Capability Names and Descriptions

Here is a list of all the capabilities supported by LIDS and what their function is.

CAP_CHOWN

In a system with the _POSIX_CHOWN_RESTRICTED option defined, this overrides the restriction of changing file ownership and group ownership.

CAP_DAC_OVERRIDE

Override all DAC access, including ACL execute access if _POSIX_A
CL is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.

CAP_DAC_READ_SEARCH

Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if _POSIX_ACL is defined. Excluding DAC access covered by
CAP_LINUX_IMMUTABLE.

CAP_FOWNER

Overrides all restrictions concerning allowed operations on files, where the file owner ID must be equal to the user ID, except where CAP_FSE 
TID is applicable. It doesn't override MAC and DAC restrictions.

CAP_FSETID

Overrides the following restrictions that the effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that file; that the effective group ID (or one of the supplementary group IDs) shall match the file owner ID when setting the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are cleared on successful return from chown(2) (not implemented).

CAP_KILL

Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.

CAP_SETGID

 

• Allows setgid(2) manipulation
• Allows setgroups(2)
• Allows forged gids on socket credentials passing.

CAP_SETUID

 

• Allows set*uid(2) manipulation (including fsuid).
• Allows forged pids on socket credentials passing.

CATP_SETPCAP

Transfer any capability in your permitted set to any pid, remove any capability in

your

permitted set from any pid.

CAP_LINUX_IMMUTABLE

Allow modification of S_IMMUTABLE and
S_APPEND file attributes.

CAP_NET_BIND_SERVICE

Allows binding to TCP/UDP sockets below 1024.

CAP_NET_BROADCAST

Allow read/write of device-specific registers

CAP_NET_ADMIN

 

• Allow broadcasting, listen to multicast.
• Allow interface configuration
• Allow administration of IP firewall, masquerading and accounting
• Allow setting debug option on sockets
• Allow modification of routing tables
• Allow setting arbitrary process / process group ownership on sockets
• Allow binding to any address for transparent proxying
• Allow setting TOS (type of service)
• Allow setting promiscuous mode
• Allow clearing driver statistics
• Allow multicasting

CAP_NET_RAW

 

• Allow use of RAW sockets
• Allow use of PACKET sockets

CAP_IPC_LOCK

 

• Allow locking of shared memory segments
• Allow mlock and mlockall (which doesn't really have anything to do with IPC).

CAP_IPC_OWNER

Override IPC ownership checks.

CAP_SYS_MODULE

Insert and remove kernel modules.

CAP_SYS_RAWIO

 

• Allow ioperm/iopl and /dev/port access
• Allow /dev/mem and /dev/kmem access
• Allow raw block devices (/dev/[sh]d??) access

CAP_SYS_CHROOT

Allow use of chroot()

CAP_SYS_PTRACE

Allow ptrace() of any process

CAP_SYS_PACCT

Allow configuration of process accounting

CAP_SYS_ADMIN

 

• Allow configuration of the secure attention key
• Allow administration of the random device
• Allow device administration (mknod)
• Allow examination and configuration of disk quotas
• Allow configuring the kernel's syslog (printk behavior domain name)
• Allow setting the domain name
• Allow setting the host name
• Allow calling bdflush()
• Allow mount() and umount(), setting up new smb connection
• Allow some autofs root ioctls
• Allow nfsservctl Allow VM86_REQUEST_IRQ
• Allow to read/write pci config on alpha
• Allow irix_prctl on mips (setstacksize)
• Allow flushing all cache on m68k (sys_cacheflush)
• Allow removing semaphores
• Used instead of CAP_CHOWN to chown IPC message queues, semaphores and share memory
• Allow locking/unlocking of shared memory segment
• Allow turning swap on/off Allow forged pids on socket credentials passing
• Allow setting read-ahead and flushing buffers on block devices
• Allow setting geometry in floppy driver
• Allow turning DMA on/off in xd driver
• Allow administration of md devices (mostly the above, but some extra ioctls)
• Allow tuning the ide driver Allow access to the nvram device
• Allow administration of apm_bios, serial and bttv (TV) device
• Allow manufacturer commands in isdn CAPI support driver
• Allow reading non-standardized portions of pci configuration space
• Allow DDI debug ioctl on sbpcd driver
• Allow setting up serial ports
• Allow sending raw qic-117 commands
• Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands
• Allow setting encryption key on loopback file system

CAP_SYS_BOOT

Allow use of reboot()

CAP_SYS_NICE

 

• Allow raising priority and setting priority on other (different UID) processes
• Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process.

CAP_SYS_RESOURCE

 

• Override resource limits. Set resource limits.
• Override quota limits.
• Override reserved space on ext2/ext3 file system
• NOTE: ext2/ext3 honors fsuid when checking for resource overrides, so you can override using fsuid too
• Override size restrictions on IPC message queues
• Allow more than 64hz interrupts from the real-time clock
• Override max number of consoles on console allocation
• Override max number of keymaps

CAP_SYS_TIME

 

• Allow manipulation of system clock
• Allow irix_stime on mips
• Allow setting the real-time clock

CAP_SYS_TTY_CONFIG

 

• Allow configuration of tty devices
• Allow vhangup() of tty