CAPABILITIES
This chapter describes the Linux capabilities scheme, which divides the traditional all-or-nothing UNIX privilege scheme into individual capabilities that can be independently enabled or disabled. Using capabilities allows a program to perform some privileged operations, while preventing it from performing others.
39.1 Rationale for Capabilities
The traditional UNIX privilege scheme divides processes into two categories: those whose effective user ID is 0 (superuser), which bypass all privilege checks, and all other processes, which are subject to privilege checking according to their user and group IDs.
The coarse granularity of this scheme is a problem. If we want to allow a process to perform some operation that is permitted only to the superuser—for example, changing the system time—then we must run that process with an effective user ID of 0. (If an unprivileged user needs to perform such operations, this is typically implemented using a set-user-ID-root program.) However, this grants the process privileges to perform a host of other actions as well—for example, bypassing all permission checks when accessing files—thus opening the door for a range of security breaches if the program behaves in unexpected ways (which may be the consequence of unforeseen circumstances, or because of deliberate manipulation by a malicious user). The traditional way of dealing with this problem was outlined in Chapter 38: we drop effective privileges (i.e., change from an effective user ID of 0, while maintaining 0 in the saved set-user-ID) and temporarily reacquire them only when needed.
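The following program is an added example, not code from the book, that makes the contrast in this section concrete: it wraps the Chapter 38 drop/reacquire pattern (seteuid() to the real user ID and back to 0) and, beside it, reads the process's effective capability set so that the "all or nothing" view (is the effective user ID 0?) can be compared with the per-capability view (does the process hold CAP_SYS_TIME, which setting the clock requires, or CAP_DAC_OVERRIDE, which bypasses file permission checks?). It assumes a Linux system where /proc/self/status carries a CapEff line holding a 64-bit hexadecimal mask, and that the capability numbers match <linux/capability.h> (CAP_DAC_OVERRIDE is 1, CAP_SYS_TIME is 25); the two numeric constants are restated here as macros so the program does not depend on the kernel headers.

```c
/* Added example (not from the book): compare the coarse effective-UID test
 * with the per-capability view of a process's privileges.
 * Assumptions: Linux /proc/self/status exposes "CapEff:\t<16 hex digits>",
 * and capability numbers follow <linux/capability.h>. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CAP_DAC_OVERRIDE_NUM 1   /* bypass file read/write/execute permission checks */
#define CAP_SYS_TIME_NUM     25  /* set the system clock */

/* The Chapter 38 approach for a set-user-ID-root program: lower the effective
 * UID to the real UID (0 stays in the saved set-user-ID) and raise it again
 * only around the privileged operation. While the effective UID is 0, the
 * process holds every capability, not just the one it needs. */
int drop_effective_root(void)
{
    return seteuid(getuid());
}

int reacquire_effective_root(void)
{
    return seteuid(0);
}

/* Parse one "<field>:\t<hex>" line from /proc/<pid>/status into a 64-bit mask.
 * Returns 0 on success, -1 if the line does not carry the requested field. */
int parse_cap_line(const char *line, const char *field, uint64_t *mask)
{
    size_t n = strlen(field);
    if (strncmp(line, field, n) != 0 || line[n] != ':')
        return -1;
    const char *p = line + n + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    *mask = (uint64_t) v;
    return 0;
}

/* Is capability number 'cap' present in 'mask'? Out-of-range numbers are absent. */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int) ((mask >> cap) & 1ULL);
}

/* Read the calling process's effective capability mask.
 * Returns 0 on success, -1 if /proc is unavailable or CapEff is missing. */
int read_own_cap_eff(uint64_t *mask)
{
    FILE *fp = fopen("/proc/self/status", "r");
    if (fp == NULL)
        return -1;
    char line[256];
    int found = -1;
    while (fgets(line, sizeof line, fp) != NULL) {
        if (parse_cap_line(line, "CapEff", mask) == 0) {
            found = 0;
            break;
        }
    }
    fclose(fp);
    return found;
}

int main(void)
{
    uint64_t eff;

    /* Traditional test: one bit of information about the whole privilege set. */
    printf("effective UID is 0: %s\n", geteuid() == 0 ? "yes" : "no");

    /* Capability view: which privileged operations are actually permitted. */
    if (read_own_cap_eff(&eff) == -1) {
        fprintf(stderr, "could not read CapEff from /proc/self/status\n");
        return EXIT_FAILURE;
    }
    printf("CapEff = %016llx\n", (unsigned long long) eff);
    printf("CAP_SYS_TIME (set the clock): %s\n",
           cap_in_mask(eff, CAP_SYS_TIME_NUM) ? "yes" : "no");
    printf("CAP_DAC_OVERRIDE (bypass file permissions): %s\n",
           cap_in_mask(eff, CAP_DAC_OVERRIDE_NUM) ? "yes" : "no");

    /* Chapter 38 pattern, shown for a process started with effective UID 0:
     * privileges are dropped immediately and raised only around the operation. */
    if (geteuid() == 0) {
        if (drop_effective_root() == -1)
            perror("drop_effective_root");
        /* ... ordinary unprivileged work ... */
        if (reacquire_effective_root() == -1)
            perror("reacquire_effective_root");
        /* ... the one privileged operation, then drop again ... */
        drop_effective_root();
    }
    return EXIT_SUCCESS;
}
```

Run as an ordinary user, the program reports an effective UID that is not 0 and an all-zero CapEff; run as root (or with a file capability applied to the binary) it shows which individual bits are set, which is the information the effective-UID test cannot express. The seteuid() wrappers are the technique this section attributes to Chapter 38; a process using them still holds the full capability set whenever its effective UID is 0.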