getcap(1) DG/UX B2 Security R4.12MU02 getcap(1)
NAME
getcap - display capability state
SYNOPSIS
getcap [-alnpqr] [-t l] [-f | -m | -M flagspec | -s flagspec]
[-o objecttype] [object ...]
getcap [-qn] [-t l] [-f | -m | -M flagspec | -s flagspec]
[subject ...]
getcap [-qn] -e [-o p [subject ...]]
where:
flagspec     A list of capability set flags
objecttype   The type of object whose capability state getcap
             displays
object       The object(s) whose capability state getcap displays
subject      The subject(s) (process id) whose capability state
             getcap displays
DESCRIPTION
The getcap command displays capability states of objects or
processes.
Options
-a Display the capability states of files beginning with a "."
when used with the -r option.
-l If target is a symbolic link, operate on the link. The
default behavior is to operate on the object that the link
references.
-n Display information in a format suitable for use by setcap
with the -I option.
-p Display absolute pathnames of file objects.
-q Behave quietly; do not write diagnostic messages. The usage
error message is always written.
-r Recursively descend through directory file objects, displaying
the capability states for each file object.
-e Report only the status of the Set Effective Attribute of the
subject. No capability set information will be displayed.
getcap displays the status of the Set Effective Attribute of
the subject by default even if -e is not specified.
-t l Indicate the type of alias printing desired. -tl causes the
long form of the capability alias name to be displayed. The
default is to display the short form, if one exists.
-f For each capability defined on the system, list the capability
name and the capability sets for which the capability is
enabled where:
b Specifies the bounding capability set.
e Specifies the effective capability set.
i Specifies the inheritable capability set.
p Specifies the permitted capability set.
r Specifies the required capability set.
-m Produce output like that of the -f option but only list those
capabilities which are enabled in at least one set.
-M flagspec
Produce output like that of the -f option but only list those
capabilities that are enabled in at least one of the sets
specified in flagspec. flagspec contains one or more of the
character(s) outlined in the description of the -f option.
Additionally, flagspec can be specified as all, in which case
the behavior will be the same as the -m option.
-s flagspec
For each capability set specified in flagspec, list the
capability set name and the value of that set. flagspec
contains one or more of the character(s) outlined in the
description of the -f option. Additionally, flagspec can be
specified as all, in which case getcap reports on all the
capability sets of the target(s).
-o objecttype
Specify the type of object arguments. If you specify -o
objecttype but omit object, getcap uses the default objects
listed below. The values for objecttype, the objects
associated with them, and the specification format for the
objects are also listed below.
Value  Object          Format             Default
f      file            filename           Working directory (.)
p      process         pid number         The invoking process ID
m      shared memory   shared memory ID   0
s      semaphore       semaphore set ID   0
q      message queue   message queue ID   0
Note that UNIX®-domain sockets are file objects.
If you omit -o objecttype and specify one or more objects, the
default object type is f (file). If you invoke getcap with neither
-o nor object, getcap displays the capability state of the invoking
process.
Capability State Format
By default, getcap displays the capability state of an object in the
following format:
objectname:
capabilitystatealias
There is a separate objectname for each objecttype:
Object type   Format
f             filename
p             pid: pidnumber
capabilitystatealias is the external text representation of the
capability state as defined in the file /etc/tcb/cap/capaliasdefs.
See capaliasdefs(4M) for a complete description of the
capabilitystatealias format.
EXAMPLES
To display the state of the current process (the shell invoking the
getcap command):
% getcap <NL>
(DEFAULT_USER)
SEA = on
ACS = on
%
To display the capability state of /etc/mount:
% getcap /etc/mount <NL>
/etc/mount:
(permitted:( DG_CAP_ADMIN_NET, DG_CAP_MAC_WRITE_VP_TCB_DATA ))
ACS = off
%
Here, SEA refers to the Set Effective Attribute, and ACS refers to
the Allow Child Setcap attribute. For an explanation of the ACS
attribute, see the setcap(1M) man page.
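An added example, not part of the original manual page or of DG/UX: a Python parser for the default output shown above, for offline review of captured getcap listings (for instance, to list which files carry explicit permitted capabilities). It assumes only the shapes visible in the two examples: an optional "objectname:" line, one parenthesised capabilitystatealias line, and "NAME = on|off" attribute lines; the full alias grammar is in capaliasdefs(4M) and is not handled.

```python
import re

# Constructed sample: the two outputs shown in EXAMPLES, concatenated.
SAMPLE = """\
(DEFAULT_USER)
SEA = on
ACS = on
/etc/mount:
(permitted:( DG_CAP_ADMIN_NET, DG_CAP_MAC_WRITE_VP_TCB_DATA ))
ACS = off
"""

ATTR_RE = re.compile(r"^(\w+)\s*=\s*(on|off)$")
# Assumption: explicit sets are written "setname:( CAP, CAP )" on one line,
# as in the /etc/mount example; anything else is kept as a raw alias.
SET_RE = re.compile(r"(\w+):\(\s*([^()]*?)\s*\)")

def parse_getcap(text):
    """Return one record per object found in default-format getcap output."""
    records, cur = [], None

    def start(name):
        nonlocal cur
        cur = {"object": name, "alias": None, "sets": {}, "attrs": {}}
        records.append(cur)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "%":          # skip blanks and shell prompts
            continue
        attr = ATTR_RE.match(line)
        if attr:                             # SEA / ACS style attribute line
            if cur is None:
                start(None)
            cur["attrs"][attr.group(1)] = attr.group(2) == "on"
        elif line.startswith("("):           # capabilitystatealias line
            if cur is None or cur["alias"] is not None:
                start(None)                  # no header: object is None
            cur["alias"] = line
            for name, caps in SET_RE.findall(line):
                cur["sets"][name] = [c.strip() for c in caps.split(",") if c.strip()]
        elif line.endswith(":"):             # "objectname:" header
            start(line[:-1])
    return records

def explicit_grants(records, set_name="permitted"):
    """Map object name -> capabilities listed explicitly in set_name."""
    return {r["object"]: r["sets"][set_name] for r in records if r["sets"].get(set_name)}
```

Records whose alias is a named alias such as (DEFAULT_USER) have an empty "sets" entry; resolving such names requires the definitions in /etc/tcb/cap/capaliasdefs.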
FILES
/etc/tcb/cap/capaliasdefs
DIAGNOSTICS
getcap writes all diagnostic messages to stderr.
The getcap command exits with one of the following values:
0 The capability states associated with all specified targets
were successfully reported.
1 Capability is not supported on this system.
2 getcap could not report a capability state.
3 getcap usage is wrong.
SEE ALSO
setcap(1M), dggetcap(2), dgsetcap(2), dggetrequiredcap(2),
dgsetrequiredcap(2), caplibrary(3), capaliasdefs(4M),
capdefaults(5).
NOTES
By default, getcap reports the capability state of the invoking
process, i.e. the invoking shell. This is accomplished by having
getcap report the capability state of its parent process. However,
if the output of getcap is passed into a pipe, its parent process
will not be the invoking shell. If you use a pipe to redirect the
standard output of the getcap command and you are trying to get the
capability state of the invoking process, you are required to specify
a pid with the -o p option. You can use the $$ environment variable
to specify the current process:
% getcap -op $$ | more
Licensed material--property of copyright holder(s)