mirror/libcap
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/libs/libcap/libcap.git synced 2026-01-28 18:34:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
libcap/doc/getcap.8
Andrew G. Morgan ac8d461a2c Make it harder to set invalid capabilities on files. 
This change introduces the setcap -f argument to allow setting
of nonsense capabilities on files. But the default is to fail
when attempting to set such invalid capabilities.

This commit addresses:

  https://bugzilla.kernel.org/show_bug.cgi?id=217592

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
2023-06-24 22:24:00 -07:00

66 lines
1.7 KiB
Groff
Raw Permalink Blame History

.\" originally written by Andrew Main <zefram@dcs.warwick.ac.uk>
.TH GETCAP 8 "2021-08-29"
.SH NAME
getcap \- examine file capabilities
.SH SYNOPSIS
\fBgetcap\fP [\-v] [\-n] [\-r] [\-h] \fIfilename\fP [ ... ]
.SH DESCRIPTION
.B getcap
displays the name and capabilities of each specified file.
.SH OPTIONS
.TP 4
.B \-h
prints quick usage.
.TP 4
.B \-n
prints any non-zero user namespace root user ID value
found to be associated with
a file's capabilities.
.TP 4
.B \-r
enables recursive search.
.TP 4
.B \-v
display all searched entries, even if the have no file-capabilities.
.PP
NOTE: an
.I empty
value of
.B '='
is
.B not
equivalent to an omitted (or removed) capability on a
file. This is most significant with respect to the Ambient capability
vector, since a process with Ambient capabilities will lose them when
executing a file having
.B '='
capabilities, but will retain the Ambient inheritance of privilege
when executing a file with an omitted file capability. This special
.I empty
setting can be used to prevent a binary from executing with
privilege. For some time, the kernel honored this suppression for root
executing the file, but the kernel developers decided after a number
of years that this behavior was unexpected for the superuser and
reverted it just for that user identity. Suppression of root
privilege, for a process tree, is possible, using the
.BR capsh (1)
.B \-\-mode
option.
.TP 4
.IR filename
One file per line.
.SH "REPORTING BUGS"
Please report bugs via:
.TP
https://bugzilla.kernel.org/buglist.cgi?component=libcap&list_id=1090757
.SH "SEE ALSO"
.BR capsh (1),
.BR cap_get_file (3),
.BR cap_to_text (3),
.BR capabilities (7),
.BR user_namespaces (7),
.BR captree (8),
.BR getpcaps (8)
and
.BR setcap (8).
Reference in New Issue View Git Blame Copy Permalink