drop-root-caps 1.1.2

A simple crate to drop 'root' user capabilities on Linux
# Drop Root Capabilities

[![no_std](https://img.shields.io/badge/rust-no__std-orchid?logo=rust)](https://docs.rust-embedded.org/book/intro/no-std.html)
[![Crates.io](https://img.shields.io/crates/v/drop-root-caps)](https://crates.io/crates/drop-root-caps)
[![Downloads](https://img.shields.io/crates/d/drop-root-caps)](https://crates.io/crates/drop-root-caps)
[![License](https://img.shields.io/crates/l/sponge-hash-aes256)](https://opensource.org/license/0BSD)

A simple crate to drop "root" user capabilities on Linux.

On Linux, the "root" user (UID 0) has some special capabilities that "regular" users do **not** normally have. This can result in weird behavior, e.g., if unit tests (or integration tests) are executed in the context of the "root" user, as Docker® containers do by default! For example, a file that **should not** be accessible (according to its access permissions) may suddenly become accessible – because the "root" user has the `CAP_DAC_OVERRIDE` capability, which allows the "root" user to access the file *regardless of the access permissions*. As a result, a test case that expects `File::open()` to return a "permission denied" error (and rightfully so!) will suddenly start to fail 😨

This crate uses the Linux syscall [`prctl()`](https://man7.org/linux/man-pages/man2/prctl.2.html) with argument [`PR_CAPBSET_DROP`](https://man7.org/linux/man-pages/man2/PR_CAPBSET_DROP.2const.html) to drop the "root"-specific capabilities at application startup and thus restores the expected behavior. It does *nothing* on other platforms.
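The kernel reports a process's bounding set as the `CapBnd` line of `/proc/self/status`, so a test can check whether the permission-bypass capabilities are still present. The following is an added example, not code from this crate; the two status excerpts are constructed, and the "after" excerpt assumes that only `CAP_DAC_OVERRIDE` and `CAP_DAC_READ_SEARCH` were removed.

```rust
use std::fs;

// Capability bit numbers from <linux/capability.h>.
const CAP_DAC_OVERRIDE: u32 = 1;
const CAP_DAC_READ_SEARCH: u32 = 2;

// Constructed excerpts of /proc/<pid>/status for a UID 0 process. AFTER assumes
// that only the two DAC-bypass capabilities were dropped from the bounding set.
const SAMPLE_BEFORE: &str = "Name:\ttests\nUid:\t0\t0\t0\t0\nCapBnd:\t000001ffffffffff\n";
const SAMPLE_AFTER: &str = "Name:\ttests\nUid:\t0\t0\t0\t0\nCapBnd:\t000001fffffffff9\n";

/// Parses the hex mask of `field` (e.g. "CapBnd") from status text.
fn cap_mask(status: &str, field: &str) -> Option<u64> {
    status.lines().find_map(|line| {
        let (key, value) = line.split_once(':')?;
        if key.trim() != field {
            return None;
        }
        u64::from_str_radix(value.trim(), 16).ok()
    })
}

/// True if capability number `cap` is set in `mask`.
fn has_cap(mask: u64, cap: u32) -> bool {
    mask & (1u64 << cap) != 0
}

/// Names of the file-permission-bypass capabilities still present in `mask`.
fn dac_bypass_caps(mask: u64) -> Vec<&'static str> {
    [(CAP_DAC_OVERRIDE, "CAP_DAC_OVERRIDE"), (CAP_DAC_READ_SEARCH, "CAP_DAC_READ_SEARCH")]
        .iter()
        .filter(|(bit, _)| has_cap(mask, *bit))
        .map(|(_, name)| *name)
        .collect()
}

fn main() {
    for (label, text) in [("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)] {
        let mask = cap_mask(text, "CapBnd").expect("sample has a CapBnd line");
        println!("{label}: CapBnd={mask:#018x} bypass={:?}", dac_bypass_caps(mask));
    }
    // On Linux, report the bounding set of the running process as well.
    if let Ok(live) = fs::read_to_string("/proc/self/status") {
        if let Some(mask) = cap_mask(&live, "CapBnd") {
            println!("live: CapBnd={mask:#018x} bypass={:?}", dac_bypass_caps(mask));
        }
    }
}
```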

## Usage

Add the following to your **`Cargo.toml`** file:

```toml
[dev-dependencies]
drop-root-caps = "1.1.2"
```

You probably do **not** want to add this crate to your `[dependencies]`, *only* to the `[dev-dependencies]` 💡

Also, you **must** add the following code to your test module(s), because otherwise the Rust compiler optimizes away the `drop-root-caps` dependency 😬

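```rust
// `#[used]` keeps this static, and with it the reference to `drop_root_caps`,
// in the compiled test binary.
#[used]
static DROP_ROOT_CAPS: () = drop_root_caps::set_up();
```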

## License

This software is released under the BSD Zero Clause (“0BSD”) License.

Copyright (C) 2025 by LoRd_MuldeR <mulder2@gmx.de>.