1 .\" Copyright (c) 2002 by Michael Kerrisk <mtk.manpages@gmail.com>
3 .\" %%%LICENSE_START(VERBATIM)
4 .\" Permission is granted to make and distribute verbatim copies of this
5 .\" manual provided the copyright notice and this permission notice are
6 .\" preserved on all copies.
8 .\" Permission is granted to copy and distribute modified versions of this
9 .\" manual under the conditions for verbatim copying, provided that the
10 .\" entire resulting derived work is distributed under the terms of a
11 .\" permission notice identical to this one.
13 .\" Since the Linux kernel and libraries are constantly changing, this
14 .\" manual page may be incorrect or out-of-date. The author(s) assume no
15 .\" responsibility for errors or omissions, or for damages resulting from
16 .\" the use of the information contained herein. The author(s) may not
17 .\" have taken the same level of care in the production of this manual,
18 .\" which is licensed free of charge, as they might when working
21 .\" Formatted or processed versions of this manual, if unaccompanied by
22 .\" the source, must acknowledge the copyright and authors of this work.
25 .\" 6 Aug 2002 - Initial Creation
26 .\" Modified 2003-05-23, Michael Kerrisk, <mtk.manpages@gmail.com>
27 .\" Modified 2004-05-27, Michael Kerrisk, <mtk.manpages@gmail.com>
28 .\" 2004-12-08, mtk Added O_NOATIME for CAP_FOWNER
29 .\" 2005-08-16, mtk, Added CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE
30 .\" 2008-07-15, Serge Hallyn <serue@us.bbm.com>
31 .\" Document file capabilities, per-process capability
32 .\" bounding set, changed semantics for CAP_SETPCAP,
33 .\" and other changes in 2.6.2[45].
34 .\" Add CAP_MAC_ADMIN, CAP_MAC_OVERRIDE, CAP_SETFCAP.
36 .\" Add text describing circumstances in which CAP_SETPCAP
37 .\" (theoretically) permits a thread to change the
38 .\" capability sets of another thread.
39 .\" Add section describing rules for programmatically
40 .\" adjusting thread capability sets.
41 .\" Describe rationale for capability bounding set.
42 .\" Document "securebits" flags.
43 .\" Add text noting that if we set the effective flag for one file
44 .\" capability, then we must also set the effective flag for all
45 .\" other capabilities where the permitted or inheritable bit is set.
46 .\" 2011-09-07, mtk/Serge hallyn: Add CAP_SYSLOG
48 .TH CAPABILITIES 7 2016-12-12 "Linux" "Linux Programmer's Manual"
50 capabilities \- overview of Linux capabilities
52 For the purpose of performing permission checks,
53 traditional UNIX implementations distinguish two categories of processes:
55 processes (whose effective user ID is 0, referred to as superuser or root),
58 processes (whose effective UID is nonzero).
59 Privileged processes bypass all kernel permission checks,
60 while unprivileged processes are subject to full permission
61 checking based on the process's credentials
62 (usually: effective UID, effective GID, and supplementary group list).
64 Starting with kernel 2.2, Linux divides the privileges traditionally
65 associated with superuser into distinct units, known as
67 which can be independently enabled and disabled.
68 Capabilities are a per-thread attribute.
71 The following list shows the capabilities implemented on Linux,
72 and the operations or behaviors that each capability permits:
74 .BR CAP_AUDIT_CONTROL " (since Linux 2.6.11)"
75 Enable and disable kernel auditing; change auditing filter rules;
76 retrieve auditing status and filtering rules.
78 .BR CAP_AUDIT_READ " (since Linux 3.16)"
79 .\" commit a29b694aa1739f9d76538e34ae25524f9c549d59
80 .\" commit 3a101b8de0d39403b2c7e5c23fd0b005668acf48
81 Allow reading the audit log via a multicast netlink socket.
83 .BR CAP_AUDIT_WRITE " (since Linux 2.6.11)"
84 Write records to kernel auditing log.
86 .BR CAP_BLOCK_SUSPEND " (since Linux 3.5)"
87 Employ features that can block system suspend
90 .IR /proc/sys/wake_lock ).
