chcap - change file capability sets
chcap [ capsets | -r ] pathname ...
chcap changes the effective, permitted, and inheritable capability sets
of the specified file(s) or removes them. A file's capability sets
affect the capabilities that are assigned to a process upon execution of
the file. For a more complete description of the capability mechanism,
capsets is a string that describes the changes to the file capability
sets. It is comprised of one or more capability lists. Each capability
list has the form:
where capname is a capability name (e.g., CAP_DAC_READ, CAP_DAC_WRITE,
CAP_CHOWN, etc.). The capability name ALL indicates all capabilities.
Capability names may be expressed in either upper or lower case. For a
complete description of available capability names, see capabilities(4).
F is a sequence of one or more flags chosen from "e", "i", "p" indicating
which file capability sets are to be affected. "e" indicates the
effective capability set, "p" the permitted capability set, and "i" the
inherited capability set.
O is the operation chosen from "=","+","-", indicating to initialize,
add, or delete the specified capabilities in the affected capability
If multiple capability lists are specified in capsets, each capability
list must be separated by white space, and the entire capsets string must
be escaped from shell interpretation (i.e. enclosed in quotes).
Specifying all= as a prefix within the capsets string clears all current
capability sets prior to processing the remainder of the string.
The capability sets of a file can be displayed using the ls(1) -P option.
The -r option is used to entirely remove all capability sets on the
chcap CAP_DAC_WRITE-p file
Removes CAP_DAC_WRITE from the file's permitted capability set.
chcap CAP_DAC_WRITE=p file
Initializes the file's permitted capability set to contain only
chcap "all= CAP_DAC_WRITE=p" file
Clears all of the file's capability sets, and initializes the file's
permitted capability set to contain only CAP_DAC_WRITE.
chcap CAP_CHOWN+p file
Adds CAP_CHOWN to the file's permitted capability set.
chcap "CAP_DAC_READ+pi CAP_DAC_WRITE+p" file
Adds CAP_DAC_READ and CAP_DAC_WRITE to file's the permitted capability
set, and adds CAP_DAC_READ to the file's inherited capability set.
chcap -r file
Removes the capability sets on the file.
capabilities(4), capability(4), ls(1).
PPPPaaaaggggeeee 2222 [ Back ]