Skip to Content
Navigation:

A stick figure smiling

Here's a preview from my zine, How Containers Work! If you want to see more comics like this, sign up for my saturday comics newsletter or browse more comics!

get the zine!
Image of a comic. To read the full HTML alt text, click "read the transcript". get the zine!
read the transcript!

### we think of root as being all-powerful… The following items are in spiky bubbles:

  • edit any file
  • change network config
  • spy on any program’s memory

… but actually to do “root” things, a process needs the right ★capabilities★

Process, represented by a box with a smiley face: I want to modify the route table!
Linux, represented by a penguin: you need CAP_NET_ADMIN!

there are dozens of capabilities

Illustration of a smiling stick figure with curly hair.

Person: $ man capabilities explains all of them but let’s go over 2 important ones!

CAP_SYS_ADMIN

lets you do a LOT of things. avoid giving this if you can!

CAP_NET_ADMIN

allow changing network settings

by default containers have limited capabilities

Process: can I call process_vm_ready? Linux: nope! you’d need CAP_SYS_PTRACE for that!

$ getpcaps PID

print capabilities that PID has

getcap / setcap

system calls: get and set capabilities!