From Helpful
Jump to: navigation, search
This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

Kernel capabilities are an implementation of POSIX capability-based security (see 1003.1e).

This means that instead of "you are now root and can do everything", usually via sudo or SUID root, you now have something much more fine-grained.

Basically, it means you can actually do some least privilege damming in of what ill intent and/or bugs may imply.

Capabilities roughly means they've organized syscalls into a bunch of groups, and allow granting per these groups.

Consider e.g. ping.

Historically this was SUID root, which it needed to create a raw socket. Yes, it drops it as soon as it doesn't need it, and in many practical ways this is pretty safe, but there is a period where it is entirely privileged.

Capabilities allow you to give ping CAP_NET_RAW (and maybe CAP_NET_ADMIN?), and none of the others.

In the case of ping, the OS's package manager installed it, and you can trust them to have done some security checks. This is less true of more custom software, though.

Such capabilities can also be used in a SUID-like way, by using xattr to assign them.

Note that ping itself doesn't care how it gets these things. In fact it doesn't even know, beyond the relevant syscalls (not) failing.