capsh
Execute programs with specific Linux capabilities
SYNOPSIS
capsh [--print] [--caps=<cap-set>] [--drop=<cap-set>] [--add=<cap-set>] [--bounding=<cap-set>] [--inh=<cap-set>] [--ambient[=<cap-set>]] [--user=<uid>] [--group=<gid>] [--uid=<uid>] [--gid=<gid>] [--securebits=<num>] [--insecure] [--no-ambient] [--forkexec=<cmd>] [--exec=<cmd> [<arg>...]] [-c <cmd> [<arg>...]] [--help] [--version]
PARAMETERS
--print
Print current process capabilities
--caps=<cap-set>
Set permitted and effective capabilities
--drop=<cap-set>
Drop specified capabilities from bounding/permitted sets
--add=<cap-set>
Add capabilities to permitted set
--bounding=<cap-set>
Set bounding capability set
--inh=<cap-set>
Set inheritable capabilities
--ambient[=<cap-set>]
Raise/lower ambient capabilities
--user=<uid>
Set UID before capability drops
--group=<gid>
Set GID before drops
--uid=<uid>
Change UID after drops
--gid=<gid>
Change GID after drops
--securebits=<num>
Set securebits value
--insecure
Unset all securebits
--no-ambient
Clear ambient capabilities
--forkexec=<cmd>
Fork and exec command preserving capabilities
--exec=<cmd> [<arg>...]
Exec command with args
-c <cmd> [<arg>...]
Exec command via shell
--help
Display help
--version
Show version info
DESCRIPTION
Capsh is a versatile command-line utility from the libcap package for testing and manipulating Linux capabilities. Capabilities offer fine-grained privilege control, allowing processes specific superuser-like powers without full root access.
It enables inspection of current process capability sets (permitted, inheritable, effective, bounding, and ambient), modification by dropping or adding capabilities, user/group ID changes, securebits adjustments, and execution of commands under altered privilege contexts. This is invaluable for developers verifying capability-aware binaries, security audits, and running services with least privilege.
Common workflows include printing capabilities with --print, dropping unneeded ones with e.g. --drop=CAP_SYS_ADMIN, and spawning shells or applications via -c or --exec. Ambient capabilities (Linux 4.3+) are preserved across execve, so a child process inherits them. Capsh lets you exercise these scenarios in a single process without risking system stability, which helps when debugging setuid/setgid behaviour and bounding set inheritance.
CAVEATS
Requires kernel capabilities support (CONFIG_SECURITY_FILE_CAPABILITIES); ambient sets need Linux 4.3+. Dropping capabilities is irreversible for the process. Test in non-production environments. Capsh is not meant as a production privilege-reduction mechanism; use setcap(8) to set file capabilities instead.
CAPABILITY SYNTAX
Capabilities are given by name (cap_name) or as a name followed by an operator and set flags (cap_name[+|-|=]value), e.g. cap_sys_admin=pe puts CAP_SYS_ADMIN in the permitted and effective sets. Use capsh --print to show the current sets.
See capabilities(7).
EXAMPLE USAGE
capsh --print (view caps)
capsh --drop=CAP_SYS_ADMIN --user=1000 -c '/bin/bash' (drop admin cap, drop to user 1000, spawn shell)
capsh --ambient=cap_net_bind_service --exec=nginx (inherit bind port cap).
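The sets that capsh --print reports and the cap_sys_admin=pe syntax above, as an added example that is not part of capsh or libcap: a Python script that decodes the Cap* masks in /proc/<pid>/status, applies capability-text clauses, and flags effective capabilities a service holds beyond an allow-list. The status excerpt is constructed; capability bit numbers follow <linux/capability.h>.

```python
"""Decode the capability sets capsh --print shows and audit them against an allow-list.
Added example, not capsh/libcap code; bit numbers follow <linux/capability.h>."""
import re

CAP_NAMES = (  # index == capability number, 0 .. 40
    "cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid "
    "cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast "
    "cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio "
    "cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice "
    "cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write "
    "cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm "
    "cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"
).split()

def decode_mask(hex_mask):
    """Hex bitmask from a Cap* line of /proc/<pid>/status -> set of capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def parse_status(text):
    """Return the CapInh/CapPrm/CapEff/CapBnd/CapAmb sets from /proc/<pid>/status text."""
    pat = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)"
    return {m.group(1): decode_mask(m.group(2)) for m in re.finditer(pat, text, re.M)}

def parse_cap_text(spec):
    """Apply cap_from_text(3)-style clauses ('cap_sys_admin=pe', '=ep cap_sys_admin-e') to empty
    e/p/i sets. '=' lowers all flags on the listed caps (all caps if none named), then raises the
    given flags; '+' and '-' raise or lower only the given flags. Returns {'e':..,'p':..,'i':..}."""
    result = {"e": set(), "p": set(), "i": set()}
    for clause in spec.split():
        m = re.fullmatch(r"([a-z_,]*)([=+-])([eip]*)", clause)
        if not m:
            raise ValueError("bad clause: " + clause)
        names, op, flags = m.groups()
        caps = set(CAP_NAMES) if names in ("", "all") else set(names.split(","))
        if caps - set(CAP_NAMES):
            raise ValueError("unknown capability in: " + clause)
        if op == "=":  # lower everything on these caps first, then treat as '+'
            for f in "eip":
                result[f] -= caps
        for f in flags:
            result[f] = result[f] - caps if op == "-" else result[f] | caps
    return result

def excess_effective(status_text, allowed):
    """Effective capabilities held beyond the allow-list: the least-privilege check on capsh --print."""
    return parse_status(status_text)["CapEff"] - set(allowed)

# Constructed status excerpt: CapEff = cap_chown | cap_net_bind_service | cap_sys_admin
SAMPLE_STATUS = ("Name:\tnginx\nCapInh:\t0000000000000000\nCapPrm:\t0000000000200401\n"
                 "CapEff:\t0000000000200401\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000400\n")
```

On a live Linux host, feeding the contents of /proc/self/status to parse_status gives the same sets that capsh --print would list for the current process.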
HISTORY
Introduced in libcap2 (circa 2006-2008) by Andrew G. Morgan as a test harness for POSIX.1e/Linux capabilities, evolving with kernel features like ambient sets (2015). Maintained in libcap-ng/libcap2 distributions.