
Capabilities

Capabilities in Linux are a way to fine-tune the privileges (capabilities) of each process and each thread, by splitting the privileges of root into distinct units that can be granted or dropped individually.

Capabilities were first introduced in Linux kernel version 2.2 in 1999.

1. Examples

1.1. Stop ping from sending ping packets

Modern Linux distributions, Ubuntu 20.04 for example, dropped the setuid bit (the s shown in -rwsr-xr-x below) from the ping binary. Instead, the binary was given the cap_net_raw file capability, which is all it needs to send ICMP packets.

$ # Ubuntu 18.04
$ ls -l /bin/ping
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping
$ # Ubuntu 20.04
$ ls -l /bin/ping
-rwxr-xr-x 1 root root 72776 Jan 31  2020 /bin/ping

You can check the file capabilities of a binary with the getcap command.

$ getcap /bin/ping
/bin/ping cap_net_raw=ep

It says the cap_net_raw capability is set in the binary's permitted (p) and effective (e) file capability sets, so a process running it can create a raw socket and send packets without being root.

If you want to drop the cap_net_raw capability, run the setcap command as root. Note that setcap replaces the file's whole capability set with the text you give it, so 'cap_net_raw-p' leaves the binary with no file capabilities at all, as getcap then shows.

$ setcap 'cap_net_raw-p' /bin/ping
$ getcap /bin/ping
/bin/ping =
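getcap reads the capability sets stored on a file; a running process carries the same three sets (permitted, effective, inheritable) as hex bitmasks in the CapPrm, CapEff and CapInh lines of /proc/<pid>/status. The following helper, an added example that is not part of the original wiki page, decodes those masks and renders them in the same name=flags style getcap uses, so you can compare what a binary is granted with what a process actually holds. The capability bit numbers come from <linux/capability.h>; the sample status text is constructed.

```python
"""Decode the CapPrm/CapEff/CapInh bitmasks reported in /proc/<pid>/status."""
import re

# Capability names from <linux/capability.h>; list index == bit number.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

# Flag letters in the order libcap prints them (e, i, p).
SET_FLAGS = {"CapEff": "e", "CapInh": "i", "CapPrm": "p"}


def decode_mask(mask: int) -> set:
    """Return the cap_* names whose bit is set in a CapXxx mask."""
    return {f"cap_{n}" for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1}


def parse_status(text: str) -> dict:
    """Extract the CapEff/CapInh/CapPrm hex masks from /proc/<pid>/status text."""
    masks = {}
    for line in text.splitlines():
        m = re.match(r"(Cap(?:Eff|Inh|Prm)):\s*([0-9a-fA-F]+)", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def caps_text(text: str) -> str:
    """Render a process's capabilities getcap-style, e.g. 'cap_net_raw=ep'."""
    masks = parse_status(text)
    flags_by_cap = {}
    for field, flag in SET_FLAGS.items():
        for cap in decode_mask(masks.get(field, 0)):
            flags_by_cap[cap] = flags_by_cap.get(cap, "") + flag
    # An empty set prints as a bare "=", like getcap on a stripped binary.
    return " ".join(f"{c}={f}" for c, f in sorted(flags_by_cap.items())) or "="


# Constructed sample: a process holding only cap_net_raw (bit 13) in e and p.
SAMPLE_STATUS = ("Name:\tping\nCapInh:\t0000000000000000\n"
                 "CapPrm:\t0000000000002000\nCapEff:\t0000000000002000\n")

if __name__ == "__main__":
    with open("/proc/self/status") as f:  # the current interpreter process
        print(caps_text(f.read()))
```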