capsh command
capsh provides a capability shell wrapper to test Linux capabilities
Typical usage: diagnosing permission issues, hardening of system services, binary and process analysis
Introduction to capsh
The capsh command is a very helpful Linux utility for learning more about Linux capabilities. It can display active capabilities and show information about them. The tool can also run other commands and show or define which Linux capabilities apply to them. This makes it useful for a wide range of tasks, such as troubleshooting, and for learning more about how processes run. This information helps when using containers or when securing Linux services with systemd unit settings such as CapabilityBoundingSet.
Installation
When capsh is not installed by default, it can be added to the system using the relevant software package.
Package information for capsh
Operating system | Package name | Installation |
---|---|---|
AlmaLinux | libcap | |
Arch Linux | libcap | |
Debian | libcap2-bin | |
Fedora | libcap | |
Red Hat Enterprise Linux | libcap | |
Rocky Linux | libcap | |
openSUSE | libcap-progs | |
Ubuntu | libcap2-bin | |
Usage
Available options
Option | Description |
---|---|
--addamb=CAPABILITY | Add a capability to the set of ambient capabilities |
--decode=VALUE | Decode the value of a capability-related field in /proc/PID/status such as CapInh, CapPrm, CapEff, CapBnd, CapAmb |
--delamb=CAPABILITY | Drop a capability from the set of ambient capabilities |
--explain=CAPABILITY | Show a description of the selected capability |
--noamb | Drop ambient capabilities |
--print | Show current capabilities, securebits, user and group information |
Examples using capsh
Basics
Show capability bounding set, ambient capabilities set, securebits, user ID and group ID.
capsh --print
Run a command and show the related capability details, securebits, and user and group information.
capsh --print -- -c "sudo ps"
Supportive and informational commands
Provide a description of the selected capability
capsh --explain=cap_net_bind_service
Search for a capability that contains a particular word in its name or description.
capsh --suggest=port
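What --decode does with a CapEff-style value from /proc/PID/status, shown as an added example in plain shell (not part of capsh or of the original page). The function names and the sample status lines are constructed for illustration; the capability names follow the bit order in linux/capability.h.

```shell
#!/bin/sh
# Capability names in bit order 0..40 (linux/capability.h).
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf
cap_checkpoint_restore"

# decode_caps HEX -> comma-separated names of the bits set in the mask
# (hypothetical helper; prints an empty line for a zero mask).
decode_caps() {
    case $1 in
        ''|*[!0-9a-fA-F]*) echo "not a hex mask: $1" >&2; return 1 ;;
    esac
    mask=$((0x$1)); bit=0; out=
    for name in $CAP_NAMES; do
        if [ $(( ($mask >> $bit) & 1 )) -eq 1 ]; then
            out="${out:+$out,}$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# status_mask FIELD < status-text -> hex value of CapInh/CapPrm/CapEff/CapBnd/CapAmb
status_mask() {
    awk -v f="$1:" '$1 == f { print $2 }'
}

# holds_cap HEX NAME -> exit status 0 when NAME is set in the mask
holds_cap() {
    case ",$(decode_caps "$1")," in *",$2,"*) return 0 ;; esac
    return 1
}

# Constructed sample: the capability lines of a /proc/PID/status file.
SAMPLE_STATUS=$(printf 'CapInh:\t%s\nCapPrm:\t%s\nCapEff:\t%s\nCapBnd:\t%s\nCapAmb:\t%s\n' \
    0000000000000000 00000000a80425fb 00000000a80425fb 00000000a80425fb 0000000000000000)

eff=$(printf '%s\n' "$SAMPLE_STATUS" | status_mask CapEff)
echo "CapEff=$eff -> $(decode_caps "$eff")"
holds_cap "$eff" cap_sys_admin && echo "review: process holds cap_sys_admin"
holds_cap "$eff" cap_net_raw && echo "review: process holds cap_net_raw"
```

On a system with capsh installed, the same mask can be passed to capsh --decode to cross-check the result.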
Frequently Asked Questions
What is the capsh command and its purpose?
The capsh command is a command-line tool that provides a capability shell wrapper. It helps with testing Linux capabilities and provides several options to show information, analyze binaries and processes, and diagnose permission issues.
Which package provides the capsh command?
The command capsh is provided by the libcap, libcap-progs, or libcap2-bin package.
Related and similar commands
Linux has a lot of tools and commands available, and sometimes a slightly different tool is the better fit. Here is a list of commands that are similar or related to capsh:
Command | Category | Summary |
---|---|---|
captest | capabilities | Capabilities and privilege escalation testing tool |
filecap | capabilities | Display of Linux capabilities set on binaries in paths |
firejail | sandboxing | Sandboxing tool for Linux |
getcap | capabilities | Show file capabilities |
getpcaps | capabilities | Show process capabilities |
netcap | capabilities | Display available capabilities for running processes using network sockets |
pscap | capabilities | Display available capabilities for running processes |
setcap | capabilities | Add or remove Linux capabilities to a file |