capsh
Explore and constrain Linux capabilities
TLDR
Display current capability state
$ capsh --print
Show what a capability does$ capsh --explain=[cap_net_admin]
Decode capability hex value$ capsh --decode=[0x20]
Drop all capabilities and run shell$ capsh --drop=all -- -c "[command]"
Run command with specific capabilities$ capsh --caps="[cap_net_raw+ep]" -- -c "[command]"
Check if capability is supported$ capsh --supports=[cap_sys_admin]
Chroot and run command$ capsh --chroot=[/path] -- -c "[command]"
SYNOPSIS
capsh [options]
DESCRIPTION
capsh is a capability shell wrapper for exploring and constraining Linux capability support. It provides testing, debugging, and environment creation for Linux process capabilities. Part of the libcap package.
PARAMETERS
--print
Display prevailing capability and related state--current
Display capability state with 1e capabilities and IAB vector--explain=capxxx_
Describe what privileges a capability provides--decode=N
Decode hex capability vector (as in /proc/1/status)--supports=capxxx_
Verify capability exists on system--drop=capxxx_
Remove capability from bounding set--caps=cap-set
Set capabilities to specified text value--inh=cap-set
Set inheritable capabilities--chroot=path
Change root directory (requires CAPSYSCHROOT)--uid=id
Set real and effective user ID--gid=id
Set real and effective group ID--
Execute /bin/bash with trailing arguments
EXIT STATUS
Returns 0 on success, 1 on error.
CAVEATS
Many operations require specific capabilities to perform. Understanding Linux capabilities is essential for effective use.