cap_launcher_setgroups - Linux


Overview

cap_launcher_setgroups modifies the group access list of a specified capability in a running target process. It provides a secure and straightforward method for adjusting the access rights of a process to specific capabilities. This command is particularly useful in enterprise environments where controlled delegation of capabilities is required.

Syntax

# cap_launcher_setgroups <capability> <pattern> [--] <group-list>

Options/Flags

  • <capability>: The name of the capability to be modified.
  • <pattern>: A comma-separated list of process IDs or executable paths.
  • <group-list>: A comma-separated list of group names or GIDs.

Examples

Example 1: Granting the CAP_SETUID capability to the root group for the "su" process

# cap_launcher_setgroups CAP_SETUID "su" root

Example 2: Revoking the CAP_DAC_OVERRIDE capability from all processes whose executable path is "/bin/sh"

# cap_launcher_setgroups CAP_DAC_OVERRIDE "/bin/sh" --

Common Issues

  • Permission Denied: Ensure that you have sufficient privileges to modify the capabilities of the target process.
  • Invalid Capability: Verify that the specified capability is a valid capability.
  • Invalid Group: Ensure that the provided group names or GIDs are valid.

Integration

cap_launcher_setgroups can be combined with other commands. For example:

  • Find Processes with Specific Capabilities: Use cap_launcher_show to identify processes with specific capabilities, then selectively adjust their access using cap_launcher_setgroups.
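An independent check, added here and not part of cap_launcher_setgroups or its documentation: it validates a capability name and reads the kernel's own record in /proc/<pid>/status to see whether a process holds that capability and which supplementary groups it has. The function names and the sample status text are constructed for illustration.

```shell
# Added example: reads the kernel's view from /proc; does not call cap_launcher_setgroups.

# Capability names in kernel bit order (bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE
CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE
CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT
CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE
CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG
CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE"

# cap_bit NAME: print the bit number of NAME; return 1 for an unknown capability name.
cap_bit() {
    i=0
    for name in $CAP_NAMES; do
        if [ "$name" = "$1" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# status_field FIELD FILE: print the value of "FIELD:" from a /proc/<pid>/status file.
status_field() {
    awk -v f="$1:" '$1 == f { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# has_cap NAME SET FILE: SET is CapInh, CapPrm, CapEff, CapBnd or CapAmb.
# Returns 0 if NAME is in SET, 1 if not, 2 for an invalid name, 3 if SET is missing.
has_cap() {
    bit=$(cap_bit "$1") || return 2
    mask=$(status_field "$2" "$3")
    [ -n "$mask" ] || return 3
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# write_sample_status FILE: constructed sample (not captured from a real host).
# 0xc0 sets bits 6 and 7, i.e. CAP_SETGID and CAP_SETUID.
write_sample_status() {
    printf 'Name:\tsu\nPid:\t4242\nGroups:\t0 27\nCapPrm:\t00000000000000c0\n' > "$1"
    printf 'CapEff:\t00000000000000c0\nCapBnd:\t000001ffffffffff\n' >> "$1"
}

# Demo: pass a real file such as /proc/1234/status, or omit it to use the sample.
status=${1:-}
if [ -z "$status" ]; then status=$(mktemp); write_sample_status "$status"; fi
for cap in CAP_SETUID CAP_DAC_OVERRIDE; do
    if has_cap "$cap" CapEff "$status"; then echo "$cap: effective"; else echo "$cap: not effective"; fi
done
echo "supplementary groups: $(status_field Groups "$status")"
```

Comparing the output before and after a change shows what actually took effect for the process, independent of what any tool reports.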

Related Commands

  • cap_launcher_show: Displays group access lists for specified capabilities.
  • getcap: Gets capabilities of a specified file or process.
  • setcap: Sets capabilities of a specified file or process.