
setcap(1M)               DG/UX B2 Security R4.12MU02              setcap(1M)


NAME
       setcap - set capability state

SYNOPSIS
       setcap [-alqr] [-d flagspec] [-i state] ... [-I statefile] ...
       [-o objecttype] [target ...]

       setcap [-alqr] [-o objecttype] state [target ...]

       setcap [-q] [-e on | off ] [-c on | off ] [-o p [target ...]]

   where:
       state        A partial or complete capability state.  The format of
                    state is the same whether or not the -i option is
                    specified.

       statefile    A file containing a partial or complete capability
                    state.  See the description of the -i option for the
                    format of the contents of statefile.

       flagspec     A list of capability set flags.

       objecttype  The object type of the specified objects.

       target       The name(s) (object name or pid) of the target whose
                    capability state setcap tries to set.

DESCRIPTION
       The setcap command sets the capability state on an object or a
       process.  If multiple -i, -I and/or -d options are specified, the
       operations will be performed in the order specified.  The invoker
       must have appropriate privilege.

   Options
       -a     Set the capability states of files beginning with a "." when
              used with the -r option.  The "." and ".." directory entries
              are always ignored.

       -q     Do not write diagnostic messages.  The usage error message is
              always written.

       -l     If target is a symbolic link, operate on the link.  The
              default behavior is to operate on the object that the link
              references.

       -r     Recursively descend through directory file objects, setting
              the capability state for each file object.

       -o objecttype
              Specify the type of the object arguments.  If you specify -o
              objecttype but omit object, setcap uses the default objects
              listed below.  The values for objecttype, the objects
              associated with them, and the specification format for the
              objects are also listed below.

              Value  Object         Format            Default

              f      file           filename          Working directory (.)
              p      process        pid number        The invoking process ID
              m      shared memory  shared memory ID  0
              s      semaphore      semaphore set ID  0
              q      message queue  message queue ID  0


              If you omit -o objecttype and specify one or more objects,
              the default object type is f (file).  If you specify neither
              -o nor object, setcap sets the capability state of the
              invoking process.

              Note that UNIX®-domain sockets are file objects.

       -d flagspec
              Remove the capability sets specified in flagspec from the
              specified targets.  flagspec contains one or more of:
              b      Specifies the bounding capability set.
              e      Specifies the effective capability set.
              i      Specifies the inheritable capability set.
              p      Specifies the permitted capability set.
              r      Specifies the required capability set.
              To remove all capability sets, specify all.  The -d option
              is only valid when operating on nonprocess targets.  If a
              target already does not have any of the specified sets, the
              command will continue processing without generating an error.

       -i state
              Set or amend the capability state of target(s) to the partial
              or complete capability state specified by state.  The format
              of state is:

              1)  A combination of valid caplist, capset, and/or capclass
                  aliases or definitions from the alias definition file
                  /etc/tcb/cap/capaliasdefs.  This type of specification
                  will replace the value of any capability set specified in
                  state on the target(s) with the value of that set as
                  specified in state.

              2)  A valid specification as described in 1, above, with a "+"
                  or "-" in front of the capability set qualifier ("bound",
                  "effect", ...).  This type of specification will enable
                  (+) or disable (-) the specified capabilities from the
                  specified sets of the target(s).  Whenever you use "+" or
                  "-" you need to surround the state with parentheses (and
                  quotes if not using -I) and make sure the "+" or "-" is
                  inside these parentheses.

       -I statefile
              Set or amend the capability state of target(s) to the partial
              or complete capability state specified in the file statefile.
              The format of statefile is the format specified in the
              description of the -i option.  Newlines are ignored.

       -e on|off
              Turn the process Set Effective Attribute on or off.  The -e
              option is only valid with targets which are processes.

       -c on|off
              Turn the process or object Allow Child Setcap (ACS) attribute
              on or off.  The ACS is inherited across a call to fork(2), and
              is changed only through a call to exec(2).  When exec(2) is
              applied to an object, the caller's ACS is initialized to the
              value of the object's ACS, or to off if the object has no
              capability state.  A process may alter the capability state of
              another process under one of two conditions:  1) the process
              is a direct child of the target process, and the target has
              its ACS flag on, or 2) the requesting process has appropriate
              privilege.
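
The ACS rules above, modelled in Python as an added example (not DG/UX code and not part of the original manual page). The class and function names are hypothetical, and "appropriate privilege" is reduced to a boolean argument.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(eq=False)
class Executable:
    """A file object; acs is None when the file has no capability state."""
    name: str
    acs: Optional[bool] = None


@dataclass(eq=False)
class Process:
    acs: bool = False
    parent: Optional["Process"] = None

    def fork(self) -> "Process":
        # The ACS attribute is inherited across fork(2).
        return Process(acs=self.acs, parent=self)

    def exec(self, image: Executable) -> "Process":
        # exec(2) resets ACS to the object's value, or to off when the
        # object has no capability state at all.
        self.acs = bool(image.acs)
        return self


def may_setcap(requester: Process, target: Process, privileged: bool = False) -> bool:
    """Return True if requester may alter target's capability state."""
    if privileged:                       # condition 2: appropriate privilege
        return True
    # Condition 1: requester is a *direct* child of target, and it is the
    # target's ACS flag (not the requester's) that must be on.
    return requester.parent is target and target.acs


def scenario() -> dict:
    """Constructed walk-through: a parent with ACS on, its child and grandchild."""
    parent = Process(acs=True)
    child = parent.fork()
    results = {"child->parent": may_setcap(child, parent)}
    child.exec(Executable("tool"))       # no capability state: child's ACS goes off
    grandchild = child.fork()
    results["grandchild->child"] = may_setcap(grandchild, child)
    results["grandchild->parent"] = may_setcap(grandchild, parent)
    return results
```

The grant runs upward: a parent with ACS on lets each direct child change the parent's state, and executing a file with no capability state ends that for the next generation.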

EXAMPLES
       setcap -i "(bound:BOUNDING_ALIAS;effect:EFFECTIVE_ALIAS)" -I \
       capstate foobar

              Replace the bounding capability set of foobar with the
              capability set specified by "BOUNDING_ALIAS," replace the
              effective capability set of foobar with "EFFECTIVE_ALIAS," and
              modify any capability sets of foobar specified in the file
              capstate as appropriate (could be replacements, additions or
              subtractions).

       setcap "(+bound:BOUNDING_ALIAS;-effect:EFFECTIVE_ALIAS;inherit:\
       INHERITABLE_ALIAS)"

              Enable the capabilities specified in "BOUNDING_ALIAS" in the
              bounding capability set of the current process, disable the
              capabilities specified in "EFFECTIVE_ALIAS" in the effective
              capability set of the current process, and replace the
              inheritable capability set of the current process with the
              capability set specified by "INHERITABLE_ALIAS."

       setcap "(+INCREASE_BOUNDING)" foobar

              Assume that in /etc/tcb/cap/capaliasdefs the alias
              INCREASE_BOUNDING is defined as "bound:(CAP1)."  This example
              will enable CAP1 in the bounding capability state of foobar.
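
A Python model of the replace / enable (+) / disable (-) semantics of -i, the -d option, and the in-order processing stated in DESCRIPTION, as an added example (not DG/UX code and not part of the original manual page). It handles only the "qualifier:ALIAS" form used in the first two examples; the alias table is constructed, and treating an absent set as empty for "+" and "-" is an assumption.

```python
import re

# Set qualifiers that appear on this page; the qualifiers for the permitted
# and required sets are not shown there, so they are not modelled.
QUALIFIER = {"bound": "bounding", "effect": "effective", "inherit": "inheritable"}
# -d flagspec letters, as listed under the -d option.
FLAG = {"b": "bounding", "e": "effective", "i": "inheritable",
        "p": "permitted", "r": "required"}
# Constructed alias table standing in for /etc/tcb/cap/capaliasdefs.
ALIASES = {
    "BOUNDING_ALIAS": {"CAP1", "CAP2"},
    "EFFECTIVE_ALIAS": {"CAP2"},
    "INHERITABLE_ALIAS": {"CAP3"},
}


def apply_state(caps, spec, aliases=ALIASES):
    """Apply one state such as "(+bound:A;-effect:B;inherit:C)" to a copy of caps."""
    # Newlines are ignored, as the -I description says of statefile contents.
    m = re.fullmatch(r"\((.*)\)", spec.replace("\n", "").strip())
    if not m:
        raise ValueError("state must be enclosed in parentheses")
    new = {name: set(members) for name, members in caps.items()}
    for term in filter(None, (t.strip() for t in m.group(1).split(";"))):
        sign = term[0] if term[0] in "+-" else ""
        qualifier, _, alias = term[len(sign):].partition(":")
        if qualifier not in QUALIFIER or alias not in aliases:
            raise ValueError(f"unknown qualifier or alias in {term!r}")
        target, members = QUALIFIER[qualifier], aliases[alias]
        if sign == "+":                  # enable the listed capabilities
            new[target] = new.get(target, set()) | members
        elif sign == "-":                # disable the listed capabilities
            new[target] = new.get(target, set()) - members
        else:                            # no sign: replace the whole set
            new[target] = set(members)
    return new


def delete_sets(caps, flagspec):
    """Model -d: drop whole sets; a set that is already absent is not an error."""
    names = FLAG.values() if flagspec == "all" else [FLAG[f] for f in flagspec]
    return {k: set(v) for k, v in caps.items() if k not in names}


def run(caps, operations):
    """Apply ("i", state) and ("d", flagspec) operations in the order given."""
    for kind, arg in operations:
        caps = apply_state(caps, arg) if kind == "i" else delete_sets(caps, arg)
    return caps
```

Because operations run in the order given, -d e followed by -i "(+effect:...)" leaves an effective set behind, while the reverse order leaves none.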

FILES
       /etc/tcb/cap/capaliasdefs
       /etc/tcb/aa/cap/setpermittedcaps

DIAGNOSTICS
       Setcap writes all diagnostic messages to stderr.

       The setcap command exits with one of the following values:

       0      The capability states were successfully set on all specified
              files.

       1      Capability is not supported on this system.

       2      setcap could not set the capability state on at least one of
              the specified targets.

       3      setcap usage is wrong.

SEE ALSO
       getcap(1), secstat(1), dggetcap(2), dgsetcap(2),
       dggetrequiredcap(2), dgsetrequiredcap(2), caplibrary(3),
       capaliasdefs(4M), capdefaults(5).

NOTES
       You must have appropriate privilege to enable some capabilities.
       (See the appropriateprivilege(5) man page for more information.)
       Appropriate privilege is defined as having one or more specific
       capabilities enabled in the effective capability set of the user.
       You do not need any special capabilities to invoke the setcap command
       in general, as the setcap executable will grant you the capabilities
       you need.  However, see the dgsetcap(2) manual page for special
       capabilities that must be enabled in your effective set to augment
       certain capability sets under certain circumstances.  Each user
       (based on AUTHID) is allowed to enable only certain capabilities in
       the permitted set of any nonprocess target, regardless of the
       capabilities enabled in one's effective set.  setcap determines this
       set of capabilities by referencing the set_permitted_caps database,
       /etc/tcb/aa/cap/setpermittedcaps.


Licensed material--property of copyright holder(s)
