capabilities(4) capabilities(4) NAME capabilities - capability mechanism SYNOPSIS #include <sys/capability.h> DESCRIPTION The capability mechanism provides fine grained control over the privileges of a process. As a process attribute, a capability allows the process to perform a specific set of restricted operations, without granting general override of the system's protection scheme. A process can possess multiple capabilities. Collectively, all defined capabilities comprise the set of abilities that are traditionally associated with the root user. Defined capabilities are: CAP_ACCT_MGT Privilege to use accounting setup acct(2) system call and acctctl(3c) library call. CAP_AUDIT_CONTROL Privilege to manage the system audit trail (satread(2) and satwrite(2) system calls). CAP_AUDIT_WRITE Privilege to write to the system audit trail, satwrite(2) system call. CAP_CHOWN Privilege to change the owner of a file not owned by the process when the system is configured with _POSIX_CHOWN_RESTRICTED enabled. CAP_CHROOT Privilege to use the chroot(2) system call. CAP_DAC_EXECUTE Privilege to execute a file when the permissions or Access Control List prohibit it. CAP_DAC_READ_SEARCH Privilege to read a file or search a directory when the permissions or Access Control List prohibit it. CAP_DAC_WRITE Privilege to write a file or update a directory when the permissions or Access Control List prohibit it. CAP_DEVICE_MGT Privilege to issue restricted device management calls and ioctl actions. CAP_FOWNER Privilege to operate on a file as if the process owns it (for example, change permissions, ownership, access times, etc.). CAP_FSETID Privilege to set the setuid or setgid bits of a file without being the owner. Also, the privilege to change the owner of a setuid or setgid file. CAP_INF_DOWNGRADE Not supported, silently ignored. CAP_INF_NOFLOAT_OBJ Not supported, silently ignored. CAP_INF_NOFLOAT_SUBJ Not supported, silently ignored. CAP_INF_RELABEL_SUBJ Not supported, silently ignored. CAP_INF_UPGRADE Not supported, silently ignored. CAP_KILL Privilege to send a signal to a process that is not owned by the sender. Also, privilege to use process synchronization calls (procblk) to a process. CAP_LINK_DIR Not supported. CAP_MAC_DOWNGRADE Privilege to change the MAC label of an object to a value that is dominated by the previous label. (Only on systems with MAC enabled.) CAP_MAC_MLD Allows a process to change its own MAC label to a moldy label. A process with a moldy label can view the hidden directory structure of a multilevel directory. (Only on systems with MAC enabled.) CAP_MAC_READ Privilege to read information whose MAC label dominates that of the reader. (Only on systems with MAC enabled.) CAP_MAC_RELABEL_OPEN Privilege to change the MAC label of an open file. (Only on systems with MAC enabled.) CAP_MAC_RELABEL_SUBJ Allows a process to change its own MAC label. (Only on systems with MAC enabled.) CAP_MAC_UPGRADE Privilege to change the MAC label of an object to a value that dominates the previous label. (Only on systems with MAC enabled.) CAP_MAC_WRITE Privilege to write information whose MAC label does not equal that of the writer. (Only on systems with MAC enabled.) CAP_MEMORY_MGT Privilege to issue restricted memory management calls, primarily memory locking. CAP_MKNOD Alias for CAP_DEVICE_MGT. CAP_MOUNT_MGT Privilege to use the mount(2) and unmount(2) system calls. CAP_NETWORK_MGT Privilege to issue restricted networking calls (for example, setting the network interface MAC address, network interface device management, etc.). CAP_NVRAM_MGT Alias for CAP_SYSINFO_MGT. CAP_PRIV_PORT Privilege to open a socket on a privileged TCP port. CAP_PROC_MGT Privilege to issue restricted process management calls. CAP_QUOTA_MGT Privilege to issue restricted quota management calls. CAP_SCHED_MGT Privilege to issue restricted scheduler calls, such as the real time scheduler interfaces. CAP_SETFCAP Privilege to change the capability sets of a file. CAP_SETGID Allows a process to change its real GID, effective GID, saved GID, and process group ID. CAP_SETPCAP Allows a process to change its capability sets. CAP_SETUID Allows a process to change its real, effective and saved UIDs. CAP_SHUTDOWN Privilege to shutdown or reboot the system. This capability alone may be insufficient to perform the /etc/shutdown operation. CAP_SIGMASK Not supported, silently ignored. CAP_STREAMS_MGT Privilege to use restricted STREAMS calls and operations. CAP_SWAP_MGT Privilege