getcap - Man Page
examine file capabilities
Examples (TL;DR)
- Get capabilities for the given files:
getcap path/to/file1 path/to/file2 ...
- Get capabilities for all the files recursively under the given directories:
getcap -r path/to/directory1 path/to/directory2 ...
- Display all searched entries even if no capabilities are set:
getcap -v path/to/file1 path/to/file2 ...
Synopsis
Description
getcap displays the name and capabilities of each specified file.
Options
- -h
prints quick usage.
- -n
prints any non-zero user namespace root user ID value found to be associated with a file's capabilities.
- -r
enables recursive search.
- -v
displays all searched entries, even if they have no file-capabilities.
NOTE: an empty value of '=' is not equivalent to an omitted (or removed) capability on a file. This is most significant with respect to the Ambient capability vector, since a process with Ambient capabilities will lose them when executing a file having '=' capabilities, but will retain the Ambient inheritance of privilege when executing a file with an omitted file capability. This special empty setting can be used to prevent a binary from executing with privilege. For some time, the kernel honored this suppression for root executing the file, but the kernel developers decided after a number of years that this behavior was unexpected for the superuser and reverted it just for that user identity. Suppression of root privilege, for a process tree, is possible, using the capsh(1) --mode option.
- filename
One file per line.
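An added example (not part of the libcap man page) that sorts `getcap -v -n -r` output into the three states the NOTE distinguishes: no file capability, the empty '=' value, and a non-empty set. It assumes paths without whitespace and the line layout `PATH CAPTEXT [rootid=N]`; the function names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Classify `getcap -v -n -r DIR` output lines (added example).
#   none  - no file capability; the entry is listed only because of -v
#   empty - the special '=' value described in the NOTE above
#   set   - a non-empty capability set
# Output columns (tab separated): STATE ROOTID PATH CAPTEXT
# Assumptions: paths contain no whitespace; each line is laid out as
# "PATH CAPTEXT [rootid=N]", with CAPTEXT and the rootid suffix optional.
classify_getcap() {
    awk '
    NF == 0 { next }
    {
        path = $1; last = NF; rootid = "-"
        # -n appends the namespace root user ID when it is non-zero.
        if ($NF ~ /^\[rootid=[0-9]+\]$/) {
            rootid = $NF
            gsub(/[^0-9]/, "", rootid)
            last = NF - 1
        }
        # Older libcap output shows "= " before the clauses
        # (for example "= cap_net_raw+ep"); skip that leading field.
        first = (last >= 3 && $2 == "=") ? 3 : 2
        caps = ""
        for (i = first; i <= last; i++)
            caps = caps (caps == "" ? "" : " ") $i
        if (caps == "")       state = "none"
        else if (caps == "=") state = "empty"
        else                  state = "set"
        if (caps == "") caps = "-"
        printf "%s\t%s\t%s\t%s\n", state, rootid, path, caps
    }'
}

# Constructed sample input, not captured from a real system.
sample_getcap_output() {
    cat <<'EOF'
/opt/demo/bin/plain
/opt/demo/bin/locked =
/opt/demo/bin/pinger cap_net_raw=ep
/opt/demo/bin/nsbound cap_net_bind_service=ep [rootid=100000]
EOF
}

# Demo run on the sample. On a real host:
#   getcap -v -n -r /usr/bin | classify_getcap
sample_getcap_output | classify_getcap
```

Filtering the result for `empty` lists the binaries that drop Ambient capabilities on exec, while `none` entries retain the Ambient inheritance.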
Reporting Bugs
Please report bugs via:
https://bugzilla.kernel.org/buglist.cgi?component=libcap&list_id=1090757
See Also
capsh(1), cap_get_file(3), cap_to_text(3), capabilities(7), user_namespaces(7), captree(8), getpcaps(8) and setcap(8).
Referenced By
capabilities(7), capsh(1), getpcaps(8), libcap(3), setcap(8).