An example of setting and getting a Linux capabilityIf you run across a command than reports an error suggesting a missing capability like NET_ADMIN, then you may want to use capabilities to allow non-root user to execute special commands such as iotop:
[kwright@ryzen5 cvs]$ iotop
Netlink error: Operation not permitted (1)
The Linux kernel interfaces that iotop relies on now require root priviliges
or the NET_ADMIN capability. This change occured because a security issue
(CVE-2011-2494) was found that allows leakage of sensitive data across user
boundaries. If you require the ability to run iotop as a non-root user, please
configure sudo to allow you to run iotop as root.
Please do not file bugs on iotop about this.
[kwright@ryzen5 cvs]$ setcap
usage: setcap [-q] [-v] (-r|-|
SETCAP(8) System Manager's Manual SETCAP(8)
setcap - set file capabilities
setcap [-q] [-v] (capabilities|-|-r) filename [ ... capabilitiesN fileN ]
In the absence of the -v (verify) option setcap sets the capabilities of each specified
filename to the capabilities specified. The -v option is used to verify that the specified
capabilities are currently associated with the file.
The capabilities are specified in the form described in cap_from_text(3).
The special capability string, '-', can be used to indicate that capabilities are read from
the standard input. In such cases, the capability set is terminated with a blank line.
The special capability string, '-r', is used to remove a capability set from a file.
The -q flag is used to make the program less verbose in its output.
The setcap program will exit with a 0 exit code if successful. On failure, the exit code is
cap_from_text(3), cap_set_file(3), getcap(8),capabilities(7)
[kwright@ryzen5 cvs]$ sudo setcap cap_net_admin+eip /usr/sbin/iotop
[kwright@ryzen5 cvs]$ echo $?
[kwright@ryzen5 cvs]$ getcap /usr/sbin/iotop
/usr/sbin/iotop = cap_net_admin+eip