LinuxCommandLibrary

getcap

Get file capabilities

TLDR

Get capabilities for the given files

$ getcap [path/to/file1 path/to/file2 ...]

Get capabilities for all the files recursively under the given directories

$ getcap -r [path/to/directory1 path/to/directory2 ...]

Display all searched entries even if no capabilities are set

$ getcap -v [path/to/file1 path/to/file2 ...]

SYNOPSIS

getcap [-h] [-v] [-V] [-r] [-E=f|d] pathname...

PARAMETERS

-h, --help
    Print short usage message.

-v, --verbose
    Human-readable verbose output format; also lists searched entries that have no capabilities set.

-r, --recursive
    Recursively examine the files under each given directory.

-V, --version
    Display libcap version.

-E={f|d}, --encoding={f|d}
    Encoding style of the capability text: f for the full (default) form, d for the short, deprecated form.

DESCRIPTION

getcap is a command-line utility from the libcap package that retrieves and displays the Linux file capabilities associated with one or more specified files or paths. Linux capabilities implement the POSIX.1e draft specification, providing fine-grained privilege control as an alternative to the all-or-nothing superuser model: a process can hold specific privileges (e.g., cap_net_raw for raw sockets) without full root access.

File capabilities are stored in an extended attribute on executable files and consist of three sets: Permitted (p), Inheritable (i), and Effective (e). The command outputs them in one of two textual formats: brief (script-friendly, one line per file) or verbose (multi-line, human-readable).

Without options, getcap produces compact output such as /bin/ping cap_net_raw=ep, meaning the capability is in the file's Effective and Permitted sets. This lets administrators audit and verify the privilege assignments made with setcap. The tool reads the kernel's VFS capability attributes through the user-space libcap library.

Common use cases include checking that network tools such as ping or sshd carry only the privileges they need, verifying security compliance, and debugging permission problems. Note that file capabilities require a filesystem with extended-attribute support (e.g., ext4) and are ineffective on mounts that lack it, such as NFS without extensions.
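The audit workflow described above, as an added example that is not part of this page or of libcap: a POSIX shell function that compares brief-format getcap output against an allowlist of approved grants and reports any file whose capabilities are missing from, or differ from, the baseline. The BASELINE and SAMPLE lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of libcap): audit brief-format getcap output against
# an approved baseline. Input lines look like getcap's brief output:
#     <path> <cap>[,<cap>...]=<flags>        e.g. /bin/ping cap_net_raw=ep
# Paths containing spaces are not handled (getcap separates fields with a space).

# Constructed allowlist of approved grants, one per line, same format as getcap.
BASELINE='/bin/ping cap_net_raw=ep
/usr/sbin/arping cap_net_raw=ep'

# Constructed sample of what "getcap -r /" might print on a host.
SAMPLE='/bin/ping cap_net_raw=ep
/usr/sbin/arping cap_net_raw=ep
/usr/local/bin/backup cap_dac_read_search=ep'

# audit_caps: read getcap brief-format lines on stdin; print one line for each
# file that is missing from the baseline or whose capability string differs.
# Returns 0 when everything matches, 1 when at least one finding was printed.
audit_caps() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}          # text before the first space
        caps=${line#* }           # text after the first space, e.g. cap_net_raw=ep
        expected=$(printf '%s\n' "$BASELINE" | awk -v p="$path" '$1 == p { print $2 }')
        if [ -z "$expected" ]; then
            printf 'UNEXPECTED %s %s (not in baseline)\n' "$path" "$caps"
            found=1
        elif [ "$expected" != "$caps" ]; then
            printf 'MISMATCH %s has %s, baseline says %s\n' "$path" "$caps" "$expected"
            found=1
        fi
    done
    return "$found"
}

# Demo run on the constructed sample; on a real host pipe in: getcap -r / 2>/dev/null
if printf '%s\n' "$SAMPLE" | audit_caps; then
    echo "audit OK: every capability grant matches the baseline"
else
    echo "audit: review the findings above"
fi
```

On the sample input the run reports /usr/local/bin/backup as UNEXPECTED, since it carries a grant the baseline does not list.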

CAVEATS

Requires the libcap package. Capabilities need filesystem extended-attribute support (e.g., not VFAT). Output is empty when no capabilities are set (use -v to list the searched entries anyway). Running as a non-root user usually suffices.

EXAMPLE OUTPUT (BRIEF)

getcap /bin/ping
/bin/ping cap_net_raw=ep

EXAMPLE OUTPUT (VERBOSE)

getcap -v /bin/ping
/bin/ping:
cap_net_raw=ep

HISTORY

Developed as part of the libcap library (initial release ~1997 by Andrew G. Morgan). Evolved alongside Linux kernel capabilities in 2.2 (1999); the modern tools ship in libcap2/NG since 2008. Widely used for privilege separation in post-2010 security hardening.

SEE ALSO

setcap(1), getpcaps(8), capsh(1), capabilities(7)