93 Make arbitrary changes to file UIDs and GIDs (see
97 Bypass file read, write, and execute permission checks.
98 (DAC is an abbreviation of "discretionary access control".)
100 .B CAP_DAC_READ_SEARCH
104 Bypass file read permission checks and
105 directory read and execute permission checks;
108 .BR open_by_handle_at (2);
113 flag to create a link to a file referred to by a file descriptor.
121 Bypass permission checks on operations that normally
122 require the filesystem UID of the process to match the UID of
126 excluding those operations covered by
129 .BR CAP_DAC_READ_SEARCH ;
132 .BR ioctl_iflags (2))
135 set Access Control Lists (ACLs) on arbitrary files;
137 ignore directory sticky bit on file deletion;
141 for arbitrary files in
152 Don't clear set-user-ID and set-group-ID mode
153 bits when a file is modified;
155 set the set-group-ID bit for a file whose GID does not match
156 the filesystem or any of the supplementary GIDs of the calling process.
161 .\" FIXME . As at Linux 3.2, there are some strange uses of this capability
162 .\" in other places; they probably should be replaced with something else.
170 Bypass permission checks for operations on System V IPC objects.
173 Bypass permission checks for sending signals (see
175 This includes use of the
179 .\" FIXME . CAP_KILL also has an effect for threads + setting child
180 .\" termination signal to other than SIGCHLD: without this
181 .\" capability, the termination signal reverts to SIGCHLD
182 .\" if the child does an exec(). What is the rationale
185 .BR CAP_LEASE " (since Linux 2.4)"
186 Establish leases on arbitrary files (see
189 .B CAP_LINUX_IMMUTABLE
195 .BR ioctl_iflags (2)).
197 .BR CAP_MAC_ADMIN " (since Linux 2.6.25)"
198 Override Mandatory Access Control (MAC).
199 Implemented for the Smack Linux Security Module (LSM).
201 .BR CAP_MAC_OVERRIDE " (since Linux 2.6.25)"
202 Allow MAC configuration or state changes.
203 Implemented for the Smack LSM.
205 .BR CAP_MKNOD " (since Linux 2.4)"
206 Create special files using
210 Perform various network-related operations:
214 interface configuration;
216 administration of IP firewall, masquerading, and accounting;
218 modify routing tables;
220 bind to any address for transparent proxying;
222 set type-of-service (TOS)
224 clear driver statistics;
226 set promiscuous mode;
228 enabling multicasting;
232 to set the following socket options:
236 (for a priority outside the range 0 to 6),
243 .B CAP_NET_BIND_SERVICE
244 Bind a socket to Internet domain privileged ports
245 (port numbers less than 1024).
248 (Unused) Make socket broadcasts, and listen to multicasts.
254 Use RAW and PACKET sockets;
256 bind to any address for transparent proxying.
259 .\" Also various IP options and setsockopt(SO_BINDTODEVICE)
265 Make arbitrary manipulations of process GIDs and supplementary GID list;
267 forge GID when passing socket credentials via UNIX domain sockets;
269 write a group ID mapping in a user namespace (see
270 .BR user_namespaces (7)).
274 .BR CAP_SETFCAP " (since Linux 2.6.24)"
275 Set file capabilities.
278 If file capabilities are not supported:
279 grant or remove any capability in the
280 caller's permitted capability set to or from any other process.
283 is not available when the kernel is configured to support
284 file capabilities, since
286 has entirely different semantics for such kernels.)
288 If file capabilities are supported:
289 add any capability from the calling thread's bounding set
290 to its inheritable set;
291 drop capabilities from the bounding set (via
293 .BR PR_CAPBSET_DROP );
302 Make arbitrary manipulations of process UIDs
308 forge UID when passing socket credentials via UNIX domain sockets;
310 write a user ID mapping in a user namespace (see
311 .BR user_namespaces (7)).
314 .\" FIXME CAP_SETUID also an effect in exec(); document this.
