capabilities(4)capabilities(4)NAMEcapabilities - capability mechanism
SYNOPSIS
#include <sys/capability.h>
DESCRIPTION
The capability mechanism provides fine grained control over the
privileges of a process. As a process attribute, a capability allows the
process to perform a specific set of restricted operations, without
granting general override of the system's protection scheme. A process
can possess multiple capabilities. Collectively, all defined
capabilities comprise the set of abilities that are traditionally
associated with the root user.
Defined capabilities are:
CAP_ACCT_MGT
Privilege to use accounting setup acct(2) system call and
acctctl(3c) library call.
CAP_AUDIT_CONTROL
Privilege to manage the system audit trail (satread(2) and
satwrite(2) system calls).
CAP_AUDIT_WRITE
Privilege to write to the system audit trail, satwrite(2) system
call.
CAP_CHOWN
Privilege to change the owner of a file not owned by the process
when the system is configured with _POSIX_CHOWN_RESTRICTED enabled.
CAP_CHROOT
Privilege to use the chroot(2) system call.
CAP_DAC_EXECUTE
Privilege to execute a file when the permissions or Access Control
List prohibit it.
CAP_DAC_READ_SEARCH
Privilege to read a file or search a directory when the permissions
or Access Control List prohibit it.
CAP_DAC_WRITE
Privilege to write a file or update a directory when the permissions
or Access Control List prohibit it.
CAP_DEVICE_MGT
Privilege to issue restricted device management calls and ioctl
actions.
Page 1
capabilities(4)capabilities(4)
CAP_FOWNER
Privilege to operate on a file as if the process owns it (for
example, change permissions, ownership, access times, etc.).
CAP_FSETID
Privilege to set the setuid or setgid bits of a file without being
the owner. Also, the privilege to change the owner of a setuid or
setgid file.
CAP_INF_DOWNGRADE
Not supported, silently ignored.
CAP_INF_NOFLOAT_OBJ
Not supported, silently ignored.
CAP_INF_NOFLOAT_SUBJ
Not supported, silently ignored.
CAP_INF_RELABEL_SUBJ
Not supported, silently ignored.
CAP_INF_UPGRADE
Not supported, silently ignored.
CAP_KILL
Privilege to send a signal to a process that is not owned by the
sender. Also, privilege to use process synchronization calls
(procblk) to a process.
CAP_LINK_DIR
Not supported.
CAP_MAC_DOWNGRADE
Privilege to change the MAC label of an object to a value that is
dominated by the previous label. (Only on systems with MAC
enabled.)
CAP_MAC_MLD
Allows a process to change its own MAC label to a moldy label. A
process with a moldy label can view the hidden directory structure
of a multilevel directory. (Only on systems with MAC enabled.)
CAP_MAC_READ
Privilege to read information whose MAC label dominates that of the
reader. (Only on systems with MAC enabled.)
CAP_MAC_RELABEL_OPEN
Privilege to change the MAC label of an open file. (Only on systems
with MAC enabled.)
Page 2
capabilities(4)capabilities(4)
CAP_MAC_RELABEL_SUBJ
Allows a process to change its own MAC label. (Only on systems with
MAC enabled.)
CAP_MAC_UPGRADE
Privilege to change the MAC label of an object to a value that
dominates the previous label. (Only on systems with MAC enabled.)
CAP_MAC_WRITE
Privilege to write information whose MAC label does not equal that
of the writer. (Only on systems with MAC enabled.)
CAP_MEMORY_MGT
Privilege to issue restricted memory management calls, primarily
memory locking.
CAP_MKNOD
Alias for CAP_DEVICE_MGT.
CAP_MOUNT_MGT
Privilege to use the mount(2) and unmount(2) system calls.
CAP_NETWORK_MGT
Privilege to issue restricted networking calls (for example, setting
the network interface MAC address, network interface device
management, etc.).
CAP_NVRAM_MGT
Alias for CAP_SYSINFO_MGT.
CAP_PRIV_PORT
Privilege to open a socket on a privileged TCP port.
CAP_PROC_MGT
Privilege to issue restricted process management calls.
CAP_QUOTA_MGT
Privilege to issue restricted quota management calls.
CAP_SCHED_MGT
Privilege to issue restricted scheduler calls, such as the real time
scheduler interfaces.
CAP_SETFCAP
Privilege to change the capability sets of a file.
CAP_SETGID
Allows a process to change its real GID, effective GID, saved GID,
and process group ID.
