setcap(8) - man - phpman

TLDR: setcap (tldr-pages)

Set capabilities of specified file.

  • Set capability `cap_net_raw` (to use RAW and PACKET sockets) for a given file
    setcap '{{cap_net_raw}}' {{path/to/file}}
  • Set multiple capabilities on a file (`ep` after the capability list means "effective" and "permitted")
    setcap '{{cap_dac_read_search,cap_sys_tty_config+ep}}' {{path/to/file}}
  • Remove all capabilities from a file
    setcap -r {{path/to/file}}
  • Verify that the specified capabilities are currently associated with the specified file
    setcap -v '{{cap_net_raw}}' {{path/to/file}}
  • The optional `-n root_uid` argument can be used to set the file capability for use only in a user namespace with this root user ID owner
    setcap -n {{root_uid}} '{{cap_net_admin}}' {{path/to/file}}

SETCAP(8)                              System Manager's Manual                             SETCAP(8)



NAME
       setcap - set file capabilities

SYNOPSIS
       setcap [-q] [-n <rootuid>] [-v] {capabilities|-|-r} filename [ ... capabilitiesN fileN ]

DESCRIPTION
       In the absence of the -v (verify) option, setcap sets the capabilities of each specified
       filename to the capabilities specified. The optional -n <rootuid> argument can be used to set
       the file capability for use only in a user namespace with this root user ID owner. The -v
       option is used to verify that the specified capabilities are currently associated with the
       file. If -v and -n are supplied, the -n <rootuid> argument is also verified.

       The capabilities are specified in the form described in cap_from_text(3).

       The special capability string, '-', can be used to indicate that capabilities are read from
       the standard input. In such cases, the capability set is terminated with a blank line.

       The special capability string, '-r', is used to remove a capability set from a file. Note,
       setting an empty capability set is not the same as removing it. An empty set can be used to
       guarantee a file is not executed with privilege in spite of the fact that the prevailing
       ambient+inheritable sets would otherwise bestow capabilities on executed binaries.

       The -q flag is used to make the program less verbose in its output.

EXIT CODE
       The setcap program will exit with a 0 exit code if successful. On failure, the exit code is
       1.
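
       Added example (not part of the man page or of libcap): a POSIX shell wrapper that applies the set-then-verify sequence from DESCRIPTION and relies on the exit codes documented above. The names ALLOWED_CAPS, caps_allowed and grant_caps, the allowlist contents and the sample path are assumptions; only the single-clause `names+flags` form is accepted.

```shell
#!/bin/sh
# Added example: grant file capabilities only from a local allowlist, then
# confirm the result with setcap -v. All names here are hypothetical.
ALLOWED_CAPS="cap_net_raw cap_net_bind_service"

# caps_allowed 'cap_a,cap_b+ep' -> 0 only if the string is one names+flags
# clause and every name is on the allowlist. Anything else fails closed.
caps_allowed() {
    case $1 in *+*) ;; *) return 1 ;; esac
    names=${1%%+*}          # text before the first '+'
    flags=${1#*+}           # text after it: may contain only e, i, p
    case $flags in ''|*[!eip]*) return 1 ;; esac
    case $names in ''|*[!a-z_,]*) return 1 ;; esac
    old_ifs=$IFS; IFS=,
    for cap in $names; do
        case " $ALLOWED_CAPS " in
            *" $cap "*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# grant_caps CAPS FILE
# Returns 2 if CAPS is refused, 1 if setcap fails to set or verify, else 0.
grant_caps() {
    caps=$1
    file=$2
    if ! caps_allowed "$caps"; then
        echo "refused: '$caps' is not allowlisted" >&2
        return 2
    fi
    # setcap exits 0 on success and 1 on failure.
    setcap -q "$caps" "$file" || return 1
    # -v compares the capabilities now on the file with the requested ones.
    setcap -q -v "$caps" "$file" || return 1
    return 0
}

# Usage, as a user allowed to set file capabilities (constructed path):
#   grant_caps 'cap_net_raw+ep' /usr/local/bin/example-probe
```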

REPORTING BUGS
       Please report bugs via:

       https://bugzilla.kernel.org/buglist.cgi?component=libcap&list_id=1047723&product=Tools&resolution=---

SEE ALSO
       cap_from_text(3), cap_get_file(3), capabilities(7), user_namespaces(7), getcap(8)



                                             2020-01-07                                    SETCAP(8)
