: it is implied by the user that creates it.

CAP_DAC_OVERRIDE

The #define for the symbol _POSIX_ACL, indicates that Access Control Lists (an implementation of Discretionary Access Control) are supported by the kernel and that the following capabilities is known: CAP_DAC_OVERRIDE.

This capability overrides all DAC restrictions regarding read and search on files and directories, including ACL's.

CAP_DAC_READ_SEARCH

Overrides all restrictions about allowed operations on files, where file owner ID must be equal to the user ID, except where CAP_FSETID is applicable. It doesn't override MAC and DAC restrictions.

CAP_FOWNER

Overrides the following restrictions that the effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that file; that the effective group ID (or one of the supplementary group IDs) shall match the file's group owner ID when setting the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are cleared on successful return from chown(2).

CAP_FSETID

Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.

CAP_KILL

Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.

CAP_LINK_DIR

Overrides the restriction that a process cannot create or delete a hard link to a directory. This shall not override MAC and DAC policies.

CAP_SETFCAP

Allows the (re)setting of a files capabilities.

CAP_SETGID

Allows setgid(2) manipulation.

CAP_SETUID

Allows setuid(2) manipulation

CAP_SIGMASK

Overrides the restriction that no process may block SIGKILL and SIGSTOP.

CAP_MAC_DOWNGRADE

This capability is available if _POSIX_MAC is #define'd. This capability allows a process to downgrade an object's information label.

CAP_MAC_READ

This capability is available if _POSIX_MAC is #define'd. Allows a process to override MAC read restrictions.

CAP_MAC_RELABEL_SUBJ

This capability is available if _POSIX_MAC is #define'd. Allows a process to modify its own label.

CAP_MAC_UPGRADE

This capability is available if _POSIX_MAC is #define'd. This capability allows a process to upgrade an object's information label.

CAP_MAC_WRITE

This capability is available if _POSIX_MAC is #define'd. This capability overrides the MAC restrictions on writes.

CAP_INF_NOFLOAT_OBJ

This capability is available if _POSIX_INF is #define'd. This capability prevents a process' information label from floating during writes.

CAP_INF_NOFLOAT_SUBJ

This capability is available if _POSIX_INF is #define'd. This capability prevents the process' information label from floating during reads or executes.

CAP_INF_RELABEL_OBJ

This capability is available if _POSIX_INF is #define'd. This capability allows a process to change an object's information label.

CAP_INF_RELABEL_SUBJ

This capability is available if _POSIX_INF is #define'd. This capability allows a process to modify its own information label in violation of the overriding policy.

CAP_AUDIT_CONTROL

This capability is available if _POSIX_AUD is #define'd. This capability allows a process to modify the audit control parameters.

CAP_AUDIT_WRITE

This capability is available if _POSIX_AUD is #define'd. This capability allows a process to write data to the audit trail.

2.2 Linux specific capabilities

This section lists additional capabilities that are specific to Linux or not covered by the POSIX capability definitions.

CAP_LINUX_IMMUTABLE

Allow modification of S_IMMUTABLE and S_APPEND file attributes.

CAP_LINUX_KERNELD

Permission to act as kerneld.

CAP_LINUX_INSMOD

Allow installation of kernel modules.

CAP_LINUX_RMMOD

Allow removal of kernel modules.

CAP_LINUX_RAWIO

Allow ioperm/iopl access.

CAP_LINUX_ATTENTION

Allow configuration of the secure attention key.

CAP_LINUX_RANDOM

Allow administration of the random device.

2.3 Other capabilities

This sction lists those capabilities commonly found on other systems besides Linux, but which are not specified by POSIX.

CAP_NET_BIND_SERVICE

Allows binding to TCP/UDP sockets below 1024.

CAP_NET_BROADCAST

Allow broadcasting.

CAP_NET_DEBUG

Allow setting debug option on sockets.

CAP_NET_FIREWALL

Allow configuring of firewall stuff.

CAP_NET_IFCONFIG

Allow interface configuration.

CAP_NET_PACKET

Allow use of PACKET sockets.

CAP_NET_RAW

Allow use of RAW sockets.

CAP_NET_ROUTE

Allow modification of routing tables.

CAP_NET_SETID

CAP.FIXME: what is this about?.

CAP_IPC_LOCK

Allow locking of segments in memory.

CAP_IPC_OWNER

Override IPC ownership checks.

CAP_SYS_CHROOT

Allow use of chroot().

CAP_SYS_PTRACE

Allow ptrace() of any process.

CAP_SYS_ACCOUNT

Allow configuration of process accounting.

CAP_SYS_ADMIN

System Admin functions: mount et al.

CAP_SYS_BOOT

Allow use of reboot().

CAP_SYS_DEVICES

Allow device administration.

CAP_SYS_NICE

Allow use of renice() on others, and raising of priority.

CAP_SYS_RESOURCE

Override resource limits.

CAP_SYS_TIME

Allow manipulation of system clock.

CAP_SYS_TTY_CONFIG

Allow configuration of tty devices.

CAP_SYS_QUOTA

Allow examination and configuration of disk quotas.

Previous Next Table of Contents