to use the swapctl(2) system call. CAP_SYSINFO_MGT Privilege to set system information (for example, hostname values, NVRAM values, etc.). CAP_SVIPC_MGT Not supported, silently ignored. CAP_TIME_MGT Privilege to set the system time. CAP_XTCB Identifies a trusted client to the X server (that is trusted patth). A process has three, possibly empty, sets of capabilities. The permitted capability set is the maximum set of capabilities for the process. The effective capability set contains those capabilities that are currently active for the process. The inherited capability set contains those capabilities that the process may pass to the next process image across exec(2). A process with capabilities should NOT exec other processes without careful consideration of what capabilities will be inherited. They can set the CAP_FLAG_PURE_RECALC flag to ensure the child process do not inherit any capabilities before an exec is done. See cap_set_proc(3C). Only capabilities in a process' effective capability set allow the process to perform restricted operations. A process may use capability management functions to add or remove capabilities from its effective capability set. However the capabilities that a process can make effective are limited to those that exist in its permitted capability set. Only capabilities in the process' inherited capability set can be passed across exec(2). Capabilities are also associated with files. There may or may not be a capability set associated with a specific file. If a file has no capability set, execution of this file through an exec(2) will leave the process' capability set unchanged. If a file has a capability set, execution of file will affect the process' capability set in the following way: a file's inherited capability set further constrains the process inherited capabilities that are passed from one process image to another. The file's permitted capability set contains the capabilities that are unconditionally permitted to a process upon execution of that file. The file's effective capabilities are the capabilities that become immediately active for the process upon execution of the file. More precisely described, the process capability assignment algorithm is: I-proc-new = I-proc-old & I-file P-proc-new = P-file | (I-proc-new & P-proc-old) E-proc-new = P-proc-new & E-file If the process possesses capabilities after undergoing the capability assignment algorithm, the SPRPROTECT flag is set unless the capability set of the caller is exactly the same as that of the file. The SPRPROTECT flag signifies that access to the process is protected, disallowing the process to be traced unless the caller possesses the CAP_PROC_MGT capability. See also par(1). File capabilities are supported only on XFS filesystems. At the interface to the library routines, the capability sets are represented in a struct cap_set which is defined in <sys/capability.h>. typedef __uint64_t cap_value_t; struct cap_set { cap_value_t cap_effective; /* use in capability checks */ cap_value_t cap_permitted; /* combined with file attrs */ cap_value_t cap_inheritable;/* pass through exec */ }; typedef struct cap_set cap_set_t; typedef struct cap_set * cap_t; Macros in <sys/capability.h> may be used to query, set or examine the capability sets. EXTERNAL REPRESENTATION The routines cap_from_text(3c) and cap_to_text(3c) do the conversion between the internal structures and the external text form of capabilities. The output of cap_to_text may be used in cap_from_text to recreate the original capability sets. The text representation of capability sets is a string, which consists of one or more capability lists. Each capability list has the form: capname[,capname]OF where capname is a defined capability name (described above). The name ALL indicates all capabilities. F is a sequence of one or more flags chosen from "e", "i", "p" indicating which capability sets are to be affected. "e" indicates the effective capability set, "p" indicates the permitted capability set, and "i" indicates the inherited capability set. O is the operation chosen from "=", "+", "-", indicating to initialize, add, or delete the specified capabilities in the affected capability sets. The capability lists are interpreted sequentially. All characters from the symbol "#" to the end of the line are interpreted as comments and are ignored. SEE ALSO chcap(1), cap_from_text(3C), cap_get_proc(3C), cap_set_proc(3C), cap_to_text(3C), capability(4), dominance(5). Page 6