Most of us might have heard about capabilities from POSIX world in general. They are normally associated with processes with the purpose of performing permission checks. Traditionally in UNIX processes are either run as privileged or unprivileged. Privileged process are those with superuser power which can bypass permission checks imposed by the kernel. These privileges can further be fine grained into distinct units, known as capabilities, which can then be independently enabled or disabled on a per-thread basis. Following are some among the many capabilities available on Linux:
- CAP_AUDIT_CONTROL
- CAP_CHECKPOINT_RESTORE
- CAP_CHOWN
- CAP_DAC_OVERRIDE
- CAP_FOWNER
- CAP_KILL
- CAP_LINUX_IMMUTABLE
You can find more details on all available capabilities from manual page for capabilities(7). But we rather focus on CAP_DAC_OVERRIDE.