
11.2.2 Linux Capabilities

A focused guide to Linux Capabilities, connecting core concepts with practical Docker and container operations.

Linux capabilities are individual, fine-grained units of privilege the Linux kernel uses to subdivide what was traditionally an all-or-nothing root privilege into separate, independently grantable pieces, allowing a container to be given exactly the specific privileged operations it actually needs rather than full root access.

Why Capabilities Exist as a Finer-Grained Alternative to Root

Traditionally, an operation either required full root privileges or none at all — capabilities break this all-or-nothing model into many distinct, independently controllable privileges.

docker run --cap-add=NET_BIND_SERVICE myapp:1.0

This grants specifically the capability needed to bind to a privileged port, without granting the broader root access that capability was traditionally bundled with.

Common Capabilities Relevant to Containers

Certain capabilities are more commonly relevant to typical containerized applications than others.

NET_BIND_SERVICE   - bind to privileged ports
CHOWN              - change file ownership
SETUID, SETGID     - change process user/group identity

An application needing to bind to a privileged port specifically needs NET_BIND_SERVICE, without needing any of the many other capabilities also traditionally bundled under full root access.

Inspecting a Container's Currently Granted Capabilities

Confirming exactly which capabilities a running container actually has helps validate that capability configuration matches what was intended.

docker exec myapp cat /proc/1/status | grep Cap
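The Cap* lines that command prints are hex bitmasks (CapEff is the effective set, CapBnd the bounding set, CapPrm the permitted set), which are not readable at a glance. The POSIX shell script below is an added example, not part of the original guide: it decodes such a mask into capability names using the bit numbering from linux/capability.h, counts them, and flags the broadly powerful ones; the sample mask is a constructed value (the CapEff a default Docker container commonly shows), and caps_of_pid only works on Linux.

```shell
#!/bin/sh
# Added example (not from the original page): decode the hex masks in the
# Cap* lines of /proc/<pid>/status into capability names.
# Assumption: bit numbers follow linux/capability.h (bit 0 = CAP_CHOWN ...).

# Capability names indexed by kernel bit number, lowest bit first.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# Capabilities that amount to near-root on the host when granted to a container.
BROAD_CAPS="sys_admin sys_module sys_rawio sys_ptrace dac_read_search net_admin"

# decode_caps HEXMASK: print the name of every capability whose bit is set, one per line.
decode_caps() {
    mask=$(( 0x$1 ))
    i=0
    for name in $CAP_NAMES; do
        [ $(( (mask >> i) & 1 )) -eq 1 ] && echo "$name"
        i=$(( i + 1 ))
    done
    return 0
}

# count_caps HEXMASK: number of capabilities the mask grants.
count_caps() {
    n=0
    for cap in $(decode_caps "$1"); do n=$(( n + 1 )); done
    echo "$n"
}

# flag_broad_caps HEXMASK: print only the broad, near-root capabilities present.
flag_broad_caps() {
    for cap in $(decode_caps "$1"); do
        case " $BROAD_CAPS " in *" $cap "*) echo "$cap" ;; esac
    done
    return 0
}

# caps_of_pid PID: effective mask of a live process (Linux only), e.g. PID 1 in a container.
caps_of_pid() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Constructed sample: the CapEff mask a default Docker container commonly shows.
SAMPLE_MASK="00000000a80425fb"
echo "Capabilities in ${1:-$SAMPLE_MASK}:"
decode_caps "${1:-$SAMPLE_MASK}"
```

Run it with a mask copied from the CapEff line (or pipe `docker exec myapp cat /proc/1/status` through `awk '/^CapEff:/ {print $2}'` first) to see exactly which capabilities a container ended up with.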

Why Capabilities Support More Precise Privilege Control Than All-or-Nothing Root

Granting just the specific capability an application genuinely needs, rather than full root access (or a workaround such as running as non-root only to find that the application still needs a privileged port), gives considerably more precise control over a container's actual privilege footprint. Dropping everything first and then adding back the single capability required makes that footprint explicit:

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp:1.0

Why Linux Capabilities Matter

Understanding and deliberately controlling a container's granted capabilities, rather than relying on Docker's broader default set or on full root access, is a precise tool for reducing a container's actual privilege footprint to exactly what its application genuinely requires.