getcap(1)                DG/UX B2 Security R4.12MU02               getcap(1)


NAME
       getcap - display capability state

SYNOPSIS
       getcap [-alnpqr] [-t l] [-f | -m | -M flagspec | -s flagspec]
              [-o objecttype] [object ...]

       getcap [-qn] [-t l] [-f | -m | -M flagspec | -s flagspec]
              [subject ...]

       getcap [-qn] -e [-o p [subject ...]]

   where:
       flagspec    A list of capability set flags
       objecttype  The type of object whose capability state getcap
                   displays
       object      The object(s) whose capability state getcap displays
       subject     The subject(s) (process id) whose capability state
                   getcap displays

DESCRIPTION
       The getcap command displays capability states of objects or
       processes.

   Options
       -a     Display the capability states of files beginning with a "."
              when used with the -r option.

       -l     If target is a symbolic link, operate on the link.  The
              default behavior is to operate on the object that the link
              references.

       -n     Display information in a format suitable for use by setcap
              with the -I option.

       -p     Display absolute pathnames of file objects.

       -q     Behave quietly; do not write diagnostic messages.  The usage
              error message is always written.

       -r     Recursively descend through directory file objects, displaying
              the capability states for each file object.

       -e     Report only the status of the Set Effective Attribute of the
              subject.  No capability set information will be displayed.
              getcap displays the status of the Set Effective Attribute of
              the subject by default even if -e is not specified.

       -t l   Indicate the type of alias printing desired.  -tl causes the
              long form of the capability alias name to be displayed.  The
              default is to display the short form, if one exists.

       -f     For each capability defined on the system, list the capability
              name and the capability sets for which the capability is
              enabled where:
              b      Specifies the bounding capability set.
              e      Specifies the effective capability set.
              i      Specifies the inheritable capability set.
              p      Specifies the permitted capability set.
              r      Specifies the required capability set.

       -m     Produce output like that of the -f option but only list those
              capabilities which are enabled in at least one set.

       -M flagspec
              Produce output like that of the -f option but only list those
              capabilities that are enabled in at least one of the sets
              specified in flagspec.  flagspec contains one or more of the
              character(s) outlined in the description of the -f option.
              Additionally, flagspec can be specified as all, in which case
              the behavior will be the same as the -m option.

       -s flagspec
              For each capability set specified in flagspec, list the
              capability set name and the value of that set.  flagspec
              contains one or more of the character(s) outlined in the
              description of the -f option.  Additionally, flagspec can be
              specified as all, in which case getcap reports on all the
              capability sets of the target(s).

       -o objecttype
              Specify the type of object arguments.  If you specify -o
              objecttype but omit object, getcap uses the default objects
              listed below.  The values for objecttype, the objects
              associated with them, and the specification format for the
              objects are also listed below.

              Value  Object         Format            Default

              f      file           filename          Working directory (.)
              p      process        pid number        The invoking process ID
              m      shared memory  shared memory ID  0
              s      semaphore      semaphore set ID  0
              q      message queue  message queue ID  0

              Note that UNIX®-domain sockets are file objects.

       If you omit -o objecttype and specify one or more objects, the
       default object type is f (file).  If you invoke getcap with neither
       -o nor object, getcap displays the capability state of the invoking
       process.

   Capability State Format
       By default, getcap displays the capability state of an object in the
       following format:

            objectname:
            capabilitystatealias

       There is a separate objectname for each objecttype:

            Object type  Format

            f            filename
            p            pid: pidnumber

       capabilitystatealias is the external text representation of the
       capability state as defined in the file /etc/tcb/cap/capaliasdefs.
       See capaliasdefs(4M) for a complete description of the
       capabilitystatealias format.

EXAMPLES
       To display the state of the current process (the shell invoking the
       getcap command):

       % getcap <NL>
       (DEFAULT_USER)
       SEA =         on
       ACS =         on
       %

       To display the capability state of /etc/mount:

       % getcap /etc/mount <NL>
       /etc/mount:
       (permitted:( DG_CAP_ADMIN_NET, DG_CAP_MAC_WRITE_VP_TCB_DATA ))
       ACS =         off
       %
       %
       %

       Here, SEA refers to the Set Effective Attribute, and ACS refers to
       the Allow Child Setcap attribute.  For an explanation of the ACS
       attribute, see the setcap(1M) man page.

FILES
       /etc/tcb/cap/capaliasdefs

DIAGNOSTICS
       Getcap writes all diagnostic messages to stderr.

       The getcap command exits with one of the following values:
            0    The capability states associated with all specified targets
                 were successfully reported.
            1    Capability is not supported on this system.
            2    getcap could not report a capability state.
            3    getcap usage is wrong.

SEE ALSO
       setcap(1M), dggetcap(2), dgsetcap(2), dggetrequiredcap(2),
       dgsetrequiredcap(2), caplibrary(3), capaliasdefs(4M),
       capdefaults(5).

NOTES
       By default, getcap reports the capability state of the invoking
       process, i.e. the invoking shell.  This is accomplished by having
       getcap report the capability state of its parent process.  However,
       if the output of getcap is passed into a pipe, its parent process
       will not be the invoking shell.  If you use a pipe to redirect the
       standard output of the getcap command and you are trying to get the
       capability state of the invoking process, you are required to specify
       a pid with the -o p option.  You can use the $$ environment variable
       to specify the current process:

       % getcap -op $$ | more
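
       The following is an added example, not part of the DG/UX manual
       page: a filter that flattens getcap's default output into
       object/field/value rows so privileged files can be listed.  It
       assumes only the layout shown under EXAMPLES; the function names and
       the "(invoking process)" label are hypothetical.

```shell
#!/bin/sh
# Added example, not DG/UX code: flatten getcap's default output into
# object<TAB>field<TAB>value rows for auditing.

# Constructed sample: the two outputs shown under EXAMPLES, concatenated.
sample_output() {
cat <<'EOF'
(DEFAULT_USER)
SEA =         on
ACS =         on
/etc/mount:
(permitted:( DG_CAP_ADMIN_NET, DG_CAP_MAC_WRITE_VP_TCB_DATA ))
ACS =         off
EOF
}

# Assumption: any line ending in ":" is an "objectname:" header. Alias text
# in any shape other than "(set:( CAP, CAP ))" is passed through unexpanded.
getcap_rows() {
    awk '
    BEGIN { OFS = "\t"; obj = "(invoking process)" }   # used until a header is seen
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }         # trim indentation
    $0 == "" { next }
    /:$/ { obj = substr($0, 1, length($0) - 1); next } # object header
    /^[A-Z]+[ \t]*=[ \t]*(on|off)$/ {                  # attribute, e.g. ACS = off
        split($0, kv, /[ \t]*=[ \t]*/)
        print obj, kv[1], kv[2]; next
    }
    /^\([a-z]+:\(.*\)\)$/ {                            # one explicit capability set
        set = $0; sub(/^\(/, "", set); sub(/:.*/, "", set)
        caps = $0
        sub(/^\([a-z]+:\([ \t]*/, "", caps); sub(/[ \t]*\)\)$/, "", caps)
        n = split(caps, c, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) if (c[i] != "") print obj, set, c[i]
        next
    }
    { print obj, "alias", $0 }                         # named alias, kept verbatim
    '
}

# Objects carrying at least one permitted capability, with a count of them.
permitted_summary() {
    getcap_rows | awk -F '\t' '$2 == "permitted" { n[$1]++ }
        END { for (o in n) print o "\t" n[o] }' | sort
}

sample_output | permitted_summary
```

       On a live system the rows would come from a pipeline such as
       getcap -rp /etc | getcap_rows.  Because that is a pipe, name the
       targets explicitly (or use -op $$ for the shell), as described above.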


Licensed material--property of copyright holder(s)