318 this capability is overloaded; see
319 .IR "Notes to kernel developers" ,
325 Perform a range of system administration operations including:
333 .BR setdomainname (2);
337 operations (since Linux 2.6.37,
339 should be used to permit such operations);
350 operations on arbitrary System V IPC objects;
356 perform operations on
360 Extended Attributes (see
364 .BR lookup_dcookie (2);
370 and (before Linux 2.6.25)
372 I/O scheduling classes;
374 forge PID when passing socket credentials via UNIX domain sockets;
377 .IR /proc/sys/fs/file-max ,
378 the system-wide limit on the number of open files,
379 in system calls that open files (e.g.,
387 flags that create new namespaces with
391 (but, since Linux 3.8,
392 creating user namespaces does not require any capability);
395 .BR perf_event_open (2);
410 .BR fanotify_init (2);
424 .B PTRACE_SECCOMP_GET_FILTER
425 to dump a tracees seccomp filters;
435 to insert characters into the input queue of a terminal other than
436 the caller's controlling terminal;
446 perform various privileged block-device
450 perform various privileged filesystem
463 filter without first having to set the
467 modify allow/deny rules for device control groups;
471 .B PTRACE_SECCOMP_GET_FILTER
472 operation to dump tracee's seccomp filters;
477 operation to suspend the tracee's seccomp protections (i.e., the
478 .B PTRACE_O_SUSPEND_SECCOMP
481 perform administrative operations on many device drivers.
499 Load and unload kernel modules
503 .BR delete_module (2));
505 in kernels before 2.6.25:
506 drop capabilities from the system-wide capability bounding set.
514 Raise process nice value
517 and change the nice value for arbitrary processes;
519 set real-time scheduling policies for calling process,
520 and set scheduling policies and priorities for arbitrary processes
521 .RB ( sched_setscheduler (2),
522 .BR sched_setparam (2),
523 .BR shed_setattr (2));
525 set CPU affinity for arbitrary processes
526 .RB ( sched_setaffinity (2));
528 set I/O scheduling class and priority for arbitrary processes
529 .RB ( ioprio_set (2));
532 .BR migrate_pages (2)
533 to arbitrary processes and allow processes
534 to be migrated to arbitrary nodes;
535 .\" FIXME CAP_SYS_NICE also has the following effect for
536 .\" migrate_pages(2):
537 .\" do_migrate_pages(mm, &old, &new,
538 .\" capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
544 to arbitrary processes;
563 Trace arbitrary processes using
567 .BR get_robust_list (2)
568 to arbitrary processes;
570 transfer data to or from the memory of arbitrary processes using
571 .BR process_vm_readv (2)
573 .BR process_vm_writev (2);
575 inspect processes using
584 Perform I/O port operations
597 open devices for accessing x86 model-specific registers (MSRs, see
601 .IR /proc/sys/vm/mmap_min_addr ;
603 create memory mappings at addresses below the value specified by
604 .IR /proc/sys/vm/mmap_min_addr ;
614 perform various SCSI device commands;
616 perform certain operations on
622 perform a range of device-specific operations on other devices.
630 Use reserved space on ext2 filesystems;
634 calls controlling ext3 journaling;
636 override disk quota limits;
638 increase resource limits (see
645 override maximum number of consoles on console allocation;
647 override maximum number of keymaps;
649 allow more than 64hz interrupts from the real-time clock;
653 limit for a System V message queue above the limit in
654 .I /proc/sys/kernel/msgmnb
662 resource limit on the number of "in-flight" file descriptors
663 to be bypassed when passing file descriptors to another process
664 via a UNIX domain socket (see
668 .I /proc/sys/fs/pipe-size-max
669 limit when setting the capacity of a pipe using the
676 to increase the capacity of a pipe above the limit specified by
677 .IR /proc/sys/fs/pipe-max-size ;
680 .I /proc/sys/fs/mqueue/queues_max
681 limit when creating POSIX message queues (see
682 .BR mq_overview (7));
690 .IR /proc/[pid]/oom_score_adj
691 to a value lower than the value last set by a process with
692 .BR CAP_SYS_RESOURCE .
698 .RB ( settimeofday (2),
701 set real-time (hardware) clock.
703 .B CAP_SYS_TTY_CONFIG
706 employ various privileged
708 operations on virtual terminals.
