CAP_SYS_ADMIN

Jan 1, 0001

Definition

CAP_SYS_ADMIN is a Linux capability that grants a wide range of administrative privileges, often considered the most powerful and broad capability. It allows processes to perform various system-level operations, such as mounting filesystems, configuring network interfaces, and managing kernel modules. Due to its extensive permissions, it should be granted sparingly and only to trusted processes or users to minimize security risks.

Secure Settings Example

# Kubernetes PodSecurityContext example to restrict CAP_SYS_ADMIN
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
  - name: secure-container
    image: example-image
    securityContext:
      capabilities:
        drop:
        - SYS_ADMIN

Insecure Settings Example

# Kubernetes PodSecurityContext example granting CAP_SYS_ADMIN
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: insecure-container
    image: example-image
    securityContext:
      capabilities:
        add:
        - SYS_ADMIN

CAP_SYS_ADMIN

Definition

Secure Settings Example

Insecure Settings Example

Ask AppSec: free security newsletter

Ask AppSec: free security newsletter