cap_mode - Linux
Overview
cap_mode is a command-line utility for reading and changing the Linux capabilities of running processes. This page calls them "capability modes"; they are the per-thread capabilities described in capabilities(7), which split the traditional all-or-nothing root privilege into independently grantable units, so a process can be allowed one specific privileged operation (changing file ownership, for example) without being given everything root can do.
Caveat: since Linux 2.6.24 the kernel only lets a thread change its own capability sets (capset(2) refuses other PIDs), so no user-space tool can raise or drop the capabilities of an arbitrary running process from the outside. Changes have to be made by the process itself before it gives up privilege, or applied at exec time through file capabilities (see setcap) or ambient capabilities. Reading another process's capabilities needs no special privilege: the kernel exposes them in /proc/PID/status as the CapInh, CapPrm, CapEff, CapBnd and CapAmb fields, and that is the data the -g operation below reports.
Syntax
cap_mode [-g | -s] [-e | -d] CAP_MODE PID [PID ...]
Options/Flags
- -g: Print the current capability settings of the specified process(es).
- -s: Set the capability settings of the specified process(es).
- -e: Enable (raise) the specified capability for the specified process(es).
- -d: Disable (drop) the specified capability for the specified process(es).
- CAP_MODE: The capability to get, set, enable, or disable. The names are the kernel's capability names; capabilities(7) has the full list. A few that matter for file access:
  - CAP_CHOWN: Make arbitrary changes to file UIDs and GIDs, i.e. chown(2) files the process does not own.
  - CAP_DAC_OVERRIDE: Bypass the discretionary (owner/group/other mode bit) read, write, and execute permission checks on files and directories. It does not bypass mandatory access control such as SELinux or AppArmor, and it does not cover file ownership checks (that is CAP_FOWNER).
  - CAP_FSETID: Keep the set-user-ID and set-group-ID bits on a file when it is modified (they are normally cleared), and set the set-group-ID bit on a file whose group does not match the process's filesystem GID or supplementary groups. It does not by itself grant the right to set those bits on arbitrary files.
- PID: One or more process IDs for which to get, set, enable, or disable capabilities.
Examples
Check whether process 1234 currently has CAP_DAC_OVERRIDE:
$ cap_mode -g CAP_DAC_OVERRIDE 1234
Grant CAP_FSETID to process 1234:
$ cap_mode -s CAP_FSETID 1234
Drop CAP_CHOWN from processes 1234 and 1235:
$ cap_mode -d CAP_CHOWN 1234 1235
Enable CAP_DAC_OVERRIDE for all processes (-1 is the all-processes sentinel; it is not covered by the Syntax line above):
$ cap_mode -e CAP_DAC_OVERRIDE -1
This last form disables file permission checks system-wide: every process, including unprivileged login shells, could then read and write any file. It is a diagnostic step for a single troubleshooting session, never a configuration to leave in place.
Common Issues
- Operation not permitted: The caller is not allowed to read or change the capabilities of the target process. Raising a capability requires the caller to hold that capability itself (a process can never grant what it does not have) and, on kernels since 2.6.24, changing another process's capability sets is refused outright regardless of privilege. Reading them through /proc/PID/status works for any process the caller can see.
- Invalid capability: The name is misspelled or is not known to the running kernel. Newer capabilities need a matching kernel: CAP_PERFMON and CAP_BPF appeared in Linux 5.8 and CAP_CHECKPOINT_RESTORE in 5.9.
- Process not found: The specified process ID does not exist or has already exited.
Integration
cap_mode is one layer of a process sandbox and is normally combined with controls that restrict different things:
- seccomp: A seccomp filter limits which system calls a process may make; capabilities limit which privileged operations succeed inside the calls that are allowed. Neither replaces the other. A process holding CAP_SYS_ADMIN with no seccomp filter can use any syscall, and a tight seccomp filter does not remove a single capability. Apply both, and verify both from /proc/PID/status, where CapEff and Seccomp are reported side by side.
- chroot: Capabilities do not confine a process to a directory hierarchy; chroot(2) does, and calling it requires CAP_SYS_CHROOT. A process that keeps CAP_SYS_CHROOT after entering the jail can call chroot(2) again and walk out of it, so drop CAP_SYS_CHROOT (and every other capability the confined program does not need) after the chroot(2) call for the jail to hold.
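Both the -g check from the Examples section and the capability-versus-seccomp distinction above can be verified without cap_mode, straight from the fields the kernel publishes in /proc/PID/status (proc(5)). The bash script below is an added example written for this page; it is not part of cap_mode, libcap, or the kernel. It decodes the CapInh/CapPrm/CapEff/CapBnd/CapAmb hex masks into capability names using the kernel's capability numbering, reads the Seccomp and NoNewPrivs fields, and fails if CAP_DAC_OVERRIDE is effective. The status text it parses by default is a constructed sample, not a capture from a real system; pass a PID to inspect a live process. Function names (decode_caps, status_field, proc_has_cap, seccomp_mode, audit_status) are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of cap_mode: read a process's capability sets and
# seccomp state from /proc/PID/status and decode the hex masks with bash only.
set -euo pipefail

# Capability numbers as assigned in the kernel's include/uapi/linux/capability.h
# (array index == capability number; bit i of a mask == capability i).
CAP_NAMES=(
  CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
  CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
  CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW
  CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT
  CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE
  CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE
  CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN
  CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON
  CAP_BPF CAP_CHECKPOINT_RESTORE
)

# Constructed /proc/PID/status fragment (not captured from a real system):
# effective set 0x13 = CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_FSETID, full bounding
# set (bits 0..40), seccomp filter mode on, no_new_privs set.
SAMPLE_STATUS=$'Name:\tnginx\nPid:\t1234\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000013\nCapEff:\t0000000000000013\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\nNoNewPrivs:\t1\nSeccomp:\t2'

# decode_caps HEXMASK: print the names of the set bits, space separated.
decode_caps() {
  local hex=${1#0x} i out=""
  local mask=$((16#$hex))
  for (( i = 0; i < 64; i++ )); do
    (( (mask >> i) & 1 )) || continue
    if (( i < ${#CAP_NAMES[@]} )); then
      out+="${CAP_NAMES[i]} "
    else
      out+="CAP_$i "   # bit newer than this table: report it by number
    fi
  done
  printf '%s\n' "${out% }"
}

# status_field STATUS_TEXT NAME: print the value of the "NAME:" line, or fail.
status_field() {
  local text=$1 name=$2 line
  while IFS= read -r line; do
    case $line in
      "$name:"*) printf '%s\n' "${line#*:}" | tr -d '[:space:]'; return 0 ;;
    esac
  done <<< "$text"
  return 1
}

# proc_has_cap STATUS_TEXT SET CAPNAME: succeed if CAPNAME is in SET
# (SET is one of CapInh CapPrm CapEff CapBnd CapAmb).
proc_has_cap() {
  local mask names
  mask=$(status_field "$1" "$2") || return 2
  names=" $(decode_caps "$mask") "
  [[ $names == *" $3 "* ]]
}

# seccomp_mode STATUS_TEXT: 0 = off, 1 = strict, 2 = filter (proc(5)).
seccomp_mode() { status_field "$1" Seccomp; }

# audit_status STATUS_TEXT: print every set plus the seccomp state, and fail
# if the effective set carries CAP_DAC_OVERRIDE (file permission bypass).
audit_status() {
  local text=$1 set mask
  for set in CapInh CapPrm CapEff CapBnd CapAmb; do
    mask=$(status_field "$text" "$set") || continue
    printf '%-11s %s\n' "$set:" "$(decode_caps "$mask")"
  done
  printf 'Seccomp:    %s   NoNewPrivs: %s\n' \
    "$(seccomp_mode "$text")" "$(status_field "$text" NoNewPrivs)"
  ! proc_has_cap "$text" CapEff CAP_DAC_OVERRIDE
}

# With a PID argument, inspect a live process; otherwise use the sample.
if [[ ${1-} =~ ^[0-9]+$ && -r /proc/${1-}/status ]]; then
  STATUS_TEXT=$(</proc/"$1"/status)
else
  STATUS_TEXT=$SAMPLE_STATUS
fi
audit_status "$STATUS_TEXT" \
  || echo "warning: CAP_DAC_OVERRIDE is effective; DAC checks are bypassed"
```

Run it as `bash audit_caps.sh 1234` against a live PID; with no argument it evaluates the built-in sample and prints the warning, because the sample's effective set includes CAP_DAC_OVERRIDE even though seccomp filtering is on, which is exactly the combination the Integration notes warn about. Bits above the table (newer kernels) are printed as CAP_<number> rather than dropped, so an unexpected bit is visible instead of silently ignored.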
Related Commands
- setcap: set file capabilities on an executable (applied at exec time)
- getcap: read file capabilities from an executable
- getpcaps (libcap): print the capability sets of a running process
- capsh (libcap): run a command with a modified capability set, e.g. to drop capabilities before exec
- chattr: change file attributes; altering the immutable or append-only flags requires CAP_LINUX_IMMUTABLE