cap_drop_bound - Linux
Overview
cap_drop_bound allows the bounding of capabilities for child processes. Typically used after a setuid/setgid program has gained extra privileges, it helps restrict the capabilities that can be inherited by any child processes.
Syntax
cap_drop_bound <name | numeric>
<name | numeric>: Name or numeric value of the capability to be bounded.
- To specify multiple capabilities, separate the names with commas.
- The numeric value should always be prefixed with CAP_.
Options/Flags
None.
Examples
- Bound all capabilities to the current bounds:
cap_drop_bound all
- Bound a specific capability by name:
cap_drop_bound CAP_SYS_ADMIN
- Bound multiple capabilities by numeric value:
cap_drop_bound CAP_SYS_ADMIN,CAP_SYS_BOOT
Common Issues
- Ensure you have root privileges before running the command as it operates on the capabilities of the current process.
- Specify the correct capability name or numeric value.
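The drops from the Examples section, together with the privilege check noted above, expressed at the system-call level. This is an added example, not part of the original page: it assumes the Linux prctl(2) operations PR_CAPBSET_DROP and PR_CAPBSET_READ as the kernel interface to the bounding set, and the helper names bound_has, bound_drop and bound_drop_list are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Returns 1 if cap is in the bounding set, 0 if it is not, and -1 with
 * errno = EINVAL if the kernel does not know the number. No privilege needed. */
int bound_has(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
}

/* Removes cap from the caller's bounding set. The drop cannot be undone and
 * is inherited by children. Without CAP_SETPCAP it fails with EPERM. */
int bound_drop(int cap)
{
    if (bound_has(cap) < 0)
        return -1;                      /* unknown capability, errno = EINVAL */
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) != 0)
        return -1;                      /* errno set by the kernel */
    return bound_has(cap) == 0 ? 0 : -1; /* verify, do not trust the call alone */
}

/* Drops every listed capability; returns how many are not confirmed absent. */
int bound_drop_list(const int *caps, int n)
{
    int remaining = 0;
    for (int i = 0; i < n; i++)
        if (bound_drop(caps[i]) != 0 && bound_has(caps[i]) != 0)
            remaining++;
    return remaining;
}

int main(void)
{
    const int caps[] = { CAP_SYS_ADMIN, CAP_SYS_BOOT }; /* sample list */
    int left = bound_drop_list(caps, 2);
    for (int i = 0; i < 2; i++)
        printf("capability %d in bounding set: %d\n", caps[i], bound_has(caps[i]));
    if (left)
        fprintf(stderr, "%d capability(ies) still bounded in; CAP_SETPCAP is required\n", left);
    return left ? 1 : 0;
}
```

Reading the set back after each drop catches the case where the call was refused and the process would otherwise continue with a wider bounding set than intended.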
Integration
Combine cap_drop_bound with capset to control the capabilities of a process. For example:
# Drop the SYS_ADMIN capability of the current process
cap_drop_bound CAP_SYS_ADMIN
# Set the effective capabilities of a new child process
capset -e +ep
Related Commands
- capset – Set or get capabilities of a process or file.
- getcap – Get capabilities of a file.
- setcap – Set capabilities of a file.