capng_change_id - Linux

Overview

The capng_change_id command sets the user’s capabilities and GID/SID. This is typically used to gain elevated privileges or switch users.

Syntax

capng_change_id [options] CAP_SET... [CAP_SET...]

Options/Flags

• -e: Execute the specified capabilities as soon as possible.
• -E: Execute the specified capabilities, overwriting existing capabilities.
• -f: Flush capabilities after execution.
• -g GID: Set the GID to the specified value.
• -p: Preserve the current capabilities.
• -r: Remove the specified capabilities.
• -s SID: Set the SID to the specified value.
• -u UID: Set the UID to the specified value.
• -h: Display help and exit.

Examples

Create a new user with specific capabilities:

capng_change_id -u 1000 -g 1000 CAP_SET=cap_sys_admin

Execute a command with elevated privileges:

capng_change_id -e CAP_SET=cap_sys_admin my_command

Drop all capabilities and run a command:

capng_change_id -r CAP_SET=ALL -E CAP_SET=NONE my_command

Common Issues

• Incorrect permissions: Ensure that the user has the necessary permissions to set capabilities.
• Invalid capability: Verify that the specified capabilities are valid.
• User not found: Make sure that the specified user exists.

Integration

capng_change_id can be combined with other commands to achieve more complex tasks. For example, the following command creates a new user with elevated privileges:

useradd -m user && capng_change_id -u user -g user CAP_SET=cap_sys_admin

Related Commands

• setcap – set capabilities on files
• getcap – get capabilities from files
• cap_get_proc – get capabilities of a process