capng_change_id - Linux


The capng_change_id command sets the user’s capabilities and GID/SID. This is typically used to gain elevated privileges or switch users.


capng_change_id [options] CAP_SET... [CAP_SET...]


  • -e: Execute the specified capabilities as soon as possible.
  • -E: Execute the specified capabilities, overwriting existing capabilities.
  • -f: Flush capabilities after execution.
  • -g GID: Set the GID to the specified value.
  • -p: Preserve the current capabilities.
  • -r: Remove the specified capabilities.
  • -s SID: Set the SID to the specified value.
  • -u UID: Set the UID to the specified value.
  • -h: Display help and exit.


Create a new user with specific capabilities:

capng_change_id -u 1000 -g 1000 CAP_SET=cap_sys_admin

Execute a command with elevated privileges:

capng_change_id -e CAP_SET=cap_sys_admin my_command

Drop all capabilities and run a command:

capng_change_id -r CAP_SET=ALL -E CAP_SET=NONE my_command

Common Issues

  • Incorrect permissions: Ensure that the user has the necessary permissions to set capabilities.
  • Invalid capability: Verify that the specified capabilities are valid.
  • User not found: Make sure that the specified user exists.


capng_change_id can be combined with other commands to achieve more complex tasks. For example, the following command creates a new user with elevated privileges:

useradd -m user && capng_change_id -u user -g user CAP_SET=cap_sys_admin

Related Commands

  • setcap – set capabilities on files
  • getcap – get capabilities from files
  • cap_get_proc – get capabilities of a process