LinuxCommandLibrary

getcap

Get file capabilities

TLDR

Get capabilities for the given files

$ getcap [path/to/file1 path/to/file2 ...]

Get capabilities for all the files recursively under the given directories
$ getcap -r [path/to/directory1 path/to/directory2 ...]

Display all searched entries even if no capabilities are set
$ getcap -v [path/to/file1 path/to/file2 ...]

SYNOPSIS


getcap [-v] [-n] [-r] [-h] filename [ ... ]

PARAMETERS

-v
    Verbose mode. Displays every file examined, including those with no capabilities set. The default prints only files that carry capabilities.

-r
    Recursive mode. When a directory is given, descends into it and reports the capabilities of every file found beneath it.

-n
    Prints the namespace root user ID (rootid) stored with the file capability, when it is non-zero. This field exists only in the version 3 file-capability format (Linux 4.14 and later), which lets a file carry capabilities that are honoured only in a user namespace whose root maps to that UID.

-h
    Prints usage information and exits.

DESCRIPTION

The getcap command displays the capabilities attached to files on a Linux system. It does not query running processes; for those use getpcaps(8), or read the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines in /proc/PID/status and decode a mask with capsh --decode=<hex>. Capabilities split the privileges of the superuser into distinct units, so a program can be granted a subset of them rather than full root. This gives finer-grained control over privilege and a smaller attack surface than a set-user-ID-root binary, which confers every capability at once.

When attached to a file, capabilities let a non-root user run that program with specific elevated privileges. For example, ping can be given CAP_NET_RAW so it can open raw sockets without running as root. getcap reads the file's security.capability extended attribute and prints the path followed by its capability string, for example /usr/bin/ping cap_net_raw=ep (older libcap releases print the same thing as /usr/bin/ping = cap_net_raw+ep). The letters after the operator name the file capability sets: p (permitted) is what the new process may hold, i (inheritable) is granted only where the caller's own inheritable set already contains the capability, and e is the effective bit, which raises the permitted set into the effective set at exec so the program does not have to call cap_set_proc() itself. getcap is the counterpart of setcap, which assigns or removes file capabilities. Inspecting file capabilities matters when auditing a system for privilege-escalation paths and when troubleshooting permission problems, because a capability-bearing binary is privileged in a way that ls -l does not reveal.
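The audit use mentioned above, as an added example that is not part of getcap or libcap: a POSIX shell function that reads getcap -r output and flags binaries whose permitted or effective set contains a capability that commonly lets an unprivileged caller reach root. The list of risky capabilities, the sample getcap lines and the function name audit_getcap are this example's own choices; the sample output is constructed, not captured from a real host. Both getcap output layouts described above are accepted; paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example: audit getcap -r output for capabilities that commonly enable
# privilege escalation. Not part of getcap/libcap. Assumes POSIX sh and awk.
#
# Input lines are in either layout libcap has printed:
#   /usr/bin/ping = cap_net_raw+ep      (older libcap)
#   /usr/bin/ping cap_net_raw=ep        (current libcap)

# Capabilities that, on a binary an unprivileged user can execute, are
# frequently sufficient for root or arbitrary file access (assumed list;
# extend as needed).
RISKY_CAPS='cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_sys_module cap_dac_override cap_dac_read_search cap_chown cap_fowner cap_setfcap cap_sys_rawio'

# audit_getcap: read getcap output on stdin and print one line per entry that
# carries a risky capability in its permitted (p) or effective (e) set:
#   <path> <capability string> -> <risky caps, comma separated>
# Exit status is 1 when at least one finding was printed, 0 otherwise, so it
# can gate a CI job or a hardening check.
audit_getcap() {
    awk -v risky="$RISKY_CAPS" '
    BEGIN {
        n = split(risky, r, " ")
        allrisky = ""
        for (i = 1; i <= n; i++) {
            want[r[i]] = 1
            allrisky = allrisky (allrisky == "" ? "" : ",") r[i]
        }
        findings = 0
    }
    NF >= 2 {
        path = $1
        first = 2
        if ($2 == "=") first = 3          # older "path = caps" layout
        hits = ""
        for (c = first; c <= NF; c++) {   # each clause: name[,name...]OPflags
            clause = $c
            if (match(clause, /[+=-]/) == 0) continue
            names = substr(clause, 1, RSTART - 1)
            op    = substr(clause, RSTART, 1)
            flags = substr(clause, RSTART + 1)
            if (op == "-") continue       # a "-" clause only removes flags
            if (flags !~ /[ep]/) continue # "+i" alone is not exercisable here
            if (names == "") names = allrisky   # bare "=ep" means all caps
            m = split(names, nm, ",")
            for (j = 1; j <= m; j++)
                if (nm[j] in want) hits = hits (hits == "" ? "" : ",") nm[j]
        }
        if (hits != "") {
            caps = ""
            for (c = first; c <= NF; c++) caps = caps (caps == "" ? "" : " ") $c
            print path " " caps " -> " hits
            findings++
        }
    }
    END { if (findings > 0) exit 1; exit 0 }
    '
}

if [ "${1:-}" = "--scan" ]; then
    # Live run over the usual binary locations; getcap needs read access to
    # the file's xattr, which world-readable binaries allow without root.
    getcap -r /usr/bin /usr/sbin /usr/lib /opt 2>/dev/null | audit_getcap
else
    # Demo on constructed sample lines (not real getcap output); the
    # non-zero "findings" status is ignored here.
    printf '%s\n' \
        '/usr/bin/ping cap_net_raw=ep' \
        '/usr/bin/python3 cap_setuid=ep' \
        '/usr/sbin/arping = cap_net_raw+ep' \
        '/opt/tool cap_dac_read_search,cap_sys_ptrace=p' \
        '/opt/inh cap_sys_admin+i' | audit_getcap || :
fi
```

Run it with --scan on a host to get the live findings; the python3 and /opt/tool sample lines are reported, while ping (cap_net_raw) and the inheritable-only /opt/inh entry are not. An inheritable-only capability is still worth a second look, since a caller that already holds it in its own inheritable set will receive it, but it is not a direct escalation for an ordinary user.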

CAVEATS

Process capabilities have been in the Linux kernel since 2.2, but file capabilities, the ones getcap reports, arrived in 2.6.24 and need a filesystem that supports the security.capability extended attribute (ext2/3/4, XFS, Btrfs and most other local filesystems). NFS and some other network filesystems may not support them directly. Copying a binary with tools that do not preserve extended attributes (cp without --preserve=xattr, tar without --xattrs) silently strips its capabilities, which is a common cause of "it worked on the old host" breakage.

Incorrectly applied capabilities can introduce security vulnerabilities by granting unnecessary privileges to non-root users. Several capabilities are effectively root when attached to a binary an unprivileged user can run, among them CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_SYS_MODULE. Understand the implications of each capability before granting it; capabilities(7) describes them.

The kernel ignores file capabilities in several situations, so a capability that getcap shows is not necessarily granted at exec: when the filesystem is mounted nosuid (check with findmnt -o TARGET,OPTIONS), when the calling process has set PR_SET_NO_NEW_PRIVS, and for any capability outside the caller's bounding set, which is ANDed with the file's permitted set.

SECURITY CONTEXT

Capabilities are intrinsically linked to the security context of a file or process. For files, they are stored in the security.capability extended attribute; for processes, they live in the kernel's credential structure and are exposed through /proc/PID/status. ls -l shows nothing for either. The raw attribute can be dumped with getfattr -n security.capability, but getcap decodes it into capability names and flag sets, which is what an audit needs.

INTERACTION WITH SUID/SGID

Both mechanisms can be present on the same system, and a file can carry a set-user-ID bit and file capabilities at once. Capabilities are preferred for targeted privilege grants because a set-user-ID-root binary confers the full root capability set on the process, whereas a file capability grants only what is listed and can be enumerated exactly. During an audit, getcap -r / and find / -perm -4000 together enumerate both kinds of privileged binaries.

HISTORY

Capabilities were introduced in Linux kernel 2.2 to divide the coarse-grained superuser (root) privilege into a finer-grained set of distinct permissions; file capabilities, which let the kernel grant those permissions at exec, followed in 2.6.24. The user-space side, including getcap and setcap, comes from the libcap project, which provides the library and tools for querying and manipulating process and file capabilities. getcap lets administrators and developers inspect the privileges attached to executables, supporting audits that reduce reliance on SUID binaries as Linux privilege management has evolved.

SEE ALSO

setcap(8) - Set file capabilities, getpcaps(8) - Display the capabilities of running processes, capsh(1) - Capability shell wrapper, including --decode for /proc capability masks, cap_from_text(3) - Convert textual representation of capabilities to internal form, capabilities(7) - Overview of Linux capabilities