710 .BR CAP_SYSLOG " (since Linux 2.6.37)"
719 for information on which operations require privilege.
721 View kernel addresses exposed via
723 and other interfaces when
724 .IR /proc/sys/kernel/kptr_restrict
726 (See the discussion of the
733 .BR CAP_WAKE_ALARM " (since Linux 3.0)"
734 Trigger something that will wake up the system (set
735 .B CLOCK_REALTIME_ALARM
737 .B CLOCK_BOOTTIME_ALARM
740 .SS Past and current implementation
741 A full implementation of capabilities requires that:
743 For all privileged operations,
744 the kernel must check whether the thread has the required
745 capability in its effective set.
747 The kernel must provide system calls allowing a thread's capability sets to
748 be changed and retrieved.
750 The filesystem must support attaching capabilities to an executable file,
751 so that a process gains those capabilities when the file is executed.
753 Before kernel 2.6.24, only the first two of these requirements are met;
754 since kernel 2.6.24, all three requirements are met.
756 .SS Notes to kernel developers
757 When adding a new kernel feature that should be governed by a capability,
758 consider the following points.
760 The goal of capabilities is divide the power of superuser into pieces,
761 such that if a program that has one or more capabilities is compromised,
762 its power to do damage to the system would be less than the same program
763 running with root privilege.
765 You have the choice of either creating a new capability for your new feature,
766 or associating the feature with one of the existing capabilities.
767 In order to keep the set of capabilities to a manageable size,
768 the latter option is preferable,
769 unless there are compelling reasons to take the former option.
770 (There is also a technical limit:
771 the size of capability sets is currently limited to 64 bits.)
773 To determine which existing capability might best be associated
774 with your new feature, review the list of capabilities above in order
775 to find a "silo" into which your new feature best fits.
776 One approach to take is to determine if there are other features
777 requiring capabilities that will always be use along with the new feature.
778 If the new feature is useless without these other features,
779 you should use the same capability as the other features.
784 if you can possibly avoid it!
785 A vast proportion of existing capability checks are associated
786 with this capability (see the partial list above).
787 It can plausibly be called "the new root",
788 since on the one hand, it confers a wide range of powers,
789 and on the other hand,
790 its broad scope means that this is the capability
791 that is required by many privileged programs.
792 Don't make the problem worse.
793 The only new features that should be associated with
797 match existing uses in that silo.
799 If you have determined that it really is necessary to create
800 a new capability for your feature,
801 don't make or name it as a "single-use" capability.
802 Thus, for example, the addition of the highly specific
804 was probably a mistake.
805 Instead, try to identify and name your new capability as a broader
806 silo into which other related future use cases might fit.
808 .SS Thread capability sets
809 Each thread has three capability sets containing zero or more
810 of the above capabilities:
813 This is a limiting superset for the effective
814 capabilities that the thread may assume.
815 It is also a limiting superset for the capabilities that
816 may be added to the inheritable set by a thread that does not have the
818 capability in its effective set.
820 If a thread drops a capability from its permitted set,
821 it can never reacquire that capability (unless it
823 either a set-user-ID-root program, or
824 a program whose associated file capabilities grant that capability).
827 This is a set of capabilities preserved across an
829 Inheritable capabilities remain inheritable when executing any program,
830 and inheritable capabilities are added to the permitted set when executing
831 a program that has the corresponding bits set in the file inheritable set.
833 Because inheritable capabilities are not generally preserved across
835 when running as a non-root user, applications that wish to run helper
836 programs with elevated capabilities should consider using
837 ambient capabilities, described below.
840 This is the set of capabilities used by the kernel to
841 perform permission checks for the thread.
843 .IR Ambient " (since Linux 4.3):"
844 .\" commit 58319057b7847667f0c9585b9de0e8932b0fdb08
845 This is a set of capabilities that are preserved across an
847 of a program that is not privileged.
848 The ambient capability set obeys the invariant that no capability
849 can ever be ambient if it is not both permitted and inheritable.
851 The ambient capability set can be directly modified using
853 Ambient capabilities are automatically lowered if either of
854 the corresponding permitted or inheritable capabilities is lowered.
