File capabilities allow users to execute programs with higher privileges than they themselves hold. The best-known example is the network utility ping.

The ping binary carries the capabilities CAP_NET_ADMIN and CAP_NET_RAW. A normal user does not have the CAP_NET_ADMIN privilege, but because the executable file ping itself carries that capability, the user can still run it:

$ getcap `which ping`
/usr/bin/ping = cap_net_admin,cap_net_raw+p

Which normally works as follows:

$ ping -c 1
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=55 time=36.9 ms

--- ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 36.885/36.885/36.885/0.000 ms

If you copy the file as a normal user, the copy loses the capability and the command ceases to work:

$ cp `which ping` /tmp/ping

$ /tmp/ping -c 1
ping: socket: Operation not permitted
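As an added example (not part of the original post), the script below reads and decodes the security.capability extended attribute that getcap is reporting, which also shows why the copy in /tmp loses its privilege: the capability lives in an xattr that a plain cp does not carry over. The sample blob is constructed to match the getcap output above; decode_vfs_cap, getcap_string and file_caps are names chosen here, not part of any library.

```python
import errno
import os
import struct

# Subset of capability bit numbers from include/uapi/linux/capability.h.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 6: "cap_setgid", 7: "cap_setuid",
             12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin", 31: "cap_setfcap"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001

# Constructed sample: revision-2 xattr, permitted = CAP_NET_ADMIN|CAP_NET_RAW (bits 12 and 13).
SAMPLE_PING_XATTR = bytes.fromhex("00000002" "00300000" "00000000" "00000000" "00000000")


def decode_vfs_cap(blob):
    """Decode struct vfs_cap_data (little-endian): u32 magic_etc, then {permitted, inheritable}
    for the low and then the high 32 bits; revision 3 appends a u32 rootid."""
    magic_etc, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", blob, 0)
    revision = (magic_etc & VFS_CAP_REVISION_MASK) >> 24
    rootid = struct.unpack_from("<I", blob, 20)[0] if revision == 3 else 0
    names = lambda mask: [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1]
    return {"revision": revision, "rootid": rootid,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": names(p_lo | p_hi << 32),
            "inheritable": names(i_lo | i_hi << 32)}


def getcap_string(caps):
    """Render the permitted set the way getcap prints it for the common case
    where the inheritable set is empty, e.g. cap_net_admin,cap_net_raw+p."""
    if not caps["permitted"]:
        return ""
    return ",".join(caps["permitted"]) + "+" + ("e" if caps["effective"] else "") + "p"


def file_caps(path):
    """Decoded file capabilities of path, or None if it carries none. A plain cp(1) does not
    copy xattrs (and writing security.capability needs CAP_SETFCAP), so /tmp/ping gives None."""
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return decode_vfs_cap(blob)


if __name__ == "__main__":
    import shutil
    for p in (shutil.which("ping") or "/usr/bin/ping", "/tmp/ping"):
        caps = file_caps(p) if os.path.exists(p) else None
        print(p, getcap_string(caps) if caps else "(no file capabilities)")
```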


Linux Capabilities: making them work