capng_apply - Linux
Overview
capng_apply grants or revokes Linux capabilities on a running process or a set of processes. Because each capability unlocks only one class of privileged operation, granting a process exactly the capabilities it needs (and nothing more) keeps its attack surface small.
Syntax
capng_apply [-i] [-F] [-g N] [-a N] [-r N] -c P process
capng_apply [-i] [-F] [-g N] [-a N] [-r N] -c S socket
Options/Flags
-i
: Inherit capabilities from the parent process.
-F
: Follow the process tree and apply to child processes.
-g N
: Grant capability N.
-a N
: Add capability N to the existing set.
-r N
: Remove capability N from the existing set.
-c P process
: Target a process; the following argument is its PID.
-c S socket
: Target a socket; the following argument is its descriptor.
Examples
Grant CAP_SYS_ADMIN (capability number 21) to process 1000:
capng_apply -g 21 -c P 1000
Remove CAP_NET_ADMIN (capability number 12) from socket 5:
capng_apply -r 12 -c S 5
Add CAP_SETUID (capability number 7) to all processes in the process tree of PID 100:
capng_apply -F -a 7 -c P 100
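To confirm what a change like the ones above actually did, read the process's effective capability mask back from the kernel. The script below is an added example (not part of capng_apply or this page's tool); it decodes the CapEff field of /proc/<pid>/status, where bit N is capability number N, the same numbering -g, -a and -r take.

```shell
# Added example: verify which capabilities a process really holds by
# decoding the CapEff mask in /proc/<pid>/status. Bit N of the mask is
# capability number N (7 = CAP_SETUID, 12 = CAP_NET_ADMIN, 21 = CAP_SYS_ADMIN).

# cap_in_mask HEXMASK N : exit 0 when bit N is set in the 64-bit hex mask.
cap_in_mask() {
    hexmask=$1
    bit=$2
    [ $(( (0x$hexmask >> bit) & 1 )) -eq 1 ]
}

# caps_in_mask HEXMASK : print the numbers of all set bits, one per line.
caps_in_mask() {
    i=0
    while [ "$i" -lt 64 ]; do
        if cap_in_mask "$1" "$i"; then
            echo "$i"
        fi
        i=$((i + 1))
    done
}

# proc_capeff PID : print the effective capability mask of a running process.
proc_capeff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# has_cap PID N : exit 0 when process PID effectively holds capability N.
has_cap() {
    cap_in_mask "$(proc_capeff "$1")" "$2"
}

# Stand-alone use: list the capability numbers held by this shell.
# caps_in_mask "$(proc_capeff $$)"
```

Run `has_cap 1000 21` after the first example above to check that process 1000 now holds CAP_SYS_ADMIN, and `caps_in_mask "$(proc_capeff 1000)"` to list everything it holds.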
Common Issues
- Permission denied: Ensure the calling process has sufficient privileges to modify capabilities.
- Socket descriptor invalid: Verify the socket descriptor is valid and refers to an active socket.
Integration
capng_apply can be combined with utilities like find and xargs for batch operations. The pipeline below selects every process whose command line contains "python" and grants capability 37 to it and its children (one capng_apply invocation per PID):
find /proc -maxdepth 2 -name cmdline -exec grep -ls '[p]ython' {} + | cut -d/ -f3 | xargs -n 1 -P 0 -I{} capng_apply -F -g 37 -c P {}
The pattern is written as [p]ython so that the find and grep processes, whose own command lines contain the literal text of the pattern, do not match themselves; grep -l prints only the matching file names, -s silences errors for processes that exit mid-scan, and cut extracts the PID from /proc/<pid>/cmdline. Note that grep -q would be wrong here: it prints nothing, so xargs would receive no PIDs.
Related Commands
- getcap
- setcap
- capabilities(7)