Capabilities are a Linux kernel feature that divides the traditional superuser privileges into distinct, independently enableable units. A process with a specific capability bypasses the corresponding permission check without needing full root privileges.
Purpose
Reducing setuid binaries
Capabilities reduce the need for setuid binaries. For example, the ping utility was historically installed setuid root, but in most modern distributions it ships as a normal binary that carries only the CAP_NET_RAW file capability, which is all it needs to open a raw socket.
Selected capabilities
CAP_SYS_ADMIN: system administration operations such as mount, umount, sethostname, unshare
CAP_NET_ADMIN: network administration: interface and firewall configuration, routing tables
CAP_NET_BIND_SERVICE: bind to privileged ports below 1024
CAP_SYS_CHROOT: use chroot
CAP_SYS_PTRACE: trace arbitrary programs with ptrace
CAP_SYS_TIME: set system and hardware clock
CAP_NET_RAW: use raw and packet sockets
Containers
Docker default
Docker uses capabilities to limit the root user inside containers instead of relying on user namespaces. By default, containers do not receive CAP_SYS_PTRACE, which is why gdb cannot attach to or trace processes inside a container started with the default capability set.
Privileged mode
A privileged Docker container runs as root with all capabilities enabled. This is generally not recommended because it removes the security benefits of capability restrictions.
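The capability sets a process actually holds are visible as hex bitmasks in the Cap* lines of /proc/<pid>/status. The following script, added here as an example and not code from the original article, decodes those masks into capability names so that the difference between the default Docker set, a privileged container, and a single-capability binary such as ping can be inspected directly. The capability numbering follows the kernel's linux/capability.h; the /proc status text embedded below is a constructed sample whose CapEff value is computed from the bit numbers of Docker's documented default capability set.

```python
"""Decode the Cap* bitmasks from /proc/<pid>/status into capability names.

Added example for this page, not part of the original article. Capability
bit numbers follow linux/capability.h; the status text at the bottom is a
constructed sample, not captured output.
"""
import re

# Capability names indexed by their bit number in the kernel bitmask
# (CAP_CHOWN is bit 0, CAP_CHECKPOINT_RESTORE is bit 40 on recent kernels).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$")


def decode_mask(hex_mask: str) -> list[str]:
    """Turn a 64-bit hex capability mask into the names of the set bits."""
    mask = int(hex_mask, 16)
    names = []
    for bit in range(64):
        if mask & (1 << bit):
            # A bit newer than this table is reported by number, not dropped.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_status(status_text: str) -> dict[str, list[str]]:
    """Extract and decode the five Cap* sets from /proc/<pid>/status text."""
    sets = {}
    for line in status_text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = decode_mask(m.group(2))
    return sets


def has_effective(status_text: str, cap_name: str) -> bool:
    """True if cap_name is in the effective set (the set the kernel checks)."""
    return cap_name in parse_status(status_text).get("CapEff", [])


def read_process_capabilities(pid: str = "self") -> dict[str, list[str]]:
    """Read and decode the capability sets of a live process (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return parse_status(f.read())


# Constructed sample: what root inside a container with Docker's default
# capability set shows. 0xa80425fb is the bitmask of those 14 capabilities.
DOCKER_DEFAULT_STATUS = """\
Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample: all 41 capabilities set, as in a privileged container.
PRIVILEGED_EFF = "000001ffffffffff"

if __name__ == "__main__":
    for name, caps in parse_status(DOCKER_DEFAULT_STATUS).items():
        print(f"{name}: {' '.join(caps) or '(none)'}")
    print("ptrace allowed:", has_effective(DOCKER_DEFAULT_STATUS, "CAP_SYS_PTRACE"))
    print("privileged holds", len(decode_mask(PRIVILEGED_EFF)), "capabilities")
```

Run it on a live process with read_process_capabilities() (or on a container PID from the host) and compare CapEff against the table above: a hardened container should show a short list that does not include CAP_SYS_ADMIN or CAP_SYS_PTRACE, while a privileged container decodes to the full set.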