External

• https://man7.org/linux/man-pages/man7/capabilities.7.html

Internal

• Linux Security
• Kubernetes Pod and Container Security

Overview

Traditional UNIX implementations distinguish two categories of processes for the purpose of performing permission checks: privileged processes and unprivileged processes. A privileged process is a process with its effective user ID is 0, referred to as superuser or root. An unprivileged process is a process with a non-zero its effective user ID. Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process' credentials: effective UID, effective GID and supplementary group list.

Linux (or kernel) capabilities