How to use Linux capabilities instead of root

Question

QA Hub Editorial · Accepted Answer

Short answer Linux capabilities divide root privileges into fine-grained units that can be assigned to specific programs. Steps View capabilities: getcap /usr/bin/ping Add a capability: sudo setcap cap_net_raw+ep /usr/bin/ping Remove a capability: sudo setcap -r /usr/bin/ping List all capabilities in /proc/PID/status. Tips Capabilities reduce attack surface compared to setuid root binaries. +ep means effective and permitted sets. Containers use capability dropping to restrict processes. Common issues Capabilities are lost when files are moved across filesystems. Not all operations can be mapped to capabilities; some still need root.