Here's a preview from my zine, How Containers Work!
### we think of root as being all-powerful…
The following items are in spiky bubbles:
- edit any file
- change network config
- spy on any program’s memory
… but actually to do “root” things, a process needs the right ★capabilities★
Process, represented by a box with a smiley face: I want to modify the route table!
Linux, represented by a penguin: you need CAP_NET_ADMIN!
there are dozens of capabilities
Illustration of a smiling stick figure with curly hair.
Person: $ man capabilities explains all of them but let’s go over 2 important ones!
CAP_SYS_ADMIN
lets you do a LOT of things. avoid giving this if you can!
CAP_NET_ADMIN
allows changing network settings
by default containers have limited capabilities
Process: can I call process_vm_readv?
Linux: nope! you’d need CAP_SYS_PTRACE for that!
$ getpcaps PID
print capabilities that PID has
getcap / setcap
system calls: get and set capabilities!
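
An added example (not from the zine): the kernel also exposes each process's capability sets in /proc/PID/status as hex bitmasks, and this sketch decodes the CapEff (effective) mask into names and checks for the three capabilities discussed above. The status text and masks are constructed samples; the container mask is modelled on a common container runtime default, which is an assumption, and the function names are hypothetical.

```python
# Capability names indexed by bit number, as defined in <linux/capability.h>.
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE""".split()

# Constructed sample of /proc/PID/status lines (not captured from a real system).
# The mask is modelled on a typical container runtime default; that is an assumption.
SAMPLE_CONTAINER_STATUS = """\
Name:\tsleep
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""
SAMPLE_HOST_ROOT_STATUS = "Name:\tbash\nCapEff:\t000001ffffffffff\n"  # constructed

def decode_mask(mask):
    """Turn a capability bitmask into a list of CAP_* names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append("CAP_" + CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names

def effective_caps(status_text):
    """Extract and decode the CapEff line of a /proc/PID/status dump."""
    for line in status_text.splitlines():
        field, _, value = line.partition(":")
        if field == "CapEff":
            return decode_mask(int(value.strip(), 16))
    raise ValueError("no CapEff line found")

def missing(status_text, wanted=("CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_PTRACE")):
    """Which of the capabilities named in the comic does this process lack?"""
    have = set(effective_caps(status_text))
    return [cap for cap in wanted if cap not in have]

if __name__ == "__main__":
    print(effective_caps(SAMPLE_CONTAINER_STATUS))
    print("container lacks:", missing(SAMPLE_CONTAINER_STATUS))
    print("host root lacks:", missing(SAMPLE_HOST_ROOT_STATUS))
    # On a Linux host: print(effective_caps(open("/proc/self/status").read()))
```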