filecap - Linux


Overview

filecap is a command-line utility used to set or display capabilities for a specific file or directory. Capabilities are a Linux kernel mechanism that splits the privileges traditionally held by root into distinct units, so a process can be granted only the specific privileges it needs.

Syntax

filecap [-v] [-V] [-?] [-h] [-L] [-l] [-i] [-r] [-R] [-+p] [-=p] FILE...

Options/Flags

  • -v, --verbose: Display verbose output including granted capabilities, effective capabilities, and permission bits.
  • -V, --version: Display version information.
  • -?, --help: Display help information.
  • -h, --human-readable: Display capabilities in human-readable format.
  • -L, --list-available: List available capabilities.
  • -l, --list: List the capabilities for the given files.
  • -i, --inode: Display the inode number of the file.
  • -r, --recursive: Recursively apply the operation to all files and directories in the given directories.
  • -R, --remove-recursive: Recursively remove the specified capability from all files and directories in the given directories.
  • -+p, --set-effective-plus-p: Add the specified capability to the effective capabilities.
  • -=p, --set-effective-minus-p: Remove the specified capability from the effective capabilities.

Examples

Display file capabilities:

$ filecap -l /bin/bash
/bin/bash = cap_ipc_lock,cap_ipc_owner,cap_sys_resource,cap_net_bind_service,cap_setgid,cap_setuid

Set a capability:

$ sudo filecap -+cap_net_admin /tmp/myfile.txt

Recursively set a capability for all files in a directory:

$ sudo filecap -r -+cap_chown /dir/to/recurse

Remove a capability:

$ sudo filecap -=cap_setgid /tmp/myfile.txt

Common Issues

Permission denied: Ensure that you have sufficient permissions to modify file capabilities. Typically, this requires root privileges.

Integration

filecap can be integrated with other Linux commands to perform advanced tasks. For example, you can create scripts to automatically set capabilities for files created by a specific user or group.
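As an added example (not part of the filecap documentation), the following Python script audits a listing in the `path = cap1,cap2,...` form shown under Examples and reports any capability a file carries that its allowlist entry does not permit. The sample listing, the allowlist, and the choice of high-risk capabilities are constructed assumptions.

```python
"""Audit a file-capability listing of the form `path = cap1,cap2,...`."""

# Capabilities treated as high risk on a general-purpose binary.
# Assumption: this selection is illustrative; tune it for your environment.
HIGH_RISK = frozenset({
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_dac_override", "cap_dac_read_search",
})

# Constructed sample listing (not captured from a real system).
SAMPLE = """\
/bin/bash = cap_ipc_lock,cap_ipc_owner,cap_sys_resource,cap_net_bind_service,cap_setgid,cap_setuid,cap_setuid
/usr/bin/ping = cap_net_raw
/opt/app/server = cap_net_bind_service
"""

# Hypothetical allowlist: the capabilities each path is expected to carry.
ALLOWLIST = {
    "/usr/bin/ping": {"cap_net_raw"},
    "/opt/app/server": {"cap_net_bind_service"},
}

def parse_listing(text):
    """Return {path: set of capability names}; repeated names collapse."""
    listing = {}
    for raw in text.splitlines():
        # Split on the last " = " so paths containing "=" still parse.
        path, sep, caps = raw.strip().rpartition(" = ")
        if not sep or not path:
            continue  # blank line or a line that is not a listing entry
        names = {c.strip().lower() for c in caps.split(",") if c.strip()}
        listing.setdefault(path, set()).update(names)
    return listing

def audit(listing, allowlist):
    """Report every path carrying capabilities outside its allowlist entry."""
    findings = []
    for path in sorted(listing):
        unexpected = sorted(listing[path] - allowlist.get(path, set()))
        if unexpected:
            findings.append({
                "path": path,
                "unexpected": unexpected,
                "high_risk": [c for c in unexpected if c in HIGH_RISK],
            })
    return findings

if __name__ == "__main__":
    for f in audit(parse_listing(SAMPLE), ALLOWLIST):
        level = "HIGH" if f["high_risk"] else "review"
        print(f'{level}: {f["path"]} -> {", ".join(f["unexpected"])}')
```

Run it on a schedule against a fresh listing and alert on any finding, since a file that gains a capability outside its allowlist entry is a change worth investigating.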

Related Commands

  • getcap: Display capabilities for a file or process.
  • setcap: Set capabilities for a file or process.
  • capabilities: Show the capabilities available on the system.