Linux-Specific Capabilities

Each entry below gives the capability name, its default state for a Container (on or off), and what it allows.

setpcap (default: off)
    Transfer any capability in the caller's permitted set to any process, or remove any capability in the caller's permitted set from any process. This is the original meaning of CAP_SETPCAP; on kernels with file capabilities it instead governs changes to the bounding set and the securebits flags.

linux_immutable (default: on)
    Allows setting and clearing the immutable and append-only file attributes (S_IMMUTABLE and S_APPEND, the +i and +a flags of chattr). These attributes are implemented only for the EXT2FS and EXT3FS Linux file systems, so this capability has no effect for Containers running on top of VZFS. However, if you bind mount a directory located on an EXT2FS or EXT3FS file system into a Container and revoke this capability, the root user inside the Container will not be able to clear these attributes and therefore cannot delete or truncate files that carry them.

net_bind_service (default: on)
    Allows binding sockets to privileged ports (port numbers below 1024).

net_broadcast (default: on)
    Allows network broadcasting and multicast access.

net_admin (default: off)
    Allows network administration tasks such as configuring interfaces and routing tables and administering IP firewalls and accounting.

net_raw (default: on)
    Allows the use of RAW and PACKET sockets. Tools such as ping need this, but it is also enough to sniff and forge packets on the interfaces the Container can see.

ipc_lock (default: on)
    Allows locking shared memory segments and the mlock() and mlockall() calls.

ipc_owner (default: on)
    Overrides IPC ownership checks.

sys_module (default: off)
    Allows inserting and removing kernel modules. Be very careful about setting this capability on for a Container: a user who can insert kernel modules has essentially full control over the server, since the kernel is shared by every Container on it.

sys_rawio (default: off)
    Allows creating VZFS symlinks over VZFS.

sys_chroot (default: on)
    Allows the use of chroot().

sys_ptrace (default: on)
    Allows tracing (ptrace()) any process visible in the Container.

sys_pacct (default: on)
    Allows configuring process accounting.

sys_admin (default: off)
    Covers many system administrator tasks, such as swapping, administering the APM BIOS, and so on. It is the broadest of the capabilities and is close to full root; it shall be set to off for Containers.

sys_boot (default: on)
    This capability currently has no effect on Container behaviour.

sys_nice (default: on)
    Allows raising process priority and setting the priority of other processes.

sys_resource (default: on)
    Allows overriding resource limits (the rlimits; do not confuse these with User Beancounters).

sys_time (default: off)
    Allows changing the system time. The clock is shared with the server, so a Container with this capability changes the time for every Container on it.

sys_tty_config (default: on)
    Allows the configuration of TTY devices.

mknod (default: on)
    Allows the privileged aspects of mknod(), that is, creating device nodes.

lease (default: on)
    Allows taking leases on files (fcntl() F_SETLEASE).
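The table says what each capability permits and what its default is, but not how to confirm what a running Container actually received. The following is an added example, not code from the Virtuozzo documentation: a small C program that reads the effective capability mask of the calling process from /proc/self/status and checks it against the table above, flagging any capability that is effective although the table defaults it to off. The bit numbers are the kernel's CAP_* values (setpcap is 8, lease is 28, as in include/uapi/linux/capability.h); the mapping from the table's short names to those numbers, and the function names, are this example's own, not a Virtuozzo API.

```c
/* cap_audit.c: added example, not part of the Virtuozzo documentation this
 * table comes from. Reads the effective capability mask of the calling
 * process from /proc/self/status and reports each capability in the table,
 * flagging those that are effective although the table defaults them to off.
 * Bit numbers are the kernel's CAP_* values (include/uapi/linux/capability.h);
 * the name-to-bit mapping is this example's own, not a Virtuozzo API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cap_entry { const char *name; int bit; int default_off; };

/* CAP_SETPCAP (8) through CAP_LEASE (28): the 21 entries of the table,
 * with default_off = 1 where the table's Container default is "off". */
static const struct cap_entry CAPS[] = {
    {"setpcap", 8, 1}, {"linux_immutable", 9, 0}, {"net_bind_service", 10, 0},
    {"net_broadcast", 11, 0}, {"net_admin", 12, 1}, {"net_raw", 13, 0},
    {"ipc_lock", 14, 0}, {"ipc_owner", 15, 0}, {"sys_module", 16, 1},
    {"sys_rawio", 17, 1}, {"sys_chroot", 18, 0}, {"sys_ptrace", 19, 0},
    {"sys_pacct", 20, 0}, {"sys_admin", 21, 1}, {"sys_boot", 22, 0},
    {"sys_nice", 23, 0}, {"sys_resource", 24, 0}, {"sys_time", 25, 1},
    {"sys_tty_config", 26, 0}, {"mknod", 27, 0}, {"lease", 28, 0},
};
#define NCAPS (sizeof CAPS / sizeof CAPS[0])

/* Table name -> kernel bit number, or -1 if the name is not in the table. */
int cap_bit(const char *name)
{
    for (size_t i = 0; i < NCAPS; i++)
        if (strcmp(CAPS[i].name, name) == 0) return CAPS[i].bit;
    return -1;
}

/* Parse a /proc/<pid>/status line such as "CapEff:\t0000003fffffffff" for
 * the given key (CapEff, CapPrm, CapBnd, ...). 0 on success, -1 otherwise. */
int parse_cap_line(const char *line, const char *key, unsigned long long *mask)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != ':') return -1;
    const char *p = line + klen + 1;
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p) return -1;
    *mask = v;
    return 0;
}

/* 1 if the named capability is set in mask, 0 if clear, -1 if unknown name. */
int cap_set(unsigned long long mask, const char *name)
{
    int bit = cap_bit(name);
    return bit < 0 ? -1 : (int)((mask >> bit) & 1ULL);
}

/* Effective capability mask of the calling process; 0 on success. */
int read_effective_caps(unsigned long long *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f))
        if (parse_cap_line(line, "CapEff", mask) == 0) { rc = 0; break; }
    fclose(f);
    return rc;
}

/* Walk the table against mask; returns how many capabilities are effective
 * although the table defaults them to off. verbose != 0 prints one line each. */
int audit_mask(unsigned long long mask, int verbose)
{
    int suspicious = 0;
    for (size_t i = 0; i < NCAPS; i++) {
        int on = (int)((mask >> CAPS[i].bit) & 1ULL);
        int flag = on && CAPS[i].default_off;
        if (verbose)
            printf("%-18s %-3s %s\n", CAPS[i].name, on ? "on" : "off",
                   flag ? "<-- off by default for Containers" : "");
        suspicious += flag;
    }
    return suspicious;
}

int main(void)
{
    unsigned long long mask;
    if (read_effective_caps(&mask) != 0) { perror("/proc/self/status"); return 1; }
    printf("CapEff = %016llx\n", mask);
    int n = audit_mask(mask, 1);
    printf("%d of the table's default-off capabilities are effective\n", n);
    return 0;
}
```

Run it as root inside the Container: an unprivileged process shows an almost empty CapEff regardless of what the Container was granted, and the Container-wide ceiling is the bounding set (the CapBnd line, which parse_cap_line can read with key "CapBnd"). Any capability the program flags, sys_module or sys_admin above all, is one the table recommends leaving off and is worth tracing back to the Container's configuration. The short names used here are the same ones vzctl(8) accepts in its --capability name:on|off option.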