LinuxCommandLibrary

setcap

Grant capabilities to executables

TLDR

Set capability cap_net_raw (to use RAW and PACKET sockets) for a given file

$ setcap '[cap_net_raw]' [path/to/file]
copy

Set multiple capabilities on a file (ep behind the capability means "effective permitted")
$ setcap '[cap_dac_read_search,cap_sys_tty_config+ep]' [path/to/file]
copy

Remove all capabilities from a file
$ setcap -r [path/to/file]
copy

Verify that the specified capabilities are currently associated with the specified file
$ setcap -v '[cap_net_raw]' [path/to/file]
copy

The optional -n root_uid argument can be used to set the file capability for use only in a user namespace with this root user ID owner
$ setcap -n [root_uid] '[cap_net_admin]' [path/to/file]
copy

SYNOPSIS

setcap [options] capabilities filename...
setcap [options] -r filename...

PARAMETERS

capabilities
    A comma-separated list of capability specifications (e.g., `cap_net_bind_service=+ep`). Capabilities can be added (`+`), removed (`-`), or assigned directly (`=`). The letters p, e, i denote Permitted, Effective, and Inheritable sets respectively. This argument is required unless using the -r option.

filename
    The path to the executable file(s) on which capabilities are to be set or removed. Multiple files can be specified.

-q
    Be quiet; suppress non-error messages.

-v
    Be verbose; display changes and diagnostics.

-r
    Remove all capabilities from the specified file(s). This option mutually excludes the capabilities argument.

DESCRIPTION

The setcap command is a utility used in Linux to manipulate file capabilities. Linux capabilities are a security feature that partitions the traditional Unix superuser privileges (those of the root user) into distinct units. Instead of granting a program full root access to perform a specific privileged operation, only the exact capabilities required for that task can be granted. For example, a program might need to bind to a low-numbered network port (like 80 or 443) without needing all root privileges.

setcap allows administrators to assign these specific capabilities to an executable file. When such a file is executed by any user, it gains the specified capabilities, enabling it to perform the otherwise privileged operations. This mechanism significantly enhances system security by enforcing the principle of least privilege, reducing the attack surface compared to running entire applications as the root user. It's an essential tool for privilege separation and hardening Linux systems.

CAVEATS

Only applies to regular executable files; capabilities cannot be set on directories, symlinks, or typically on scripts (as the interpreter, not the script, receives capabilities).
Capabilities are associated with the file's inode and are lost if the file is moved or copied without preserving attributes (e.g., use `cp -a` or `install -p`).
Requires kernel support for capabilities.
Improper use can still lead to security vulnerabilities; always apply the principle of least privilege by granting only the minimum necessary capabilities.

COMMON USE CASES

  • Allowing a web server (e.g., Nginx) to bind to a privileged port (e.g., 80) without running as root:
    `setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx`
  • Enabling a network utility (e.g., ping) to create raw sockets:
    `setcap 'cap_net_raw=+ep' /bin/ping`

CAPABILITY SETS (P, E, I)


p (Permitted): The capabilities that a thread can assert. This set defines the maximum capabilities a process can ever have.
e (Effective): The capabilities currently active and used by the thread for privileged operations. For file capabilities, these are immediately available upon execution.
i (Inheritable): Capabilities that are preserved across `execve` calls by non-root users. While set on files, their practical effect largely depends on the process's inheritable set. The most common combination for file capabilities is `+ep` for directly effective capabilities.

HISTORY

Linux capabilities were introduced in kernel 2.2 to provide a more granular privilege model, moving away from the all-or-nothing root paradigm. The libcap user-space library and associated utilities like setcap and getcap were developed to manage these new capabilities, allowing for fine-grained control over process and file privileges. This innovation significantly improved the security posture of Linux systems by enabling applications to operate with only the minimum required privileges.

SEE ALSO

getcap(8), cap_from_text(3), capabilities(7), chmod(1), chown(1)

Copied to clipboard