capng_change_id - Linux
Overview
The capng_change_id command sets the user’s capabilities and GID/SID. This is typically used to gain elevated privileges or switch users.
Syntax
capng_change_id [options] CAP_SET... [CAP_SET...]
Options/Flags
- -e: Execute the specified capabilities as soon as possible.
- -E: Execute the specified capabilities, overwriting existing capabilities.
- -f: Flush capabilities after execution.
- -g GID: Set the GID to the specified value.
- -p: Preserve the current capabilities.
- -r: Remove the specified capabilities.
- -s SID: Set the SID to the specified value.
- -u UID: Set the UID to the specified value.
- -h: Display help and exit.
Examples
Create a new user with specific capabilities:
capng_change_id -u 1000 -g 1000 CAP_SET=cap_sys_admin
Execute a command with elevated privileges:
capng_change_id -e CAP_SET=cap_sys_admin my_command
Drop all capabilities and run a command:
capng_change_id -r CAP_SET=ALL -E CAP_SET=NONE my_command
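To confirm the outcome of a capability change such as the drop shown above, the effective capability mask that the kernel reports in /proc/<pid>/status can be decoded. This is an added example, not part of the original page; the function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from /proc/<pid>/status whether a process still holds
# CAP_SYS_ADMIN in its effective set after a capability or ID change.

CAP_SYS_ADMIN_BIT=21   # bit number of CAP_SYS_ADMIN in <linux/capability.h>

# Print one capability mask (CapInh, CapPrm, CapEff, CapBnd) from a status
# file, or nothing if the field is missing. "-" reads standard input.
cap_field() {          # usage: cap_field FIELD STATUS_FILE
    awk -v f="$1:" '$1 == f { print $2 }' "$2"
}

# Return 0 if bit BIT is set in hex mask MASK, 1 if clear, 2 if MASK is not hex.
cap_bit_set() {        # usage: cap_bit_set MASK BIT
    case $1 in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Print present, absent or unknown for CAP_SYS_ADMIN in the effective set.
check_sys_admin() {    # usage: check_sys_admin STATUS_FILE
    mask=$(cap_field CapEff "$1" 2>/dev/null) || mask=
    rc=0
    cap_bit_set "$mask" "$CAP_SYS_ADMIN_BIT" || rc=$?
    case $rc in
        0) echo present ;;
        1) echo absent ;;
        *) echo unknown ;;
    esac
}

# Constructed status text (not captured from a real system) for a process
# whose permitted and effective sets both equal the given mask.
sample_status() {      # usage: sample_status MASK
    printf 'Name:\tmy_command\nUid:\t1000\t1000\t1000\t1000\n'
    printf 'CapPrm:\t%s\nCapEff:\t%s\nCapBnd:\t000001ffffffffff\n' "$1" "$1"
}

# Full set, CAP_SYS_ADMIN only, and empty set.
for m in 000001ffffffffff 0000000000200000 0000000000000000; do
    printf '%s CAP_SYS_ADMIN %s\n' "$m" "$(sample_status "$m" | check_sys_admin -)"
done
```

On a live system, pass a real path such as /proc/<pid>/status instead of "-".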
Common Issues
- Incorrect permissions: Ensure that the user has the necessary permissions to set capabilities.
- Invalid capability: Verify that the specified capabilities are valid.
- User not found: Make sure that the specified user exists.
Integration
capng_change_id can be combined with other commands to achieve more complex tasks. For example, the following command creates a new user with elevated privileges:
useradd -m user && capng_change_id -u user -g user CAP_SET=cap_sys_admin
Related Commands
- setcap – set capabilities on files
- getcap – get capabilities from files
- cap_get_proc – get capabilities of a process