Frequently Asked Question
What are Linux capabilities and how do they relate to setuid?
Capabilities split the monolithic root privilege into about forty discrete
powers, each named with a CAP_ prefix in capabilities(7). CAP_NET_BIND_SERVICE
lets a process bind to TCP ports below 1024; CAP_NET_RAW lets it open raw
sockets (what ping actually needs); CAP_SYS_TIME lets it set the system clock;
CAP_DAC_OVERRIDE lets it bypass discretionary file permissions. A process holds
capabilities in three sets (permitted, effective, and inheritable), and for
every privileged operation the kernel checks the effective set for the one
relevant capability instead of asking "are you root?".
File capabilities (set with setcap, inspected with getcap) attach a fixed
capability set to an executable so it can perform exactly the privileged
operation it needs without full setuid-root powers. On modern distributions
/bin/ping is no longer setuid; it has cap_net_raw+ep set (permitted and
effective), so it can create the raw socket it needs and nothing else. If an
attacker compromises ping, they get raw-socket access, not root. Containers use
the same machinery to drop capabilities, and systemd units expose it through
CapabilityBoundingSet= and AmbientCapabilities=, so a service keeps only what it
actually needs.
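To check what these sets actually contain for a running process (for example a service you have confined with the directives above), here is an added example in C, not code from the original FAQ. It decodes the hex Cap* bitmask lines of /proc/PID/status into the cap_ names that getcap and capabilities(7) use; it assumes the capability numbering of linux/capability.h up to CAP_CHECKPOINT_RESTORE (number 40).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability names by number, CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40, in the
 * order of linux/capability.h: bit i of a Cap* mask in /proc/PID/status is cap i. */
static const char *cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "linux_immutable", "net_bind_service", "net_broadcast", "net_admin", "net_raw",
    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time", "sys_tty_config", "mknod",
    "lease", "audit_write", "audit_control", "setfcap", "mac_override", "mac_admin", "syslog",
    "wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore" };
#define NCAPS (sizeof cap_names / sizeof cap_names[0])

/* Decode a hex mask into "cap_x,cap_y" in out; returns the number of bits set. */
int decode_cap_mask(const char *hex, char *out, size_t outlen)
{
    unsigned long long mask = strtoull(hex, NULL, 16);
    int n = 0;
    out[0] = '\0';
    for (unsigned i = 0; i < NCAPS; i++) {
        if (!(mask & (1ULL << i))) continue;
        snprintf(out + strlen(out), outlen - strlen(out), "%scap_%s", n++ ? "," : "", cap_names[i]);
    }
    return n;
}

/* Locate "Key:<whitespace><hex>" in status-file text and decode it; -1 if absent. */
int decode_status_set(const char *status, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(status, key);
    if (!p) return -1;
    for (p += strlen(key); *p == ':' || *p == ' ' || *p == '\t'; p++) {}
    return decode_cap_mask(p, out, outlen);
}

int main(void)
{
    /* Audit the calling process: name every capability in each of its five sets. */
    static const char *keys[] = { "CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb" };
    char status[8192], out[2048];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 1;
    status[fread(status, 1, sizeof status - 1, f)] = '\0';
    fclose(f);
    for (unsigned i = 0; i < 5; i++)
        printf("%s: %s\n", keys[i], decode_status_set(status, keys[i], out, sizeof out) > 0 ? out : "(none)");
    return 0;
}
```

Point it at another process by reading /proc/PID/status instead of /proc/self/status; a confined ping should show only cap_net_raw in CapPrm and CapEff.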