856 Executing a program that changes UID or GID due to the
857 set-user-ID or set-group-ID bits or executing a program that has
858 any file capabilities set will clear the ambient set.
859 Ambient capabilities are added to the permitted set and
860 assigned to the effective set when
866 inherits copies of its parent's capability sets.
867 See below for a discussion of the treatment of capabilities during
872 a thread may manipulate its own capability sets (see below).
874 Since Linux 3.2, the file
875 .I /proc/sys/kernel/cap_last_cap
876 .\" commit 73efc0394e148d0e15583e13712637831f926720
877 exposes the numerical value of the highest capability
878 supported by the running kernel;
879 this can be used to determine the highest bit
880 that may be set in a capability set.
882 .SS File capabilities
883 Since kernel 2.6.24, the kernel supports
884 associating capability sets with an executable file using
886 The file capability sets are stored in an extended attribute (see
889 .IR "security.capability" .
890 Writing to this extended attribute requires the
893 The file capability sets,
894 in conjunction with the capability sets of the thread,
895 determine the capabilities of a thread after an
898 The three file capability sets are:
900 .IR Permitted " (formerly known as " forced ):
901 These capabilities are automatically permitted to the thread,
902 regardless of the thread's inheritable capabilities.
904 .IR Inheritable " (formerly known as " allowed ):
905 This set is ANDed with the thread's inheritable set to determine which
906 inheritable capabilities are enabled in the permitted set of
911 This is not a set, but rather just a single bit.
912 If this bit is set, then during an
914 all of the new permitted capabilities for the thread are
915 also raised in the effective set.
916 If this bit is not set, then after an
918 none of the new permitted capabilities is in the new effective set.
920 Enabling the file effective capability bit implies
921 that any file permitted or inheritable capability that causes a
922 thread to acquire the corresponding permitted capability during an
924 (see the transformation rules described below) will also acquire that
925 capability in its effective set.
926 Therefore, when assigning capabilities to a file
928 .BR cap_set_file (3),
930 if we specify the effective flag as being enabled for any capability,
931 then the effective flag must also be specified as enabled
932 for all other capabilities for which the corresponding permitted or
933 inheritable flags is enabled.
936 .SS Transformation of capabilities during execve()
940 the kernel calculates the new capabilities of
941 the process using the following algorithm:
945 P'(ambient) = (file is privileged) ? 0 : P(ambient)
947 P'(permitted) = (P(inheritable) & F(inheritable)) |
948 (F(permitted) & cap_bset) | P'(ambient)
950 P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
952 P'(inheritable) = P(inheritable) [i.e., unchanged]
959 denotes the value of a thread capability set before the
962 denotes the value of a thread capability set after the
965 denotes a file capability set
967 is the value of the capability bounding set (described below).
970 A privileged file is one that has capabilities or
971 has the set-user-ID or set-group-ID bit set.
974 the capability transitions described above may
976 performed (i.e., file capabilities may be ignored) for the same reasons
977 that the set-user-ID and set-group-ID bits are ignored; see
980 .SS Safety checking for capability-dumb binaries
981 A capability-dumb binary is an application that has been
982 marked to have file capabilities, but has not been converted to use the
984 API to manipulate its capabilities.
985 (In other words, this is a traditional set-user-ID-root program
986 that has been switched to use file capabilities,
987 but whose code has not been modified to understand capabilities.)
988 For such applications,
989 the effective capability bit is set on the file,
990 so that the file permitted capabilities are automatically
991 enabled in the process effective set when executing the file.
992 The kernel recognizes a file which has the effective capability bit set
993 as capability-dumb for the purpose of the check described here.
995 When executing a capability-dumb binary,
996 the kernel checks if the process obtained all permitted capabilities
997 that were specified in the file permitted set,
998 after the capability transformations described above have been performed.
999 (The typical reason why this might
1001 occur is that the capability bounding set masked out some
1002 of the capabilities in the file permitted set.)
1003 If the process did not obtain the full set of
1004 file permitted capabilities, then
1006 fails with the error
1008 This prevents possible security risks that could arise when
1009 a capability-dumb application is executed with less privilege that it needs.
