cap_launcher_set_mode - Linux


Overview

cap_launcher_set_mode launches a program with a chosen capability set: it grants or removes individual capabilities for the launched process only, without changing the file capabilities of the executable on disk or running the program as root. Use it to give a process exactly the privileges it needs (for example CAP_NET_BIND_SERVICE for a daemon that listens on port 80) instead of the full root privilege set.

Syntax

cap_launcher_set_mode [options] <operation> <mode> <exe> [arguments]

Options/Flags

  • -c, --capability: Specify the capability to grant or remove.
  • -f, --force: Force the operation even if it may be unsafe.
  • -h, --help: Display help and usage information.
  • -v, --verbose: Enable verbose output.

Operations

  • grant: Grants the specified capability to the launched process.
  • revoke: Removes the specified capability from the launched process.

Modes

  • inherit: The capability is placed in the launched process's inheritable set. Under the Linux execve() rules (capabilities(7)) an inheritable capability becomes effective only if the executed file's own inheritable file capabilities also contain it, so a binary without file capabilities gains nothing from this mode.
  • ambient: The capability is placed in the ambient set, which the kernel only allows for capabilities that are in both the permitted and the inheritable set. Ambient capabilities survive execve() of an unprivileged binary (no file capabilities, not set-UID/set-GID), which is what makes this mode useful for ordinary tools; they are cleared when a set-UID/set-GID or file-capability binary is executed.
  • drop: The inheritable and ambient sets are cleared, so the launched process starts with no capabilities.

Examples

Granting a process the CAP_NET_ADMIN capability. iptables is run directly rather than through sudo: executing a set-UID-root program clears the ambient set and gives the program the full root capability set anyway, so wrapping sudo in the launcher defeats its purpose:

cap_launcher_set_mode grant CAP_NET_ADMIN iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

Revoking CAP_SETUID from a process that has no legitimate need to change its UID (chown needs CAP_CHOWN, not CAP_SETUID, so nothing it does is affected):

cap_launcher_set_mode revoke CAP_SETUID chown -R user:users /data
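The Modes and Examples sections above depend on how the kernel transforms capability sets at execve(). The following Python is an added example, not part of cap_launcher_set_mode and not code from this page: it models the three launch modes as operations on a child's inheritable and ambient sets (this model of what the launcher does is an assumption), applies the execve() rules exactly as documented in capabilities(7), and decodes the Cap* lines of /proc/<pid>/status so you can verify what a launched process actually received. The /proc sample in the test is constructed. Everything is pure set arithmetic, so it runs unprivileged on any OS.

```python
"""Model of Linux capability handling around a capability-restricted launch.

Added example for this page (not part of cap_launcher_set_mode). The mode
names follow the page's Modes section; what the launcher does to the child's
sets is an assumption made for illustration. The execve() rules are the ones
in capabilities(7), "Transformation of capabilities during execve()".
"""
import re

# Capability bit numbers as defined by the kernel (linux/capability.h).
CAP_NAMES = (
    "CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID "
    "CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE "
    "CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW "
    "CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT "
    "CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE "
    "CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE "
    "CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE "
    "CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ "
    "CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE"
).split()
ALL_CAPS = frozenset(CAP_NAMES)

# A launcher running as root with default securebits (all sets full except
# inheritable and ambient, which root normally has empty).
ROOT_PARENT = {"inheritable": frozenset(), "permitted": ALL_CAPS,
               "effective": ALL_CAPS, "bounding": ALL_CAPS, "ambient": frozenset()}


def decode_mask(hexmask):
    """Turn a CapXxx hex mask from /proc/<pid>/status into capability names."""
    bits = int(hexmask, 16)
    return frozenset(n for i, n in enumerate(CAP_NAMES) if bits >> i & 1)


def parse_proc_status(text):
    """Extract the five capability sets from the text of /proc/<pid>/status."""
    sets = {}
    for key, field in (("inheritable", "CapInh"), ("permitted", "CapPrm"),
                       ("effective", "CapEff"), ("bounding", "CapBnd"),
                       ("ambient", "CapAmb")):
        m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)", text, re.M)
        sets[key] = decode_mask(m.group(1)) if m else frozenset()
    return sets


def launcher_sets(parent, mode, caps):
    """Child's sets just before execve() for one launch mode (assumed model).

    `parent` is a dict as returned by parse_proc_status(); `caps` is the set
    named on the command line. Permitted and bounding are passed through.
    """
    caps = frozenset(caps)
    unknown = caps - ALL_CAPS
    if unknown:
        raise ValueError("invalid capability: " + ", ".join(sorted(unknown)))
    # A capability the launcher does not hold in its permitted set cannot be
    # handed on at all: this is the "Permission denied" case.
    missing = caps - parent["permitted"]
    if missing:
        raise PermissionError("not permitted: " + ", ".join(sorted(missing)))
    child = dict(parent)
    if mode == "drop":
        child["inheritable"], child["ambient"] = frozenset(), frozenset()
    elif mode == "inherit":
        child["inheritable"], child["ambient"] = caps, frozenset()
    elif mode == "ambient":
        # Ambient requires the capability in permitted AND inheritable
        # (PR_CAP_AMBIENT_RAISE), so inheritable is raised too.
        child["inheritable"], child["ambient"] = caps, caps
    else:
        raise ValueError("unknown mode " + mode)
    return child


def execve_transform(p, f_permitted=frozenset(), f_inheritable=frozenset(),
                     f_effective=False, setuid_root=False):
    """Apply the execve() rules from capabilities(7) to process sets `p`.

    f_* describe the executable's file capabilities. setuid_root models a
    set-UID-root binary such as sudo under default securebits, which the
    kernel treats as carrying every capability with the effective bit set.
    """
    if setuid_root:
        f_permitted, f_inheritable, f_effective = ALL_CAPS, ALL_CAPS, True
    privileged = bool(setuid_root or f_permitted or f_inheritable)
    amb = frozenset() if privileged else p["ambient"]        # P'(ambient)
    prm = ((p["inheritable"] & f_inheritable)                  # P'(permitted)
           | (f_permitted & p["bounding"]) | amb)
    eff = prm if f_effective else amb                          # P'(effective)
    return {"inheritable": p["inheritable"], "permitted": prm,
            "effective": eff, "bounding": p["bounding"], "ambient": amb}


def effective_after_launch(mode, cap="CAP_NET_ADMIN", setuid_root=False):
    """Effective set a target ends up with after a root launcher uses `mode`."""
    child = launcher_sets(ROOT_PARENT, mode, {cap})
    return execve_transform(child, setuid_root=setuid_root)["effective"]


if __name__ == "__main__":
    for mode in ("inherit", "ambient", "drop"):
        print(f"{mode:8} plain binary ->", sorted(effective_after_launch(mode)))
    print("ambient  via sudo    ->", len(effective_after_launch("ambient", setuid_root=True)), "caps")
```

The run shows the point the Modes section makes: only the ambient mode gives a plain binary an effective capability; inherit-only yields nothing for a binary without file capabilities, and routing the launch through a set-UID-root program such as sudo discards the ambient set and hands the target every capability. To check a real process, read /proc/<pid>/status and pass its contents to parse_proc_status().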

Common Issues

  • Permission denied: A capability can only be granted if the process running cap_launcher_set_mode holds it in its own permitted set, and nothing outside the bounding set can be granted at all. Check the launcher's own sets with `grep Cap /proc/self/status` or `getpcaps $$` before retrying, typically by running the launcher as root or with the needed capability.
  • Invalid capability: Verify the spelling against the names listed in capabilities(7) (for example CAP_NET_ADMIN, not NET_ADMIN); a capability unknown to the running kernel cannot be granted or revoked.

Integration

Integration with sudo:

Run the launcher itself under sudo so that it holds every capability in the bounding set and can therefore grant any of them:

sudo cap_launcher_set_mode grant CAP_SYS_ADMIN /bin/bash

Two caveats: CAP_SYS_ADMIN is broad enough to be roughly equivalent to root, so grant the narrowest capability the program actually needs; and unless the tool also changes user, the launched process still runs with root's UID, which on its own lets it bypass most file permission checks.

Related Commands

  • getpcaps: Display the capabilities of a running process (libcap); `grep Cap /proc/<pid>/status` shows the same sets as hex masks.
  • capsh: Inspect and manipulate capability sets in a shell, e.g. `capsh --print`.
  • getcap: Get the file capabilities attached to an executable.
  • setcap: Set the file capabilities attached to an executable.