capng_have_capability - Linux
Overview
The capng_have_capability command examines a capability set and reports whether a specified capability is present. It’s primarily used for checking if a process has specific capabilities, typically in security-sensitive contexts or privilege escalation scenarios.
Syntax
capng_have_capability CAPABILITY_SET CAPABILITY
Parameters
- CAPABILITY_SET: The capability set to be examined, typically represented as a comma-separated list of capability names or as a hexadecimal mask.
- CAPABILITY: The specific capability to check for, using a capability name or a decimal value.
Options/Flags
This command has no specific options or flags.
Examples
Check if the current process has the CAP_SYS_ADMIN capability:
capng_have_capability "`cap_get_proc()" CAP_SYS_ADMIN
Examine if a capability set contains the CAP_NET_BIND_SERVICE capability:
capng_have_capability "11e0000,cap_net_bind_service+ep" CAP_NET_BIND_SERVICE
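The membership test this page describes, worked through in C as an added example (not from the original page and not libcap-ng's code): it decodes a hexadecimal capability mask in the format of the CapEff line in /proc/<pid>/status and tests one capability's bit. The function names, the three-entry name table and the sample masks are constructed for illustration; the capability numbers are those in the kernel's linux/capability.h.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Subset of the capability numbers defined in linux/capability.h. */
static const struct { const char *name; int num; } CAP_NAMES[] = {
    {"CAP_NET_BIND_SERVICE", 10}, {"CAP_NET_ADMIN", 12}, {"CAP_SYS_ADMIN", 21},
};

/* Resolve a capability given by name (case-insensitive) or decimal value; -1 if unknown. */
int cap_lookup(const char *s)
{
    char *end;
    for (size_t i = 0; i < sizeof CAP_NAMES / sizeof CAP_NAMES[0]; i++)
        if (strcasecmp(s, CAP_NAMES[i].name) == 0)
            return CAP_NAMES[i].num;
    long n = strtol(s, &end, 10);
    if (end == s || *end != '\0' || n < 0 || n > 63)
        return -1;
    return (int)n;
}

/* Return 1 if `cap` is set in the hex mask, 0 if it is not,
 * and -1 if the mask is malformed or the capability is unknown. */
int mask_has_capability(const char *hexmask, const char *cap)
{
    static const char HEX[] = "0123456789abcdefABCDEF";
    size_t len = strlen(hexmask);
    int bit = cap_lookup(cap);
    if (bit < 0 || len == 0 || len > 16 || strspn(hexmask, HEX) != len)
        return -1;
    return (int)((strtoull(hexmask, NULL, 16) >> bit) & 1ULL);
}

int main(void)
{
    /* Constructed sample masks in the CapEff format (16 hex digits). */
    const char *full = "000001ffffffffff";      /* bits 0..40 set */
    const char *bind_only = "0000000000000400"; /* only bit 10 set */
    printf("full has CAP_SYS_ADMIN: %d\n", mask_has_capability(full, "CAP_SYS_ADMIN"));
    printf("bind_only has CAP_NET_BIND_SERVICE: %d\n", mask_has_capability(bind_only, "10"));
    printf("bind_only has CAP_SYS_ADMIN: %d\n", mask_has_capability(bind_only, "CAP_SYS_ADMIN"));
    printf("malformed mask: %d\n", mask_has_capability("zz", "CAP_SYS_ADMIN"));
    return 0;
}
```

Compare the result with `== 1` rather than testing it for truth, since the error value -1 is also non-zero and would otherwise read as "capability present".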
Common Issues
- Ensure that the specified capability set is valid and adheres to the standard format.
- Verify that the specified capability is recognized by the system and supported for examination.
- Be aware that the presence or absence of a capability may vary depending on the process’s privileges and the security policy in place.
Integration
This command can be integrated into scripts or automation processes that require capability checking. It can be combined with other commands, such as capng_get_proc() to retrieve a process’s capability set or capng_print() to display a capability set in a human-readable format.
Related Commands
capng_get_proc()
capng_print()
getcap()