Which Linux capability do I need in order to write to /proc/sys/vm/drop_caches?
The proc filesystem doesn't support capabilities, ACL, or even changing basic permissions with chmod. Unix permissions determine whether the calling process gets access. Thus only root can write that file. With user namespaces, that's the global root (the one in the original namespace); root in a container doesn't get to change sysctl settings.
As far as I know, the only solution to change a sysctl setting from inside a non-privileged namespace is to arrange a communication channel with the outside (e.g. a socket or pipe), and have the listening process run as root outside the container.
As an addendum to the accepted answer by Gilles:
I managed to achieve my goal of writing to /proc/sys/vm/drop_caches (or to /proc in general, to be precise) in a much easier way when working with docker:
docker run -ti --rm -v /proc:/writable_proc ubuntu:vivid bash
# echo 3 > /writable_proc/sys/vm/drop_caches
That does it for my purpose.
Thank you very much for your helpful answer!