Grant specific kernel privileges to binaries so they can do one job without running as root.

16.11.2025 | reading time: 2 min

Ever needed a service to bind to port 80 or open raw sockets without running a full-root daemon? `setcap` is the tool administrators use to give a single binary the exact capability it needs instead of granting blanket root access.

Bind port 80 without root

The steps and their results:

1. Check the current capabilities with `getcap /usr/local/bin/myapp`, which usually prints nothing.
2. Run `sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/myapp`.
3. Validate with `getcap /usr/local/bin/myapp`, which prints `/usr/local/bin/myapp = cap_net_bind_service+ep`.
4. Run the program as an unprivileged user; it can now bind to port 80 without being uid 0.

Practical caveats

Capabilities live in extended attributes on the executable, so they require a filesystem with xattr support and are ignored for plain scripts. Replacing or copying a file without preserving xattrs drops the capabilities, and rebuilding from source removes them. Remember that setting capabilities still requires administrator rights and can expose powerful abilities if misused.

Other useful commands

Use `getcap` to inspect file capabilities, `capsh --print` to view process capability sets and experiment with changes, and `setpriv` or namespaces to run processes with reduced or altered capabilities for safer testing. These tools let the administrator verify and iterate without guessing.

A compact checklist

Ensure the target is a native binary, confirm the filesystem supports extended attributes, choose the minimal capability needed instead of root, verify with `getcap`, and treat capability grants as part of hardening and auditing policies.
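
One way to act on the last checklist item, as an added example that is not part of the original article: a small shell function that compares `getcap` output with a list of expected grants and reports anything extra. The allowlist format and all sample paths except `/usr/local/bin/myapp` are assumptions made for the illustration; the function accepts both the `path = caps+ep` layout shown above and the `path caps=ep` layout printed by newer libcap releases.

```shell
#!/bin/sh
# Added example: flag file capabilities that are not on an expected-grants list.

# Constructed sample of getcap output. The first line uses the older
# "path = caps+ep" layout shown above, the others the newer "path caps=ep".
sample_getcap_output() {
    cat <<'EOF'
/usr/local/bin/myapp = cap_net_bind_service+ep
/usr/bin/ping cap_net_raw=ep
/opt/tools/helper cap_net_bind_service,cap_sys_admin=ep
EOF
}

# Hypothetical allowlist format (not a libcap convention): "path capability" per line.
SAMPLE_ALLOWLIST='/usr/local/bin/myapp cap_net_bind_service
/usr/bin/ping cap_net_raw
/opt/tools/helper cap_net_bind_service'

# audit_caps ALLOWLIST: reads getcap lines on stdin and prints
# "path<TAB>capability" for every grant missing from the allowlist.
audit_caps() {
    ALLOW=$1 awk '
    BEGIN {
        n = split(ENVIRON["ALLOW"], rows, "\n")
        for (i = 1; i <= n; i++)
            if (split(rows[i], kv, " ") == 2) ok[kv[1], kv[2]] = 1
    }
    {
        # Walk back from the end of the line over capability clauses;
        # whatever precedes them is the path (which may contain spaces).
        first = NF + 1
        for (i = NF; i >= 2; i--) {
            if ($i ~ /^(cap_[a-z0-9_,]+)?([-+=][eip]*)+$/) { first = i } else { break }
        }
        if (first > NF) next                 # no capability clause found
        path = $1
        for (i = 2; i < first; i++) path = path " " $i
        for (i = first; i <= NF; i++) {
            clause = $i
            sub(/[-+=].*$/, "", clause)      # drop the flag part (+ep, =ep)
            m = split(clause, caps, ",")
            for (j = 1; j <= m; j++)
                if (caps[j] != "" && !((path, caps[j]) in ok))
                    printf "%s\t%s\n", path, caps[j]
        }
    }'
}

# Prints: /opt/tools/helper<TAB>cap_sys_admin
sample_getcap_output | audit_caps "$SAMPLE_ALLOWLIST"
```

On a live host, pipe `getcap -r / 2>/dev/null` into `audit_caps` and keep the allowlist under version control so that every new grant shows up as a reviewed change.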

Final thought

Capabilities are a powerful way to reduce attack surface by giving programs only what they need; explore these tools hands-on and consider advancing your skills toward certifications like CompTIA Linux+ or LPIC-1, with focused exam preparation available at bitsandbytes.academy.