
Here's a preview from my zine, How Containers Work!! If you want to see more comics like this, sign up for my Saturday comics newsletter or browse more comics!


### we think of root as being all-powerful…

The following items are in spiky bubbles:

  • edit any file
  • change network config
  • spy on any program’s memory

… but actually to do “root” things, a process needs the right ★capabilities★

Process, represented by a box with a smiley face: I want to modify the route table!
Linux, represented by a penguin: you need CAP_NET_ADMIN!

there are dozens of capabilities

Illustration of a smiling stick figure with curly hair.

Person: $ man capabilities explains all of them but let’s go over 2 important ones!

CAP_SYS_ADMIN

lets you do a LOT of things. avoid giving this if you can!

CAP_NET_ADMIN

allow changing network settings

by default containers have limited capabilities

Process: can I call process_vm_readv?
Linux: nope! you’d need CAP_SYS_PTRACE for that!

$ getpcaps PID

print capabilities that PID has

getcap / setcap

system calls: get and set capabilities!
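
What `getpcaps PID` reports can also be read from the `Cap*` lines of `/proc/PID/status`, which hold each capability set as a hex bitmask. This added example (not from the zine) decodes such a mask and reports whether the three capabilities named above are in the effective set; the function names and both status samples are constructed for illustration, and the container sample assumes a Docker-style default set.

```python
import re

# Capability names by bit number, in the order of <linux/capability.h>.
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID
SETUID SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN
NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE
SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG
MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG
WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE""".split()

# The three capabilities the comic names; which ones to flag is a policy choice.
FLAGGED = {"CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_PTRACE"}

# Constructed samples of the Cap* lines in /proc/PID/status.
CONTAINER_STATUS = """Name:\tsleep
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""
HOST_ROOT_STATUS = """Name:\tbash
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
"""

def parse_status(text):
    """Map each Cap* field (CapInh, CapPrm, CapEff, ...) to its integer mask."""
    pattern = r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$"
    return {m.group(1): int(m.group(2), 16) for m in re.finditer(pattern, text, re.M)}

def decode(mask):
    """Turn a capability bitmask into names; unknown bits become CAP_<n>."""
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            known = bit < len(CAP_NAMES)
            names.append("CAP_" + CAP_NAMES[bit] if known else f"CAP_{bit}")
    return names

def flagged_effective(status_text):
    """Return the flagged capabilities present in the effective set."""
    eff = parse_status(status_text).get("CapEff", 0)
    return sorted(FLAGGED.intersection(decode(eff)))

if __name__ == "__main__":
    for label, text in [("container", CONTAINER_STATUS), ("host root", HOST_ROOT_STATUS)]:
        eff = parse_status(text)["CapEff"]
        print(f"{label}: {len(decode(eff))} capabilities, flagged: {flagged_effective(text)}")
```

On a live system, pass the contents of `/proc/PID/status` to `flagged_effective` instead of the constructed samples.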