1010 Note that, by definition,
1011 the application could not itself recognize this problem,
1012 since it does not employ the
1016 .SS Capabilities and execution of programs by root
1017 In order to provide an all-powerful
1019 using capability sets, during an
1022 If a set-user-ID-root program is being executed,
1023 or the real user ID of the process is 0 (root)
1024 then the file inheritable and permitted sets are defined to be all ones
1025 (i.e., all capabilities enabled).
1027 If a set-user-ID-root program is being executed,
1028 then the file effective bit is defined to be one (enabled).
1030 The upshot of the above rules,
1031 combined with the capabilities transformations described above,
1032 is that when a process
1034 a set-user-ID-root program, or when a process with an effective UID of 0
1037 it gains all capabilities in its permitted and effective capability sets,
1038 except those masked out by the capability bounding set.
1039 .\" If a process with real UID 0, and nonzero effective UID does an
1040 .\" exec(), then it gets all capabilities in its
1041 .\" permitted set, and no effective capabilities
1042 This provides semantics that are the same as those provided by
1043 traditional UNIX systems.
1044 .SS Capability bounding set
1045 The capability bounding set is a security mechanism that can be used
1046 to limit the capabilities that can be gained during an
1048 The bounding set is used in the following ways:
1052 the capability bounding set is ANDed with the file permitted
1053 capability set, and the result of this operation is assigned to the
1054 thread's permitted capability set.
1055 The capability bounding set thus places a limit on the permitted
1056 capabilities that may be granted by an executable file.
1058 (Since Linux 2.6.25)
1059 The capability bounding set acts as a limiting superset for
1060 the capabilities that a thread can add to its inheritable set using
1062 This means that if a capability is not in the bounding set,
1063 then a thread can't add this capability to its
1064 inheritable set, even if it was in its permitted capabilities,
1065 and thereby cannot have this capability preserved in its
1066 permitted set when it
1068 a file that has the capability in its inheritable set.
1070 Note that the bounding set masks the file permitted capabilities,
1071 but not the inherited capabilities.
1072 If a thread maintains a capability in its inherited set
1073 that is not in its bounding set,
1074 then it can still gain that capability in its permitted set
1075 by executing a file that has the capability in its inherited set.
1077 Depending on the kernel version, the capability bounding set is either
1078 a system-wide attribute, or a per-process attribute.
1080 .B "Capability bounding set prior to Linux 2.6.25"
1082 In kernels before 2.6.25, the capability bounding set is a system-wide
1083 attribute that affects all threads on the system.
1084 The bounding set is accessible via the file
1085 .IR /proc/sys/kernel/cap-bound .
1086 (Confusingly, this bit mask parameter is expressed as a
1087 signed decimal number in
1088 .IR /proc/sys/kernel/cap-bound .)
1092 process may set capabilities in the capability bounding set;
1093 other than that, the superuser (more precisely: programs with the
1095 capability) may only clear capabilities from this set.
1097 On a standard system the capability bounding set always masks out the
1100 To remove this restriction (dangerous!), modify the definition of
1103 .I include/linux/capability.h
1104 and rebuild the kernel.
1106 The system-wide capability bounding set feature was added
1107 to Linux starting with kernel version 2.2.11.
1110 .B "Capability bounding set from Linux 2.6.25 onward"
1112 From Linux 2.6.25, the
1113 .I "capability bounding set"
1114 is a per-thread attribute.
1115 (There is no longer a system-wide capability bounding set.)
1117 The bounding set is inherited at
1119 from the thread's parent, and is preserved across an
1122 A thread may remove capabilities from its capability bounding set using the
1125 operation, provided it has the
1128 Once a capability has been dropped from the bounding set,
1129 it cannot be restored to that set.
1130 A thread can determine if a capability is in its bounding set using the
1135 Removing capabilities from the bounding set is supported only if file
1136 capabilities are compiled into the kernel.
1137 In kernels before Linux 2.6.33,
1138 file capabilities were an optional feature configurable via the
1139 .B CONFIG_SECURITY_FILE_CAPABILITIES
1142 .\" commit b3a222e52e4d4be77cc4520a57af1a4a0d8222d1
1143 the configuration option has been removed
1144 and file capabilities are always part of the kernel.
