Code Listing 1.1: CAP_CHOWN
In a system with the [_POSIX_CHOWN_RESTRICTED] option defined,
this overrides the restriction of changing file ownership and
Code Listing 2.1: CAP_DAC_OVERRIDE
Override all DAC access, including ACL execute access
if [_POSIX_ACL] is defined.
Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
Code Listing 3.1: CAP_DAC_READ_SEARCH
Overrides all DAC restrictions, regarding read and search on files
and directories, including ACL restrictions, if [_POSIX_ACL] is
defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
Code Listing 4.1: CAP_FOWNER
Overrides all restrictions about allowed operations on files, where
file owner ID must be equal to the user ID, except where CAP_FSETID
is applicable. It doesn't override MAC and DAC restrictions.
Code Listing 5.1: CAP_FSETID
Overrides the following restrictions, that the effective user ID shall
match the file owner ID, when setting the S_ISUID and S_ISGID bits on
that file; that the effective group ID (or one of the supplementary
group IDs) shall match the file owner ID when setting the S_ISGID bit
on that file; that the S_ISUID and S_ISGID bits are cleared on
successful return from chown(2) (not implemented).
Code Listing 6.1: CAP_FS_MASK
Used to decide between falling back on the old suser() or fsuser().
Code Listing 7.1: CAP_KILL
Overrides the restriction, that the real or effective user ID of a process,
sending a signal, must match the real or effective user ID of the process,
receiving the signal.
Code Listing 8.1: CAP_SETGID
Allows setgid(2) manipulation;
Allows forged gids on socket credentials passing.
Code Listing 9.1: CAP_SETUID
Allows set*uid(2) manipulation (including fsuid);
Allows forged pids on socket credentials passing.
Code Listing 10.1: CAP_SETPCAP
Transfer any capability in your permitted set to any pid, remove any capability in your permitted set from any pid.
Code Listing 11.1: CAP_LINUX_IMMUTABLE
Allow modification of S_IMMUTABLE and S_APPEND file attributes.
Code Listing 12.1: CAP_NET_BIND_SERVICE
Allows binding to TCP/UDP sockets below 1024;
Allows binding to ATM VCIs below 32.
Code Listing 13.1: CAP_NET_BROADCAST
Allow broadcasting, listen to multicast.
Code Listing 14.1: CAP_NET_ADMIN
Allow interface configuration;
Allow administration of IP firewall, masquerading and accounting;
Allow setting debug option on sockets;
Allow modification of routing tables;
Allow setting arbitrary process / process group ownership on sockets;
Allow binding to any address for transparent proxying;
Allow setting TOS (type of service);
Allow setting promiscuous mode;
Allow clearing driver statistics;
Allow read/write of devicespecific registers;
Allow activation of ATM control sockets.
Code Listing 15.1: CAP_NET_RAW
Allow use of RAW sockets;
Allow use of PACKET sockets.
Code Listing 16.1: CAP_IPC_LOCK
Allow locking of shared memory segments;
Allow mlock and mlockall (which doesn't really have anything to do with IPC).
Code Listing 17.1: CAP_IPC_OWNER
Override IPC ownership checks.
Code Listing 18.1: CAP_SYS_MODULE
Insert and remove kernel modules modify kernel without limit;
Code Listing 19.1: CAP_SYS_RAWIO
Allow ioperm/iopl access;
Allow sending USB messages to any device via /proc/bus/usb.
Code Listing 20.1: CAP_SYS_CHROOT
Allow use of chroot().
Code Listing 21.1: CAP_SYS_PTRACE
Allow ptrace() of any process.
Code Listing 22.1: CAP_SYS_PACCT
Allow configuration of process accounting.
Code Listing 23.1: CAP_SYS_ADMIN
Allow configuration of the secure attention key;
Allow administration of the random device;
Allow examination and configuration of disk quotas;
Allow configuring the kernel's syslog (printk behaviour);
Allow setting the domainname;
Allow setting the hostname;
Allow calling bdflush();
Allow mount() and umount(), setting up new smb connection;
Allow some autofs root ioctls;
Allow nfsservctl; Allow VM86_REQUEST_IRQ;
Allow to read/write pci config on alpha; Allow irix_prctl on mips (setstacksize);
Allow flushing all cache on m68k (sys_cacheflush);
Allow removing semaphores; Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory;
Allow locking/unlocking of shared memory segment;
Allow turning swap on/off;
Allow forged pids on socket credentials passing;
Allow setting readahead and flushing buffers on block devices;
Allow setting geometry in floppy driver;
Allow turning DMA on/off in xd driver;
Allow administration of md devices (mostly the above, but some extra ioctls);
Allow tuning the ide driver;
Allow access to the nvram device;
Allow administration of apm_bios, serial and bttv (TV) device;
Allow manufacturer commands in isdn CAPI support driver;
Allow reading nonstandardized portions of pci configuration space;
Allow DDI debug ioctl on sbpcd driver;
Allow setting up serial ports;
Allow sending raw qic117 commands;
Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands;
Allow setting encryption key on loopback filesystem.
Code Listing 24.1: CAP_SYS_BOOT
Allow use of reboot().
Code Listing 25.1: CAP_SYS_NICE
Allow raising priority and setting priority on other (different UID) processes;
Allow use of FIFO and roundrobin (realtime) scheduling on own processes and setting
the scheduling algorithm used by another process.
Code Listing 26.1: CAP_SYS_RESOURCE
Override resource limits. Set resource limits;
Override quota limits;
Override reserved space on ext2 filesystem;
Modify data journaling mode on ext3 filesystem
(uses journaling resources); NOTE: ext2 honors fsuid when checking for
resource overrides, so you can override using fsuid too;
Override size restrictions on IPC message queues;
Allow more than 64hz interrupts from the realtime clock;
Override max number of consoles on console allocation;
Override max number of keymaps.
Code Listing 27.1: CAP_SYS_TIME
Allow manipulation of system clock;
Allow irix_stime on mips;
Allow setting the realtime clock.
Code Listing 28.1: CAP_SYS_TTY_CONFIG
Allow configuration of tty devices; Allow vhangup() of tty.
Code Listing 29.1: CAP_MKNOD
Allow the privileged aspects of mknod().
Code Listing 30.1: CAP_LEASE
Allow taking of leases on files.
Page updated January 22, 2005
POSIX capabilities are a partitioning of the all powerful root privilege into a
set of distinct privileges
Donate to support our development efforts.