# Linux File Capabilities (setcap, getcap)

Linux capabilities allow granting specific privileges to executables without full root access, improving security over using setuid.
Traditionally, binaries required setuid root to perform privileged tasks. Capabilities allow splitting root powers into individual privileges, assigned as needed.
| Capability | Purpose |
|---|---|
| cap_net_bind_service | Bind to ports < 1024 |
| cap_net_admin | Network interface configuration |
| cap_sys_time | Set system clock |
| cap_dac_override | Ignore file permission checks |
| cap_chown | Change file ownership |
## getcap — View File Capabilities

Syntax:

```bash
getcap [file]
```

Example:

```bash
getcap /usr/bin/ping
```

Output:

```
/usr/bin/ping = cap_net_raw+ep
```
## setcap — Assign Capabilities

Syntax:

```bash
setcap [capability]=[flags] [file]
```

Flags:

- e = Effective
- p = Permitted
- i = Inheritable

Examples:

```bash
setcap cap_net_bind_service=+ep ./myserver   # Allow binding to port 80
setcap cap_net_raw+p /usr/bin/ping           # Enable raw sockets
```

Remove capabilities:

```bash
setcap -r [file]
```

Example:

```bash
setcap -r ./myserver
```
| Flag | Meaning |
|---|---|
| e | Active when the file runs |
| p | Allowed to be used |
| i | Inherited by child processes |
Most use cases work with +ep (Effective + Permitted).
Notes:

- Capabilities are stored as extended attributes, so the filesystem must support them (ext4, xfs, etc.).
- Avoiding setuid and using capabilities is more secure.
- Use `getcap -r /` to recursively list all capabilities.

## Example: Bind to Port 80 Without Root

```bash
# Compile a simple TCP server
gcc server.c -o myserver

# Allow binding to port 80
setcap cap_net_bind_service=+ep ./myserver

# Run as normal user
./myserver
```
Now your program can bind to port 80 without sudo or setuid.
```bash
setcap -r ./myserver
```
This removes the granted capability.
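As an added example (not part of the original page), here is a small Python audit script that parses the output of `getcap -r /` and flags binaries carrying high-risk capabilities, so they get the same review a setuid-root binary would. It accepts both the older `path = cap+ep` output style shown above and the newer `path cap=ep` style that recent libcap versions print; the `HIGH_RISK` list and the sample output are constructed for illustration.

```python
import re
# Capabilities that, granted to an executable, are close to full root.
# Constructed review list; extend it to match your own policy.
HIGH_RISK = {"cap_sys_admin", "cap_dac_override", "cap_dac_read_search", "cap_setuid",
             "cap_setgid", "cap_sys_ptrace", "cap_sys_module", "cap_chown"}

# One clause of getcap output: comma-separated names, an operator, then flags.
# Older libcap prints "cap_net_raw+ep"; libcap 2.4x and later print "cap_net_raw=ep".
_CLAUSE = re.compile(r"^(?P<names>[a-z0-9_,]+)(?P<op>[=+-])(?P<flags>[eip]*)$")

def parse_caps_text(text):
    """Parse the capability text of one getcap line into {name: set_of_flags}."""
    caps = {}
    for clause in text.split():
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unrecognised capability clause: {clause!r}")
        op, flags = m.group("op"), set(m.group("flags"))
        for name in m.group("names").split(","):
            have = caps.get(name, set())  # '=' sets exactly, '+' adds, '-' removes
            caps[name] = {"=": set(flags), "+": have | flags, "-": have - flags}[op]
    return caps

def parse_getcap_line(line):
    """Return (path, caps) for 'PATH = CAPS' (old) or 'PATH CAPS' (new style)."""
    line = line.strip()
    if not line:
        return None
    path, _, rest = line.partition(" ")   # paths containing spaces are not handled
    rest = rest.lstrip()
    if rest.startswith("= "):             # old-style separator
        rest = rest[2:]
    return path, parse_caps_text(rest)

def audit(lines):
    """List (path, capability, flags) for each high-risk capability that is permitted or effective."""
    findings = []
    for path, caps in filter(None, map(parse_getcap_line, lines)):
        for name, flags in caps.items():
            if name in HIGH_RISK and flags & {"e", "p"}:
                findings.append((path, name, "".join(sorted(flags))))
    return sorted(findings)

# Constructed sample of `getcap -r /` output mixing both output styles.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/arping cap_net_raw=ep
/opt/app/myserver cap_net_bind_service=ep
/opt/legacy/tool = cap_dac_override,cap_chown+eip
"""
```

On a real host, feed `audit()` the lines of `getcap -r / 2>/dev/null`; every finding is a binary whose capability grant should be justified or removed with `setcap -r`.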
| Command | Description |
|---|---|
| getcap file | Show capabilities on file |
| setcap cap=+ep file | Add capability to a file |
| setcap -r file | Remove capabilities |
File capabilities offer a fine-grained security model, allowing specific privileges without full root access. Use them to harden scripts and binaries safely.