cap_drop_bound - Linux


Overview

cap_drop_bound bounds the capabilities available to child processes. It is typically used after a setuid/setgid program has gained extra privileges, to restrict the capabilities that any child process can inherit.

Syntax

cap_drop_bound <name | numeric>
  • <name | numeric>: Name or numeric value of the capability to be bounded.
    • To specify multiple capabilities, separate the names with commas.
    • The numeric value should always be prefixed with CAP_.

Options/Flags

None.

Examples

  • Bound all capabilities to the current bounds:
cap_drop_bound all
  • Bound a specific capability by name:
cap_drop_bound CAP_SYS_ADMIN
  • Bound multiple capabilities, separated by commas:
cap_drop_bound CAP_SYS_ADMIN,CAP_SYS_BOOT

Common Issues

  • Ensure you have root privileges before running the command, as it operates on the capabilities of the current process.
  • Specify the correct capability name or numeric value.
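
The two issues above, handled in code. This is an added example, not code from the original page or from the cap_drop_bound command: it takes the comma-separated form shown under Examples, validates the whole list before dropping anything, and uses the kernel's prctl(PR_CAPBSET_DROP) operation, which fails with EPERM unless the caller has CAP_SETPCAP in its effective set. The helper names cap_lookup, parse_cap_list and drop_bounding and the two-entry name table are assumptions made for this example.

```c
#include <errno.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Name table for this example only; extend with the capabilities you need. */
static const struct { const char *name; int value; } cap_names[] = {
    { "CAP_SYS_ADMIN", CAP_SYS_ADMIN },
    { "CAP_SYS_BOOT", CAP_SYS_BOOT },
};

/* Hypothetical helper: capability name -> number, or -1 if unknown. */
int cap_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof cap_names / sizeof cap_names[0]; i++)
        if (strcmp(name, cap_names[i].name) == 0)
            return cap_names[i].value;
    return -1;
}

/* Hypothetical helper: parse "CAP_A,CAP_B" into out[] and return the count.
 * Returns -1 on an unknown name, an empty field or more than max entries. */
int parse_cap_list(const char *list, int *out, int max)
{
    int n = 0;
    while (*list) {
        char name[32];
        size_t len = strcspn(list, ",");
        if (len == 0 || len >= sizeof name || n == max) return -1;
        memcpy(name, list, len);
        name[len] = '\0';
        if ((out[n++] = cap_lookup(name)) < 0) return -1;
        list += len;
        if (*list == ',' && *++list == '\0') return -1; /* trailing comma */
    }
    return n > 0 ? n : -1;
}

/* Validate the whole list first, then drop each capability from the bounding
 * set. Returns 0, or -1 with errno set (EPERM without CAP_SETPCAP). */
int drop_bounding(const char *list)
{
    int caps[8], n = parse_cap_list(list, caps, 8);
    if (n < 0) { errno = EINVAL; return -1; }
    for (int i = 0; i < n; i++)
        if (prctl(PR_CAPBSET_DROP, caps[i], 0, 0, 0) != 0) return -1;
    return 0;
}
int main(void) { return drop_bounding("CAP_SYS_ADMIN,CAP_SYS_BOOT") ? 1 : 0; }
```

The bounding set is inherited across fork and preserved across execve, so children started after a successful call cannot regain the dropped capabilities.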

Integration

Combine cap_drop_bound with capset to control the capabilities of a process. For example:

# Drop the SYS_ADMIN capability of the current process
cap_drop_bound CAP_SYS_ADMIN

# Set the effective capabilities of a new child process
capset -e +ep

Related Commands

  • capset – Set or get capabilities of a process or file.
  • getcap – Get capabilities of a file.
  • setcap – Set capabilities of a file.