capng_apply - Linux


capng_apply grants or revokes Linux capabilities on a running process or a set of processes. It allows fine-grained control over system privileges, enhancing security by minimizing the attack surface.


capng_apply [-i] [-F] [-g N] [-a N] [-r N] -c P process
capng_apply [-i] [-F] [-g N] [-a N] [-r N] -c S socket


  • -i: Inherit capabilities from the parent process.
  • -F: Follow the process tree and apply to child processes.
  • -g N: Grant capability N.
  • -a N: Add capability N to the existing set.
  • -r N: Remove capability N from the existing set.
  • -c P: Specify process ID.
  • -c S: Specify socket descriptor.


Grant CAP_SYS_ADMIN to process 1000:

capng_apply -g 1000 -c S 1000

Remove CAP_NET_ADMIN from socket 5:

capng_apply -r 12 -c P 5

Add CAP_SETUID to all processes in the process tree of PID 100:

capng_apply -F -a 2000 -c P 100

Common Issues

  • Permission denied: Ensure the calling process has sufficient privileges to modify capabilities.
  • Socket descriptor invalid: Verify the socket descriptor is valid and refers to an active socket.


capng_apply can be combined with utilities like find and xargs for batch operations:

find /proc -type f -name cmdline | grep -q python | xargs -n 1 -P 0 capng_apply -F -g 37

Related Commands