{ "content": [ { "type": "text", "text": "# setcap(8) (man)\n\n## TLDR\n\n> Set capabilities of specified file.\n\n- Set capability `cap_net_raw` (to use RAW and PACKET sockets) for a given file:\n `setcap '{{cap_net_raw}}' {{path/to/file}}`\n- Set multiple capabilities on a file (`ep` behind the capability means \"effective permitted\"):\n `setcap '{{cap_dac_read_search,cap_sys_tty_config+ep}}' {{path/to/file}}`\n- Remove all capabilities from a file:\n `setcap -r {{path/to/file}}`\n- Verify that the specified capabilities are currently associated with the specified file:\n `setcap -v '{{cap_net_raw}}' {{path/to/file}}`\n- The optional `-n root_uid` argument can be used to set the file capability for use only in a user namespace with this root user ID owner:\n `setcap -n {{root_uid}} '{{cap_net_admin}}' {{path/to/file}}`\n\n*Source: tldr-pages*\n\n---\n\n**Summary:** setcap - set file capabilities\n\n**Synopsis:** setcap [-q] [-n ] [-v] {capabilities|-|-r} filename [ ... capabilitiesN fileN ]\n\n## See Also\n\n- capfromtext(3)\n- capgetfile(3)\n- capabilities(7)\n- usernamespaces(7)\n- getcap(8)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **SYNOPSIS** (2 lines)\n- **DESCRIPTION** (18 lines)\n- **EXIT CODE** (3 lines)\n- **REPORTING BUGS** (5 lines)\n- **SEE ALSO** (5 lines)\n\n## Full Content\n\n### NAME\n\nsetcap - set file capabilities\n\n### SYNOPSIS\n\nsetcap [-q] [-n ] [-v] {capabilities|-|-r} filename [ ... capabilitiesN fileN ]\n\n### DESCRIPTION\n\nIn the absence of the -v (verify) option setcap sets the capabilities of each specified file‐\nname to the capabilities specified. The optional -n argument can be used to set\nthe file capability for use only in a user namespace with this root user ID owner. The -v op‐\ntion is used to verify that the specified capabilities are currently associated with the\nfile. If -v and -n are supplied, the -n argument is also verified.\n\nThe capabilities are specified in the form described in capfromtext(3).\n\nThe special capability string, '-', can be used to indicate that capabilities are read from\nthe standard input. In such cases, the capability set is terminated with a blank line.\n\nThe special capability string, '-r', is used to remove a capability set from a file. Note,\nsetting an empty capability set is not the same as removing it. An empty set can be used to\nguarantee a file is not executed with privilege in spite of the fact that the prevailing am‐\nbient+inheritable sets would otherwise bestow capabilities on executed binaries.\n\nThe -q flag is used to make the program less verbose in its output.\n\n### EXIT CODE\n\nThe setcap program will exit with a 0 exit code if successful. On failure, the exit code is\n1.\n\n### REPORTING BUGS\n\nPlease report bugs via:\n\nhttps://bugzilla.kernel.org/buglist.cgi?component=libcap&listid=1047723&product=Tools&reso‐\nlution=---\n\n### SEE ALSO\n\ncapfromtext(3), capgetfile(3), capabilities(7), usernamespaces(7), getcap(8)\n\n\n\n2020-01-07 SETCAP(8)\n\n" } ], "structuredContent": { "command": "setcap", "section": "8", "mode": "man", "summary": "setcap - set file capabilities", "synopsis": "setcap [-q] [-n ] [-v] {capabilities|-|-r} filename [ ... capabilitiesN fileN ]", "tldr_summary": "Set capabilities of specified file.", "tldr_examples": [ { "description": "Set capability `cap_net_raw` (to use RAW and PACKET sockets) for a given file", "command": "setcap '{{cap_net_raw}}' {{path/to/file}}" }, { "description": "Set multiple capabilities on a file (`ep` behind the capability means \"effective permitted\")", "command": "setcap '{{cap_dac_read_search,cap_sys_tty_config+ep}}' {{path/to/file}}" }, { "description": "Remove all capabilities from a file", "command": "setcap -r {{path/to/file}}" }, { "description": "Verify that the specified capabilities are currently associated with the specified file", "command": "setcap -v '{{cap_net_raw}}' {{path/to/file}}" }, { "description": "The optional `-n root_uid` argument can be used to set the file capability for use only in a user namespace with this root user ID owner", "command": "setcap -n {{root_uid}} '{{cap_net_admin}}' {{path/to/file}}" } ], "tldr_source": "official", "flags": [], "examples": [], "see_also": [ { "name": "capfromtext", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/capfromtext/3/json" }, { "name": "capgetfile", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/capgetfile/3/json" }, { "name": "capabilities", "section": "7", "url": "https://www.chedong.com/phpMan.php/man/capabilities/7/json" }, { "name": "usernamespaces", "section": "7", "url": "https://www.chedong.com/phpMan.php/man/usernamespaces/7/json" }, { "name": "getcap", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/getcap/8/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 2, "subsections": [] }, { "name": "DESCRIPTION", "lines": 18, "subsections": [] }, { "name": "EXIT CODE", "lines": 3, "subsections": [] }, { "name": "REPORTING BUGS", "lines": 5, "subsections": [] }, { "name": "SEE ALSO", "lines": 5, "subsections": [] } ] } }