1145 When file capabilities are compiled into the kernel, the
1147 process (the ancestor of all processes) begins with a full bounding set.
1148 If file capabilities are not compiled into the kernel, then
1150 begins with a full bounding set minus
1152 because this capability has a different meaning when there are
1153 no file capabilities.
1155 Removing a capability from the bounding set does not remove it
1156 from the thread's inherited set.
1157 However it does prevent the capability from being added
1158 back into the thread's inherited set in the future.
1161 .SS Effect of user ID changes on capabilities
1162 To preserve the traditional semantics for transitions between
1163 0 and nonzero user IDs,
1164 the kernel makes the following changes to a thread's capability
1165 sets on changes to the thread's real, effective, saved set,
1166 and filesystem user IDs (using
1171 If one or more of the real, effective or saved set user IDs
1172 was previously 0, and as a result of the UID changes all of these IDs
1173 have a nonzero value,
1174 then all capabilities are cleared from the permitted and effective
1177 If the effective user ID is changed from 0 to nonzero,
1178 then all capabilities are cleared from the effective set.
1180 If the effective user ID is changed from nonzero to 0,
1181 then the permitted set is copied to the effective set.
1183 If the filesystem user ID is changed from 0 to nonzero (see
1185 then the following capabilities are cleared from the effective set:
1187 .BR CAP_DAC_OVERRIDE ,
1188 .BR CAP_DAC_READ_SEARCH ,
1191 .B CAP_LINUX_IMMUTABLE
1192 (since Linux 2.6.30),
1193 .BR CAP_MAC_OVERRIDE ,
1196 (since Linux 2.6.30).
1197 If the filesystem UID is changed from nonzero to 0,
1198 then any of these capabilities that are enabled in the permitted set
1199 are enabled in the effective set.
1201 If a thread that has a 0 value for one or more of its user IDs wants
1202 to prevent its permitted capability set being cleared when it resets
1203 all of its user IDs to nonzero values, it can do so using the
1208 securebits flag described below.
1210 .SS Programmatically adjusting capability sets
1211 A thread can retrieve and change its capability sets using the
1217 .BR cap_get_proc (3)
1219 .BR cap_set_proc (3),
1220 both provided in the
1223 is preferred for this purpose.
1224 The following rules govern changes to the thread capability sets:
1226 If the caller does not have the
1229 the new inheritable set must be a subset of the combination
1230 of the existing inheritable and permitted sets.
1232 (Since Linux 2.6.25)
1233 The new inheritable set must be a subset of the combination of the
1234 existing inheritable set and the capability bounding set.
1236 The new permitted set must be a subset of the existing permitted set
1237 (i.e., it is not possible to acquire permitted capabilities
1238 that the thread does not currently have).
1240 The new effective set must be a subset of the new permitted set.
1241 .SS The securebits flags: establishing a capabilities-only environment
1242 .\" For some background:
1243 .\" see http://lwn.net/Articles/280279/ and
1244 .\" http://article.gmane.org/gmane.linux.kernel.lsm/5476/
1245 Starting with kernel 2.6.26,
1246 and with a kernel in which file capabilities are enabled,
1247 Linux implements a set of per-thread
1249 flags that can be used to disable special handling of capabilities for UID 0
1251 These flags are as follows:
1254 Setting this flag allows a thread that has one or more 0 UIDs to retain
1255 its capabilities when it switches all of its UIDs to a nonzero value.
1256 If this flag is not set,
1257 then such a UID switch causes the thread to lose all capabilities.
1258 This flag is always cleared on an
1260 (This flag provides the same functionality as the older
1265 .B SECBIT_NO_SETUID_FIXUP
1266 Setting this flag stops the kernel from adjusting capability sets when
1267 the thread's effective and filesystem UIDs are switched between
1268 zero and nonzero values.
1270 .IR "Effect of user ID changes on capabilities" .)
1273 If this bit is set, then the kernel does not grant capabilities
1274 when a set-user-ID-root program is executed, or when a process with
1275 an effective or real UID of 0 calls
1278 .IR "Capabilities and execution of programs by root" .)
