What Is a Linux Capability?
A Linux capability is one of the distinct privileges that together make up the powers of the root user, such as the ability to bind low ports or change file ownership. Splitting root into capabilities lets a process be granted only the specific powers it needs. Capabilities can be added to or dropped from a process and its executables.
Why it matters
Dropping unneeded capabilities is a standard way to harden a CI container so a compromised job cannot do everything root could. It explains why some operations fail in a container even when running as root.
Related guides
What Is a Linux Namespace?A Linux namespace gives a group of processes their own isolated view of a system resource, such as process ID…
What Is a Seccomp Filter?A seccomp filter restricts which system calls a process may make, shrinking the kernel surface a sandboxed or…
What Is the Setuid Bit?The setuid bit makes an executable run with the privileges of its owner rather than the user launching it, of…