Here's a preview from my zine, How Containers Work!!
### we think of root as being all-powerful…
The following items are in spiky bubbles:
- edit any file
- change network config
- spy on any program’s memory
… but actually to do “root” things, a process needs the right ★capabilities★
Process, represented by a box with a smiley face: I want to modify the route table!
Linux, represented by a penguin: you need CAP_NET_ADMIN!
there are dozens of capabilities
Illustration of a smiling stick figure with curly hair.
Person: $ man capabilities
explains all of them but let’s go over 2 important ones!
CAP_SYS_ADMIN
lets you do a LOT of things. avoid giving this if you can!
CAP_NET_ADMIN
allow changing network settings
by default containers have limited capabilities
Process: can I call process_vm_readv?
Linux: nope! you’d need CAP_SYS_PTRACE for that!
$ getpcaps PID
print capabilities that PID has
getcap / setcap
system calls: get and set capabilities!
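To see the difference between a container's limited set and full root, here is an added example (not from the zine) that decodes the `CapEff` bitmask Linux exposes in `/proc/PID/status` into capability names, much as `getpcaps` reports them. The two status excerpts are constructed samples, and the `RISKY` set flagging the three capabilities named in this comic is this example's own choice.

```python
import re

# Capability names indexed by bit number, from <linux/capability.h>.
CAPS = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE""".split()

# Capabilities the comic calls out; flagging them is this example's policy choice.
RISKY = {"CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_PTRACE"}

def decode_mask(mask):
    """Turn a capability bitmask into a list of names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            # Bits newer than this table are reported instead of dropped.
            names.append("CAP_" + CAPS[bit] if bit < len(CAPS)
                         else f"CAP_UNKNOWN_{bit}")
        bit += 1
    return names

def effective_caps(status_text):
    """Extract and decode the CapEff line of a /proc/PID/status file."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return decode_mask(int(m.group(1), 16))

def risky_caps(status_text):
    """Return the flagged capabilities present in the effective set."""
    return sorted(RISKY.intersection(effective_caps(status_text)))

# Constructed /proc/PID/status excerpts (not captured from a real system).
CONTAINER_STATUS = "Name:\tsleep\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
HOST_ROOT_STATUS = "Name:\tbash\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, text in (("container", CONTAINER_STATUS),
                        ("host root", HOST_ROOT_STATUS)):
        caps = effective_caps(text)
        print(f"{label}: {len(caps)} capabilities, "
              f"risky: {risky_caps(text) or 'none'}")
```

To check a live process, pass the contents of `/proc/PID/status` to `effective_caps` instead of the samples.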