1280 .B SECBIT_NO_CAP_AMBIENT_RAISE
1281 Setting this flag disallows raising ambient capabilities via the
1283 .BR PR_CAP_AMBIENT_RAISE
1286 Each of the above "base" flags has a companion "locked" flag.
1287 Setting any of the "locked" flags is irreversible,
1288 and has the effect of preventing further changes to the
1289 corresponding "base" flag.
1290 The locked flags are:
1291 .BR SECBIT_KEEP_CAPS_LOCKED ,
1292 .BR SECBIT_NO_SETUID_FIXUP_LOCKED ,
1293 .BR SECBIT_NOROOT_LOCKED ,
1295 .BR SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED .
1299 flags can be modified and retrieved using the
1301 .B PR_SET_SECUREBITS
1303 .B PR_GET_SECUREBITS
1307 capability is required to modify the flags.
1311 flags are inherited by child processes.
1314 all of the flags are preserved, except
1316 which is always cleared.
1318 An application can use the following call to lock itself,
1319 and all of its descendants,
1320 into an environment where the only way of gaining capabilities
1321 is by executing a program with associated file capabilities:
1325 prctl(PR_SET_SECUREBITS,
1326 /* SECBIT_KEEP_CAPS off */
1327 SECBIT_KEEP_CAPS_LOCKED |
1328 SECBIT_NO_SETUID_FIXUP |
1329 SECBIT_NO_SETUID_FIXUP_LOCKED |
1331 SECBIT_NOROOT_LOCKED);
1332 /* Setting/locking SECURE_NO_CAP_AMBIENT_RAISE
1336 .SS Interaction with user namespaces
1337 For a discussion of the interaction of capabilities and user namespaces, see
1338 .BR user_namespaces (7).
1341 No standards govern capabilities, but the Linux capability implementation
1342 is based on the withdrawn POSIX.1e draft standard; see
1343 .UR http://wt.tuxomania.net\:/publications\:/posix.1e/
1346 From kernel 2.5.27 to kernel 2.6.26,
1347 .\" commit 5915eb53861c5776cfec33ca4fcc1fd20d66dd27 removed
1348 .\" CONFIG_SECURITY_CAPABILITIES
1349 capabilities were an optional kernel component,
1350 and could be enabled/disabled via the
1351 .B CONFIG_SECURITY_CAPABILITIES
1352 kernel configuration option.
1355 .I /proc/[pid]/task/TID/status
1356 file can be used to view the capability sets of a thread.
1358 .I /proc/[pid]/status
1359 file shows the capability sets of a process's main thread.
1360 Before Linux 3.8, nonexistent capabilities were shown as being
1361 enabled (1) in these sets.
1363 .\" 7b9a7ec565505699f503b4fcf61500dceb36e744
1364 all nonexistent capabilities (above
1366 are shown as disabled (0).
1370 package provides a suite of routines for setting and
1371 getting capabilities that is more comfortable and less likely
1372 to change than the interface provided by
1376 This package also provides the
1383 .UR http://www.kernel.org\:/pub\:/linux\:/libs\:/security\:/linux\-privs
1386 Before kernel 2.6.24, and from kernel 2.6.24 to kernel 2.6.32 if
1387 file capabilities are not enabled, a thread with the
1389 capability can manipulate the capabilities of threads other than itself.
1390 However, this is only theoretically possible,
1391 since no thread ever has
1393 in either of these cases:
1395 In the pre-2.6.25 implementation the system-wide capability bounding set,
1396 .IR /proc/sys/kernel/cap-bound ,
1397 always masks out this capability, and this can not be changed
1398 without modifying the kernel source and rebuilding.
1400 If file capabilities are disabled in the current implementation, then
1402 starts out with this capability removed from its per-process bounding
1403 set, and that bounding set is inherited by all other processes
1404 created on the system.
1411 .BR cap_copy_ext (3),
1412 .BR cap_from_text (3),
1413 .BR cap_get_file (3),
1414 .BR cap_get_proc (3),
1420 .BR credentials (7),
1422 .BR user_namespaces (7),
1426 .I include/linux/capability.h
1427 in the Linux kernel source tree