
Linux Capabilities

A mechanism for splitting root privileges into narrow, independently grantable units.

Linux capabilities are a mechanism for dividing the privileges traditionally associated with the root user into distinct, independently grantable units. Instead of a process being either fully unprivileged or fully root, capabilities let a system grant only the specific privileged operations a process actually needs, such as binding to a low-numbered network port or changing file ownership, while withholding everything else.

How it works

The Linux kernel defines dozens of capabilities, each governing a narrow class of privileged operation. Examples include CAP_NET_BIND_SERVICE, which allows binding to ports below 1024; CAP_SYS_ADMIN, which covers a broad set of administrative operations and is generally best avoided; and CAP_CHOWN, which allows changing file ownership. Container runtimes like Docker start containers with a limited default capability set, already smaller than full root, and allow operators to drop capabilities further or add specific ones back with the --cap-drop and --cap-add flags.

Why it matters for AI agents

An agent container that runs as root with the full default capability set has far more power than most agent workloads actually require: it can potentially change file ownership across the filesystem, manipulate network interfaces, or perform other administrative actions unrelated to the agent's task. Since an agent's actual commands are determined at runtime by model output, there is no way to review in advance exactly what it will try to do, which makes minimizing standing privilege more important than it would be for a fixed, human-written program. Dropping capabilities the agent does not need shrinks the set of things a compromised or misdirected agent process could do, even if it managed to execute arbitrary code inside its container.

Principle of least privilege

Capability restriction is a direct application of least privilege at the kernel level: grant only what is needed to do the job, and nothing else. For most application workloads, including AI agents that execute code, read files, and make network calls within their own container, the full root capability set is unnecessary, and a hardened container drops most or all of it.
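One way to check that a container really holds only what it needs is to decode the CapEff bitmask from /proc/<pid>/status and compare it with the set the workload requires. The following is an added example, not code from this page or from Agenhood; the two status snippets are constructed samples, the function names are hypothetical, and the bit table is a subset of the numbers in linux/capability.h.

```python
import re

# Bit numbers from <linux/capability.h>; a subset, anything else is reported by number.
CAP_BITS = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD",
    29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP",
}

def decode_mask(mask):
    """Turn a capability bitmask into a set of capability names."""
    names, bit = set(), 0
    while mask:
        if mask & 1:
            names.add(CAP_BITS.get(bit, f"CAP_UNKNOWN_{bit}"))
        mask >>= 1
        bit += 1
    return names

def effective_caps(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return decode_mask(int(m.group(1), 16))

def excess_caps(status_text, needed):
    """Capabilities the process holds beyond the set the workload needs."""
    return sorted(effective_caps(status_text) - set(needed))

# Constructed samples: a root process with 14 capabilities (assumed to resemble
# a runtime default set), and one left with only CAP_NET_BIND_SERVICE.
SAMPLE_DEFAULT = ("Name:\tagent\nCapInh:\t0000000000000000\n"
                  "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
                  "CapBnd:\t00000000a80425fb\n")
SAMPLE_HARDENED = "Name:\tagent\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"

if __name__ == "__main__":
    import sys
    # Pass a saved status file, e.g. a copy of /proc/1/status from the container.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEFAULT
    for cap in excess_caps(text, {"CAP_NET_BIND_SERVICE"}):
        print("excess capability:", cap)
```

An empty result means the process holds nothing beyond the declared set; any CAP_UNKNOWN_n entry is a bit outside the table above and should be looked up before it is accepted.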

Agenhood's implementation

Agenhood's agent containers run with dropped Linux capabilities as part of their sandbox configuration, alongside a read-only root filesystem and no direct network gateway. This keeps each agent's process privileges close to the minimum needed to execute its assigned task, rather than inheriting the broad default privilege set a container would otherwise start with.
