SETCAP: Set File Capabilities
Introduction
Setcap is a powerful tool that enables administrators to control the capabilities of files in Linux systems. By setting capabilities, administrators can grant or revoke specific privileges to users or processes, allowing them to perform actions that would normally require root access.
Usage
The general syntax of setcap is:

```
setcap [-qnv] [-f capability-set] [--capability-set=capability-set] [-r] [--restore] [--help] {--remove-capabilities capabilities} {--set-capabilities capabilities} files...
```

Where:

* `-q`: Quiet mode, suppress normal output but still show warnings and errors.
* `-n`: Verify mode, check the requested operation but do not actually perform it.
* `-v`: Verbose mode, print additional information about the operation being performed.
* `-f`: File containing a capability set.
* `--capability-set`: Specify a capability set to apply to the files.
* `-r`: Restore capabilities from backup files.
* `--restore`: Restore capabilities from backup files.
* `--help`: Print help information.
* `--remove-capabilities`: Remove specified capabilities from the files.
* `--set-capabilities`: Set specified capabilities for the files.
* `files...`: The files to which the capability operations will be applied.
Examples
To set the `CAP_SYS_ADMIN` capability for the file `/bin/bash`:

```
setcap cap_sys_admin+ep /bin/bash
```

To remove all capabilities from the file `/usr/bin/passwd`:

```
setcap -r /usr/bin/passwd
```

To verify the capabilities of the file `/usr/bin/sudo`:

```
setcap -v /usr/bin/sudo
```
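A grant such as `cap_sys_admin+ep` on a shell gives broad privilege to every process that executes that file, so file capabilities are worth auditing. The following is an added example, not part of the original page: it filters `getcap -r` output for high-risk grants. The `RISKY_CAPS` list, the function names and the sample lines are assumptions constructed for illustration.

```sh
# Added example: flag high-risk file capabilities in `getcap -r` output.
# RISKY_CAPS is this example's own assumption, not a libcap default.
RISKY_CAPS="cap_sys_admin cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module"

# Reads getcap lines on stdin; prints "path<TAB>capability" per risky grant.
# Assumes a single-clause capability spec with no spaces (the common case).
audit_file_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Older libcap prints "path = caps+ep", newer prints "path caps=ep".
        case "$line" in
            *" = "*) path=${line% = *}; spec=${line##* = } ;;
            *)       path=${line% *};   spec=${line##* } ;;
        esac
        names=${spec%%[=+-]*}     # capability names before the operator
        flags=${spec#"$names"}    # operator plus flag letters, e.g. "=ep"
        # Skip grants that set neither the permitted nor the effective flag.
        case "$flags" in *[ep]*) ;; *) continue ;; esac
        # An empty name list ("=ep") or "all" means every capability.
        if [ -z "$names" ] || [ "$names" = "all" ]; then
            printf '%s\t%s\n' "$path" "all"
            continue
        fi
        for name in $(printf '%s' "$names" | tr ',' ' '); do
            case " $RISKY_CAPS " in
                *" $name "*) printf '%s\t%s\n' "$path" "$name" ;;
            esac
        done
    done
}

# Constructed sample of `getcap -r / 2>/dev/null` output (both formats).
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/ping cap_net_raw=ep
/bin/bash cap_sys_admin=ep
/usr/bin/python3.11 = cap_setuid,cap_net_bind_service+ep
/opt/tools/helper =ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock+i
EOF
}

# On a real host: getcap -r / 2>/dev/null | audit_file_caps
sample_getcap_output | audit_file_caps
```

Each reported path can then be compared against the set of binaries that are expected to carry capabilities on that host.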