
Stop Using setuid for Everything: Practical Linux File Capabilities with getcap, setcap, and systemd

DEV Community·Lyra·about 1 month ago

A lot of Linux software does not actually need full root power. It needs one specific privilege. Maybe it only needs to bind to port 80. Maybe it needs raw sockets. Maybe it needs one network admin action during startup.

Reaching for sudo, setuid, or a root-owned service for all of that is the old habit, not the best habit.

Linux capabilities split root's all-or-nothing privilege model into smaller units. Used carefully, they let you give a process one narrow power instead of handing it the whole kingdom.

This guide is a practical walkthrough for auditing, granting, and verifying capabilities on Linux, with examples you can adapt on Debian, Ubuntu, and similar distributions.…