Page 3
capabilities(4)capabilities(4)
CAP_SETPCAP
Allows a process to change its capability sets.
CAP_SETUID
Allows a process to change its real, effective and saved UIDs.
CAP_SHUTDOWN
Privilege to shutdown or reboot the system. This capability alone
may be insufficient to perform the /etc/shutdown operation.
CAP_SIGMASK
Not supported, silently ignored.
CAP_STREAMS_MGT
Privilege to use restricted STREAMS calls and operations.
CAP_SWAP_MGT
Privilege to use the swapctl(2) system call.
CAP_SYSINFO_MGT
Privilege to set system information (for example, hostname values,
NVRAM values, etc.).
CAP_SVIPC_MGT
Not supported, silently ignored.
CAP_TIME_MGT
Privilege to set the system time.
CAP_XTCB
Identifies a trusted client to the X server (that is trusted patth).
A process has three, possibly empty, sets of capabilities. The permitted
capability set is the maximum set of capabilities for the process. The
effective capability set contains those capabilities that are currently
active for the process. The inherited capability set contains those
capabilities that the process may pass to the next process image across
exec(2). A process with capabilities should NOT exec other processes
without careful consideration of what capabilities will be inherited.
They can set the CAP_FLAG_PURE_RECALC flag to ensure the child process do
not inherit any capabilities before an exec is done. See
cap_set_proc(3C).
Only capabilities in a process' effective capability set allow the
process to perform restricted operations. A process may use capability
management functions to add or remove capabilities from its effective
capability set. However the capabilities that a process can make
effective are limited to those that exist in its permitted capability
set.
Page 4
capabilities(4)capabilities(4)
Only capabilities in the process' inherited capability set can be passed
across exec(2).
Capabilities are also associated with files. There may or may not be a
capability set associated with a specific file. If a file has no
capability set, execution of this file through an exec(2) will leave the
process' capability set unchanged. If a file has a capability set,
execution of file will affect the process' capability set in the
following way: a file's inherited capability set further constrains the
process inherited capabilities that are passed from one process image to
another. The file's permitted capability set contains the capabilities
that are unconditionally permitted to a process upon execution of that
file. The file's effective capabilities are the capabilities that become
immediately active for the process upon execution of the file.
More precisely described, the process capability assignment algorithm is:
I-proc-new = I-proc-old & I-file
P-proc-new = P-file | (I-proc-new & P-proc-old)
E-proc-new = P-proc-new & E-file
If the process possesses capabilities after undergoing the capability
assignment algorithm, the SPRPROTECT flag is set unless the capability
set of the caller is exactly the same as that of the file. The SPRPROTECT
flag signifies that access to the process is protected, disallowing the
process to be traced unless the caller possesses the CAP_PROC_MGT
capability. See also par(1).
File capabilities are supported only on XFS filesystems.
At the interface to the library routines, the capability sets are
represented in a struct cap_set which is defined in <sys/capability.h>.
typedef __uint64_t cap_value_t;
struct cap_set {
cap_value_t cap_effective; /* use in capability checks */
cap_value_t cap_permitted; /* combined with file attrs */
cap_value_t cap_inheritable;/* pass through exec */
};
typedef struct cap_set cap_set_t;
typedef struct cap_set * cap_t;
Macros in <sys/capability.h> may be used to query, set or examine the
capability sets.
Page 5
capabilities(4)capabilities(4)EXTERNAL REPRESENTATION
The routines cap_from_text(3c) and cap_to_text(3c) do the conversion
between the internal structures and the external text form of
capabilities. The output of cap_to_text may be used in cap_from_text to
recreate the original capability sets.
The text representation of capability sets is a string, which consists of
one or more capability lists. Each capability list has the form:
capname[,capname]OF
where capname is a defined capability name (described above). The name
ALL indicates all capabilities.
F is a sequence of one or more flags chosen from "e", "i", "p" indicating
which capability sets are to be affected. "e" indicates the effective
capability set, "p" indicates the permitted capability set, and "i"
indicates the inherited capability set.
O is the operation chosen from "=", "+", "-", indicating to initialize,
add, or delete the specified capabilities in the affected capability
sets.
The capability lists are interpreted sequentially.
All characters from the symbol "#" to the end of the line are interpreted
as comments and are ignored.
SEE ALSOchcap(1), cap_from_text(3C), cap_get_proc(3C), cap_set_proc(3C),
cap_to_text(3C), capability(4), dominance(5).
Page 6
