Removing capabilities to break down the power of a root user inside a container
In simple terms, with capabilities we can break down the power of a root user. Note the following from the capabilities man page:
For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is non-zero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superusers into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
Some examples of capabilities are as follows:
CAP_SYSLOG
...
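To see which capabilities a process actually holds, the kernel exposes each capability set as a hexadecimal bitmask in /proc/<pid>/status. The following is an added example, not code from the original text: it decodes those masks into CAP_* names and computes the mask left after dropping capabilities. The function names and the sample status text are constructed for illustration.

```python
import re

# Capability names indexed by bit number, from <linux/capability.h>.
# Bits 38-40 exist only on newer kernels.
CAP_NAMES = ["CAP_" + n for n in """
CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP
LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN
SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE
AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND
AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE""".split()]
FULL_ROOT = (1 << len(CAP_NAMES)) - 1  # mask with every known capability set

# Constructed sample: status of a UID 0 process holding a reduced capability set.
SAMPLE_STATUS = ("Name:\tsh\nUid:\t0\t0\t0\t0\n"
                 "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
                 "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
                 "CapAmb:\t0000000000000000\n")

def parse_cap_sets(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from /proc/<pid>/status text."""
    pattern = r"^(Cap\w+):\s*([0-9a-fA-F]+)$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def decode(mask):
    """Expand a capability bitmask into CAP_* names, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"unknown({bit})")
        bit += 1
    return names

def drop(mask, *caps):
    """Return the mask with the named capabilities cleared."""
    for cap in caps:
        mask &= ~(1 << CAP_NAMES.index(cap))
    return mask

if __name__ == "__main__":
    eff = parse_cap_sets(SAMPLE_STATUS)["CapEff"]
    print("held:   ", ", ".join(decode(eff)))
    print("missing:", ", ".join(decode(FULL_ROOT & ~eff)))
    print("after dropping CAP_NET_RAW: %016x" % drop(eff, "CAP_NET_RAW"))
```

On a live system, pass the contents of /proc/self/status (or /proc/<pid>/status) to parse_cap_sets instead of the sample text.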