Linux capabilities divide the monolithic power of root into about forty independent privileges (41 in current kernels) that can be granted to individual processes, to threads, or to binaries as file capabilities. This enables the principle of least privilege: instead of making ping setuid-root (and thus able to do anything if it is exploited), you grant it only CAP_NET_RAW so it can open a raw socket for ICMP, and the rest of root's power remains off limits. Because they are checked per privilege, a bug in a capability-bearing binary yields only that privilege, not a root shell.
Common capabilities include CAP_NET_BIND_SERVICE (bind to ports below 1024), CAP_NET_ADMIN (configure interfaces, routes, and firewall rules), CAP_SYS_ADMIN (a catch-all for dozens of unrelated kernel operations, widely regarded as "the new root"), CAP_DAC_OVERRIDE (bypass file read, write, and execute permission checks), and CAP_SYS_PTRACE (trace and inspect other users' processes). Several capabilities are root-equivalent in practice: a binary that holds CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE, CAP_SETUID, or CAP_SYS_MODULE can be turned into full root by anyone allowed to execute it, so granting one of these to a world-executable binary gives up most of what capabilities were meant to buy. Auditing for such grants is a standard step in both hardening and privilege-escalation hunting.
Commands:
getcap /usr/bin/ping # show the file capabilities set on a binary (no output means none)
sudo setcap cap_net_raw+ep myping # grant one capability (e = effective, p = permitted)
sudo setcap -r myping # remove all file capabilities from the binary
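The audit a practitioner runs after reading the list above is "which binaries on this host carry a root-equivalent file capability?". The script below is an added example, not code from the page: it parses the output of getcap (both the older "path = caps+ep" style and the newer "path caps=ep" style), and prints every path holding one of a hand-picked set of dangerous capabilities. The list DANGEROUS_CAPS is a policy choice assumed here, not a kernel constant, and the sample getcap output is constructed so the script runs offline; pass --live to audit the real filesystem.

```shell
#!/bin/sh
# Added example: audit file capabilities and flag the root-equivalent ones.
# Feed it `getcap -r / 2>/dev/null` on a live host (--live), or run it as-is
# against the constructed sample at the bottom.
set -eu

# Capabilities that let whoever can execute the binary escalate to full root.
# Assumption: this is a hand-picked audit policy, not a list defined by the kernel.
DANGEROUS_CAPS="cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace \
cap_setuid cap_setgid cap_setfcap cap_sys_module cap_sys_rawio cap_chown cap_fowner cap_mknod"

# is_dangerous NAME: succeed if NAME is in DANGEROUS_CAPS.
is_dangerous() {
    case " $DANGEROUS_CAPS " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# flag_dangerous_caps: read getcap output on stdin, print "<path> <cap>" for every
# dangerous capability found. Handles both output styles getcap has used:
#   older libcap:  /usr/bin/ping = cap_net_raw+ep
#   newer libcap:  /usr/bin/ping cap_net_raw=ep
# Paths containing spaces are not handled; getcap output is ambiguous for them.
flag_dangerous_caps() {
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;      # blank or comment
            *' '*) ;;                # path followed by capability text
            *) continue ;;           # no capability text at all
        esac
        path=${line%% *}
        rest=${line#* }
        rest=${rest#"= "}            # older style puts " = " before the caps
        # A clause is cap_a,cap_b followed by an action (+ep, =ep, -i ...);
        # several clauses may be separated by spaces.
        for clause in $rest; do
            names=$(printf '%s\n' "$clause" | sed 's/[+=-].*//' | tr ',' ' ')
            for name in $names; do
                if is_dangerous "$name"; then
                    printf '%s %s\n' "$path" "$name"
                fi
            done
        done
    done
}

# Constructed sample, not output captured from a real host.
SAMPLE_GETCAP_OUTPUT='/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/arping = cap_net_raw+ep
/opt/backup/agent cap_dac_read_search,cap_dac_override=eip
/opt/debug/tracer = cap_sys_ptrace+ep'

# Usage: sh cap_audit.sh          -> audit the constructed sample
#        sh cap_audit.sh --live   -> audit the running system (needs getcap installed)
if [ "${1:-}" = "--live" ]; then
    getcap -r / 2>/dev/null | flag_dangerous_caps
else
    printf '%s\n' "$SAMPLE_GETCAP_OUTPUT" | flag_dangerous_caps
fi
```

Against the sample, only the backup agent (CAP_DAC_READ_SEARCH and CAP_DAC_OVERRIDE, enough to read or overwrite any file) and the tracer (CAP_SYS_PTRACE, enough to inject into any process) are reported; the three ping-like tools holding only CAP_NET_RAW pass. A hit on a world-executable binary is a privilege-escalation path for every local user, so such grants should be moved into a service manager's capability settings or removed with setcap -r.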
Systemd units expose capabilities through CapabilityBoundingSet= (the ceiling on what the service and any child it spawns can ever hold), AmbientCapabilities= (the capabilities handed to a non-root User= at start), and NoNewPrivileges= (execve() may not add privileges, so setuid bits and file capabilities are ignored), letting services run as non-root but still perform the small handful of privileged operations they need. Docker and Kubernetes use them similarly to restrict containers: Docker with --cap-drop and --cap-add on docker run, Kubernetes through securityContext.capabilities in the pod spec, and in both the sound pattern is to drop everything and add back the few that are required. Capabilities are central to modern Linux security design and replace many historical setuid binaries.
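A unit file that applies the three directives is the clearest way to see how they fit together. The fragment below is an added example, not from the page or from any real service: the unit name, user, binary path, and the claim that it only needs to bind port 80 are assumptions. The weak alternatives it replaces are running the daemon as root or stamping a file capability on the binary with setcap, which any local user able to execute that binary could then exercise.

```ini
# /etc/systemd/system/webapp.service   (hypothetical unit; names and paths assumed)
[Unit]
Description=Example web application listening on port 80 as an unprivileged user

[Service]
User=webapp
Group=webapp
ExecStart=/usr/local/bin/webapp --listen 0.0.0.0:80

# The one privilege the process is given at start: binding a port below 1024.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# The most the service or any child can ever hold, even via a setuid helper.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# execve() cannot add privileges: setuid bits and file capabilities are ignored.
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

After systemctl daemon-reload and a restart, systemd-analyze security webapp.service scores the unit and lists the remaining exposure; the bounding set is what stops a compromised worker from regaining CAP_SYS_ADMIN or CAP_DAC_OVERRIDE, while NoNewPrivileges= closes the route through setuid binaries and file capabilities on disk.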
Discussed in:
- Chapter 9: Users, Groups, and Permissions — Special Bits: setuid, setgid, and sticky
Also defined in: Textbook of Linux