1 CheatSheet: linux-capabilities


File me Issues or star this repo.

1.1 Linux Capabilities - Frequent

Starting with kernel 2.2, Linux divides the privileges traditionally associated with the superuser into distinct units, known as Linux capabilities. A process or executable can hold any subset of them, so a service can be granted exactly the privileges it needs rather than full root.

| Name                 | Comment                                                                            |
|----------------------+------------------------------------------------------------------------------------|
| CAP_CHOWN            | Make arbitrary changes to file UIDs and GIDs                                       |
| CAP_NET_RAW          | Use RAW and PACKET sockets; bind to any address for transparent proxying           |
| CAP_SYS_CHROOT       | Use chroot                                                                         |
| CAP_SETUID           | Make arbitrary manipulations of process UIDs                                       |
| CAP_SETGID           | Make arbitrary manipulations of process GIDs and supplementary GID list            |
| CAP_DAC_OVERRIDE     | Bypass file read, write, and execute permission checks                             |
| CAP_MKNOD            | Create special files using mknod                                                   |
| CAP_NET_BIND_SERVICE | Bind a socket to Internet domain privileged ports (port numbers less than 1024)    |
| CAP_SETFCAP          | Set file capabilities                                                              |

Reference link: ubuntu linux capabilities help usage

1.2 Linux Capabilities - UID/GID

| Name       | Comment                                                                 |
|------------+-------------------------------------------------------------------------|
| CAP_SETUID | Make arbitrary manipulations of process UIDs                            |
| CAP_SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list |

1.3 Linux Capabilities - File

| Name                | Comment                                                                                    |
|---------------------+--------------------------------------------------------------------------------------------|
| CAP_CHOWN           | Make arbitrary changes to file UIDs and GIDs                                               |
| CAP_MKNOD           | Create special files using mknod                                                           |
| CAP_DAC_OVERRIDE    | Bypass file read, write, and execute permission checks                                     |
| CAP_DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks        |
| CAP_LEASE           | Establish leases on arbitrary files                                                        |
| CAP_SETFCAP         | Set file capabilities                                                                      |
| CAP_KILL            | Bypass permission checks for sending signals                                               |

1.4 Linux Capabilities - Network

| Name                 | Comment                                                                         |
|----------------------+---------------------------------------------------------------------------------|
| CAP_MAC_OVERRIDE     | Allow MAC configuration or state changes                                        |
| CAP_NET_BIND_SERVICE | Bind a socket to Internet domain privileged ports (port numbers less than 1024) |
| CAP_NET_BROADCAST    | (Unused) Make socket broadcasts, and listen to multicasts                       |
| CAP_NET_RAW          | Use RAW and PACKET sockets; bind to any address for transparent proxying        |

1.5 Linux Capabilities - Process

| Name           | Comment                                                                                                                 |
|----------------+-------------------------------------------------------------------------------------------------------------------------|
| CAP_KILL       | Bypass permission checks for sending signals                                                                            |
| CAP_SYS_NICE   |                                                                                                                         |
| CAP_SYS_CHROOT | Use chroot                                                                                                              |
| CAP_SYS_BOOT   | Use reboot and kexec_load                                                                                               |
| CAP_WAKE_ALARM | Trigger something that will wake up the system (set CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers)               |

1.6 Linux Capabilities - Adhoc

| Name                | Comment                                                                                                                   |
|---------------------+---------------------------------------------------------------------------------------------------------------------------|
| CAP_AUDIT_CONTROL   | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and rules                      |
| CAP_AUDIT_WRITE     | Write records to kernel auditing log                                                                                      |
| CAP_BLOCK_SUSPEND   | Employ features that can block system suspend                                                                             |
| CAP_FOWNER          |                                                                                                                           |
| CAP_FSETID          |                                                                                                                           |
| CAP_IPC_LOCK        | Lock memory                                                                                                               |
| CAP_IPC_OWNER       | Bypass permission checks for operations on System V IPC objects                                                           |
| CAP_LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags (see chattr(1))                                                     |
| CAP_MAC_ADMIN       | Override Mandatory Access Control (MAC)                                                                                   |
| CAP_NET_ADMIN       |                                                                                                                           |
| CAP_SETPCAP         |                                                                                                                           |
| CAP_SYS_ADMIN       |                                                                                                                           |
| CAP_SYS_MODULE      | Load and unload kernel modules                                                                                            |
| CAP_SYS_PACCT       | Use acct                                                                                                                  |
| CAP_SYS_PTRACE      | Trace arbitrary processes using ptrace; apply get_robust_list to arbitrary processes; inspect processes using kcmp        |
| CAP_SYS_RAWIO       |                                                                                                                           |
| CAP_SYS_RESOURCE    |                                                                                                                           |
| CAP_SYS_TIME        | Set system clock (settimeofday, stime, adjtimex); set real-time (hardware) clock                                          |
| CAP_SYS_TTY_CONFIG  | Use vhangup; employ various privileged ioctl operations on virtual terminals                                              |
| CAP_SYSLOG          |                                                                                                                           |

1.7 More Resources

License: Code is licensed under the MIT License.

http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html
