You don’t need to be root user or user added to sudoers to access only limited root user functionality for a small operation.We have the linux capabilities that aid in doing things that requires root permission.
Capability can be used to improve the security by
• Running a service/daemon with uid=0 but with the minimum superuser privileges
• Configure files so they can be accessed only by an admin or a process with the right privileges, and cannot be accessed by anyone else even unprivileged root.
Just because we have capabilities means that the system is secure ?
There are a lot of ways to exploit capabilities since they are complex to use so should be handled with utmost care else we create a backdoor in the name of security 😉.This can be referred in this beautiful pdf .
Here I will be discussing the process capability going further
Each Linux process has four sets of bitmaps called the effective (E), permitted (P), inheritable (I), and bset capabilities. Each capability is implemented as a bit in each of these bitmaps, which is either set or unset.
The effective capability set tells what capabilities are effective ,permitted capability set tells what capabilities a process can use and inheritable capability set tells what capabilities of the current process should be inherited by the program which would be forked .
You can refer to the program to see the capabilities in action
https://man7.org/tlpi/code/online/book/cap/check_password_caps.c.html
References:
fork&exec 