Linux Capabilities

Linux capabilities allow fine-grained control over privileged operations without granting full root access, complementing AppArmor and seccomp.

You may find that you cannot change the system time even though you are not using AppArmor or seccomp. The reason is "Linux capabilities", which split root's power into granular permissions for executing "privileged actions".

The getcap command displays the capabilities assigned to a binary. You can use it to inspect which specific privileges a process or executable has been granted, such as the ability to bind to low-numbered ports or send raw packets.

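```bash
# File capabilities set on the ping binary
getcap /usr/bin/ping

# Find the PID of sshd
ps -ef | grep sshd

# getcap only reads files; getpcaps (libcap) takes the PID of a running process
getpcaps <process-id-of-sshd>
```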
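To confirm that a missing capability is why the clock cannot be set, test the CAP_SYS_TIME bit in the process's effective mask, the `CapEff` line of `/proc/<pid>/status`. This is an added example, not part of the original post: the function names are hypothetical, the two status samples are constructed, and the bit numbers are taken from `linux/capability.h`.

```shell
#!/bin/sh
# Bit positions from linux/capability.h (subset used on this page).
cap_number() {
  case "$1" in
    CAP_NET_BIND_SERVICE) echo 10 ;;  # bind to ports below 1024
    CAP_NET_RAW)          echo 13 ;;  # raw sockets, e.g. ping
    CAP_SYS_TIME)         echo 25 ;;  # set the system clock
    *) return 1 ;;
  esac
}

# has_cap STATUS_TEXT SET CAP_NAME
# SET is CapInh, CapPrm, CapEff or CapBnd.
# Returns 0 if the bit is set, 1 if clear, 2 on unknown set or capability.
has_cap() {
  mask=$(printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }')
  [ -n "$mask" ] || return 2
  bit=$(cap_number "$3") || return 2
  [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# Constructed sample: a process running with a reduced capability set.
SAMPLE_RESTRICTED='Name: date
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb'

# Constructed sample: a process holding every capability (bits 0-40).
SAMPLE_ROOT='Name: date
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff'

for cap in CAP_SYS_TIME CAP_NET_RAW CAP_NET_BIND_SERVICE; do
  if has_cap "$SAMPLE_RESTRICTED" CapEff "$cap"; then
    echo "$cap: present"
  else
    echo "$cap: missing"
  fi
done
```

On a live system, pass the real status text instead of a sample: `has_cap "$(cat /proc/self/status)" CapEff CAP_SYS_TIME`.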
This post is licensed under CC BY 4.0 by the author.