Setting capabilities can lead to privilege escalation and container escapes.
Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges.
In a container, capabilities might allow access to resources on the host system, which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside the container.
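As an added example (not part of the rule text), a small Python checker over parsed docker-compose service definitions: it flags every ``cap_add`` entry, marks ``SYS_ADMIN`` (the capability named above) as high risk, and reports services that do not drop the default capability set. The compose snippets, the function names and the high-risk list beyond ``SYS_ADMIN`` are constructed assumptions.

```python
"""Flag Linux capabilities granted to Docker Compose services.

Added example, not the rule's own code. The compose data below is
constructed and already parsed (plain dicts), so no YAML library is needed.
"""

# SYS_ADMIN is the capability the rule text names; the others are assumed
# additions, each widely documented as a path to host access from a container.
HIGH_RISK = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN"}


def normalize(cap):
    """Docker accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare on one form."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_service(name, service):
    """Return a list of findings (strings) for one compose service."""
    findings = []
    if service.get("privileged"):
        # --privileged hands the container every capability at once.
        findings.append(f"{name}: 'privileged: true' grants all capabilities")
    for raw in service.get("cap_add", []):
        cap = normalize(raw)
        if cap == "ALL" or cap in HIGH_RISK:
            findings.append(f"{name}: cap_add {cap} is high risk (host escape)")
        else:
            findings.append(f"{name}: cap_add {cap} extends root privileges")
    dropped = {normalize(c) for c in service.get("cap_drop", [])}
    if "ALL" not in dropped:
        # Without cap_drop: [ALL] the container keeps Docker's default bundle.
        findings.append(f"{name}: default capabilities kept (add cap_drop: [ALL])")
    return findings


def audit_compose(compose):
    """Audit every service in a parsed compose file."""
    services = compose.get("services", {})
    return [f for n, s in services.items() for f in audit_service(n, s)]


# Constructed compose files, as they look after YAML parsing.
NONCOMPLIANT = {"services": {"web": {"image": "nginx", "cap_add": ["SYS_ADMIN"]}}}
COMPLIANT = {"services": {"web": {"image": "nginx", "cap_drop": ["ALL"]}}}

if __name__ == "__main__":
    for finding in audit_compose(NONCOMPLIANT) + audit_compose(COMPLIANT):
        print(finding)
```

Running it prints two findings for the noncompliant service and none for the compliant one; the same checks apply to a Kubernetes ``securityContext.capabilities`` block once its ``add``/``drop`` lists are mapped onto ``cap_add``/``cap_drop``.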