使い方
setcap {capabilities|-r} filename
-rオプションは、file capability setを削除する。
The special capability string, '-r', is used to remove a capability set from a file. Note, setting an empty capability set is not the same as removing it. An empty set can be used to guarantee a file is not executed with privilege in spite of the fact that the prevailing ambient+inheritable sets would otherwise bestow capabilities on executed binaries.
setcapコマンドでのcapabilitiesの指定方法は、以下の構文に従う。詳しくは、cap_from_text(3)参照。
| name | syntax |
|---|---|
| $action | =+-{p|i|e}...|= |
| $clause | <cap name>[,<cap name>]...[$action]... |
| $caps | $clause[ $clause]... |
例
touch hoge
setcap "cap_kill+p" hoge
setcap "cap_net_raw,cap_kill+i cap_net_raw-i+p" hoge
getcap hoge
# hoge = cap_kill+i cap_net_raw+p
hoge = cap_kill+ip cap_net_raw+pでないことに注意。+-は同一のcapabilities指定内でのみ効力を持つ。