{ "mode": "man", "parameter": "setcap", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/setcap/8/json", "generated": "2026-06-03T01:22:12Z", "synopsis": "setcap [-q] [-n ] [-v] {capabilities|-|-r} filename [ ... capabilitiesN fileN ]", "sections": { "NAME": { "content": "setcap - set file capabilities\n", "subsections": [] }, "SYNOPSIS": { "content": "setcap [-q] [-n ] [-v] {capabilities|-|-r} filename [ ... capabilitiesN fileN ]\n", "subsections": [] }, "DESCRIPTION": { "content": "In the absence of the -v (verify) option setcap sets the capabilities of each specified file‐\nname to the capabilities specified. The optional -n argument can be used to set\nthe file capability for use only in a user namespace with this root user ID owner. The -v op‐\ntion is used to verify that the specified capabilities are currently associated with the\nfile. If -v and -n are supplied, the -n argument is also verified.\n\nThe capabilities are specified in the form described in capfromtext(3).\n\nThe special capability string, '-', can be used to indicate that capabilities are read from\nthe standard input. In such cases, the capability set is terminated with a blank line.\n\nThe special capability string, '-r', is used to remove a capability set from a file. Note,\nsetting an empty capability set is not the same as removing it. An empty set can be used to\nguarantee a file is not executed with privilege in spite of the fact that the prevailing am‐\nbient+inheritable sets would otherwise bestow capabilities on executed binaries.\n\nThe -q flag is used to make the program less verbose in its output.\n", "subsections": [] }, "EXIT CODE": { "content": "The setcap program will exit with a 0 exit code if successful. On failure, the exit code is\n1.\n", "subsections": [] }, "REPORTING BUGS": { "content": "Please report bugs via:\n\nhttps://bugzilla.kernel.org/buglist.cgi?component=libcap&listid=1047723&product=Tools&reso‐\nlution=---\n", "subsections": [] }, "SEE ALSO": { "content": "capfromtext(3), capgetfile(3), capabilities(7), usernamespaces(7), getcap(8)\n\n\n\n2020-01-07 SETCAP(8)", "subsections": [] } }, "summary": "setcap - set file capabilities", "flags": [], "examples": [], "see_also": [ { "name": "capfromtext", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/capfromtext/3/json" }, { "name": "capgetfile", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/capgetfile/3/json" }, { "name": "capabilities", "section": "7", "url": "https://www.chedong.com/phpMan.php/man/capabilities/7/json" }, { "name": "usernamespaces", "section": "7", "url": "https://www.chedong.com/phpMan.php/man/usernamespaces/7/json" }, { "name": "getcap", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/getcap/8/json" } ], "tldr": { "source": "official", "description": "Set capabilities of specified file.", "examples": [ { "description": "Set capability `cap_net_raw` (to use RAW and PACKET sockets) for a given file", "command": "setcap '{{cap_net_raw}}' {{path/to/file}}" }, { "description": "Set multiple capabilities on a file (`ep` behind the capability means \"effective permitted\")", "command": "setcap '{{cap_dac_read_search,cap_sys_tty_config+ep}}' {{path/to/file}}" }, { "description": "Remove all capabilities from a file", "command": "setcap -r {{path/to/file}}" }, { "description": "Verify that the specified capabilities are currently associated with the specified file", "command": "setcap -v '{{cap_net_raw}}' {{path/to/file}}" }, { "description": "The optional `-n root_uid` argument can be used to set the file capability for use only in a user namespace with this root user ID owner", "command": "setcap -n {{root_uid}} '{{cap_net_admin}}' {{path/to/file}}" } ] } }