cap_launcher_set_mode - Linux
Overview
cap_launcher_set_mode launches a program with an adjusted capability set, granting or removing individual Linux capabilities (see capabilities(7)) before the target executes. Used well, it lets a process run with only the one or two capabilities it needs (for example CAP_NET_ADMIN for a firewall tool) instead of the full set that comes with running as root.
Syntax
cap_launcher_set_mode [options] <operation> <mode> <exe> [arguments]
Options/Flags
- -c, --capability <CAP>: The capability to grant or revoke, spelled as in capabilities(7) (e.g. CAP_NET_ADMIN). Repeat the option for more than one capability.
- -f, --force: Proceed even when the tool considers the request unsafe (for instance granting a capability that is effectively root-equivalent). Avoid in scripts; review why the safety check fired instead.
- -h, --help: Display help and usage information.
- -v, --verbose: Enable verbose output, including the capability sets actually applied to the launched process.
Operations
- grant: Grants the specified capability to the launched process.
- revoke: Removes the specified capability from the launched process.
Modes
- inherit: The launched process receives only the launcher's inheritable set. Under the normal execve rule a capability in that set becomes effective in the child only if the executable's file capabilities (set with setcap) also include it, so a plain binary with no file capabilities ends up with nothing.
- ambient: The chosen capabilities are placed in the ambient set (Linux 4.3 and later), so they survive execve of an ordinary, non-privileged binary without any file capabilities. The kernel only allows a capability into the ambient set if it is already in both the permitted and inheritable sets, so the ambient set is a subset of the launcher's permitted set, not of its effective set.
- drop: The process starts with no capabilities at all. Use this for programs that should never be able to escalate, and pair it with no_new_privs if the target might be set-UID or carry file capabilities.
Examples
Granting a process CAP_NET_ADMIN and nothing else, following the syntax above (operation, mode, executable, arguments). The launcher is run by a user who already holds CAP_NET_ADMIN; prefixing the target with sudo would defeat the purpose, since a sudo'd child is root with the full capability set:
cap_launcher_set_mode -c CAP_NET_ADMIN grant ambient /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
Revoking CAP_SETUID from a file-ownership change. chown needs CAP_CHOWN (and possibly CAP_FOWNER), never CAP_SETUID, so removing it costs nothing and limits what a compromised chown could do:
cap_launcher_set_mode -c CAP_SETUID revoke inherit chown -R user:users /data
Common Issues
- Permission denied: A launcher can only pass on capabilities it holds itself. A capability must be in the launcher's permitted set (and, for ambient mode, also in its inheritable set) or the kernel refuses the request with EPERM. Check what the launcher actually has with `grep Cap /proc/self/status` (decode the masks with `capsh --decode=<hex>`) or `capsh --print`.
- Invalid capability: Use the exact names from capabilities(7), e.g. CAP_NET_ADMIN rather than NET_ADMIN. Newer capabilities such as CAP_PERFMON and CAP_BPF (Linux 5.8) or CAP_CHECKPOINT_RESTORE (Linux 5.9) are rejected by older kernels even when the name is spelled correctly.
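The three modes and the two common failures above can be seen end to end with a small launcher of our own. The following is an added example, not code from cap_launcher_set_mode or its authors: it applies a mode to the current process with prctl(2) via ctypes and then execs the target, and it decodes the CapInh/CapPrm/CapEff/CapBnd/CapAmb masks in /proc/<pid>/status so you can check what a launched process really holds. The function names, the SAMPLE_STATUS text (constructed, not captured) and the exact handling of each mode are this example's assumptions, not the tool's documented behaviour.

```python
"""Added example, not the cap_launcher_set_mode tool: a minimal launcher that
applies ambient/inherit/drop with prctl(2), plus a /proc-based check of the
capability sets a process actually holds.  Names here are this example's own."""
import ctypes
import os
import sys

# Capability numbers from <linux/capability.h>; the list index is the number.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# prctl(2) option values from <linux/prctl.h>.
PR_CAPBSET_DROP, PR_SET_NO_NEW_PRIVS, PR_CAP_AMBIENT = 24, 38, 47
PR_CAP_AMBIENT_IS_SET, PR_CAP_AMBIENT_RAISE, PR_CAP_AMBIENT_CLEAR_ALL = 1, 2, 4

# Constructed /proc/<pid>/status excerpt (not a real capture) of a process
# launched with CAP_NET_ADMIN (bit 12 = 0x1000) made ambient.
SAMPLE_STATUS = """\
Name:\tiptables
CapInh:\t0000000000001000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000001000
"""

def cap_number(name):
    """'CAP_NET_ADMIN' -> 12.  An unknown name is the 'Invalid capability' case."""
    try:
        return CAP_NAMES.index(name.upper())
    except ValueError:
        raise ValueError(f"invalid capability: {name}") from None

def decode_mask(hex_mask):
    """Expand one CapXxx hex bitmask from /proc/<pid>/status into names."""
    mask = int(hex_mask, 16)
    return [n for i, n in enumerate(CAP_NAMES) if mask >> i & 1]

def read_cap_sets(status_text):
    """Return {'CapInh': [...], 'CapPrm': [...], 'CapEff': [...], 'CapBnd': [...], 'CapAmb': [...]}."""
    sets = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            sets[key] = decode_mask(value.strip())
    return sets

def process_caps(pid="self"):
    with open(f"/proc/{pid}/status") as f:   # live check of a running process
        return read_cap_sets(f.read())

def _prctl(option, *args):
    """prctl(2) via libc; returns (rc, errno)."""
    libc = ctypes.CDLL(None, use_errno=True)
    args = list(args) + [0] * (4 - len(args))
    rc = libc.prctl(ctypes.c_int(option), *(ctypes.c_ulong(a) for a in args))
    return rc, ctypes.get_errno()

def ambient_is_set(cap):
    rc, _ = _prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap)
    return rc == 1  # -1 (EINVAL) on kernels before 4.3, which have no ambient set

def apply_mode(mode, caps):
    """Apply a mode to the current process, just before it execs the target."""
    if mode == "ambient":
        # Kernel refuses (EPERM) unless cap is already in both the permitted and
        # inheritable sets: this is the 'Permission denied' failure.
        for cap in caps:
            rc, err = _prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap)
            if rc != 0:
                raise PermissionError(err, f"{CAP_NAMES[cap]}: {os.strerror(err)}")
    elif mode == "inherit":
        # No ambient caps: the child gets only what its inheritable set and the
        # target's file capabilities (setcap) together allow.
        _prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)
    elif mode == "drop":
        # Nothing now and nothing re-acquirable: clear ambient, shrink the bounding
        # set (needs CAP_SETPCAP; EPERM/EINVAL ignored), then no_new_privs so
        # set-UID or file caps cannot add anything back on exec.
        _prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)
        for cap in range(len(CAP_NAMES)):
            _prctl(PR_CAPBSET_DROP, cap)
        _prctl(PR_SET_NO_NEW_PRIVS, 1)
    else:
        raise ValueError(f"unknown mode: {mode}")

def launch(mode, cap_names, argv):
    apply_mode(mode, [cap_number(n) for n in cap_names])
    os.execvp(argv[0], argv)  # child keeps whatever apply_mode() left in place

if __name__ == "__main__":
    # usage: launcher.py <ambient|inherit|drop> <CAP_A,CAP_B or -> <exe> [args...]
    mode, caps, argv = sys.argv[1], sys.argv[2], sys.argv[3:]
    launch(mode, [] if caps == "-" else caps.split(","), argv)
```

Run it as, for example, `python3 launcher.py ambient CAP_NET_ADMIN /bin/sh -c 'grep Cap /proc/self/status'` from a shell that already holds CAP_NET_ADMIN in its permitted and inheritable sets, and compare the printed CapAmb/CapEff masks with what decode_mask reports; run it as an ordinary user and the ambient raise fails with EPERM, which is exactly the "Permission denied" entry above. The drop branch is deliberately belt-and-braces: an empty ambient set alone does not stop a set-UID target from regaining everything, which is why it also sets no_new_privs.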
Integration
Integration with sudo:
Running the launcher itself under sudo is the usual way to obtain a capability the invoking user does not have; the launcher then hands only that capability to the target instead of the full root set. Note that granting CAP_SYS_ADMIN, as below, gives the child a capability that is close to root-equivalent (it gates mount, many ioctls and more), so reach for a narrower one whenever the program allows it:
sudo cap_launcher_set_mode -c CAP_SYS_ADMIN grant ambient /bin/bash
Related Commands
- capabilities(7): Manual page describing the permitted, inheritable, effective, bounding and ambient sets and how execve transforms them.
- capsh, getpcaps: Display the capabilities of a running process (`capsh --print` for the current one, `getpcaps <pid>` for another).
- getcap: Display the file capabilities attached to an executable.
- setcap: Set the file capabilities of an executable (this is what the inherit mode relies on for a non-root child to gain anything).