setcap(1M) DG/UX B2 Security R4.12MU02 setcap(1M)
NAME
setcap - set capability state
SYNOPSIS
setcap [-alqr] [-d flagspec] [-i state] ... [-I statefile] ...
[-o objecttype] [target ...]
setcap [-alqr] [-o objecttype] state [target ...]
setcap [-q] [-e on | off ] [-c on | off ] [-o p [target ...]]
where:
state A partial or complete capability state. The format of
state is the same whether or not the -i option is
specified.
statefile is a file containing a partial or complete capability
state. See the description of the -i option for the
format of the contents of statefile. flagspec a list
of capability set flags.
objecttype The object type of the specified objects.
target The name(s) (object name or pid) of the target whose
capability state setcap tries to set.
DESCRIPTION
The setcap command sets the capability state on an object or a
process. If multiple -i, -I and/or -d options are specified, the
operations will be performed in the order specified. The invoker
must have appropriate privilege.
Options
-a Set the capability states of files beginning with a "." when
used with the -r option. The "." and ".." directory entries
are always ignored.
-q Do not write diagnostic messages. The usage error message is
always written.
-l If target is a symbolic link, operate on the link. The
default behavior is to operate on the object that the link
references.
-r Recursively descend through directory file objects, setting
the capability state for each file object.
-o objecttype
Specify the type of the object arguments. If you specify -o
objecttype but omit object, setcap uses the default objects
listed below. The values for objecttype, the objects
associated with them, and the specification format for the
objects are also listed below.
Value Object Format Default
f file filename Working directory (.)
p process pid number The invoking process ID
m shared memory shared memory ID 0
s semaphore semaphore set ID 0
q message queue message queue ID 0
If you omit -o objecttype and specify one or more objects,
the default object type is f (file). If you specify neither
-o nor object, setcap sets the capability state of the
invoking process.
Note that UNIX®-domain sockets are file objects.
-d flagspec
Remove the capability sets specified in flagspec from the
specified targets. flagspec contains one or more of:
b Specifies the bounding capability set.
e Specifies the effective capability set.
i Specifies the inheritable capability set.
p Specifies the permitted capability set.
r Specifies the required capability set.
To remove all capability sets, specify all. The -d option is only
valid when operating on nonprocess targets. If a target already does
not have any of the specified sets, the command will continue
processing without generating an error.
-i state
Set or amend the capability state of target(s) to the partial
or complete capability state specified by state. The format
of state is:
1) A combination of valid caplist, capset, and/or capclass
aliases or definitions from the alias definition file
/etc/tcb/cap/capaliasdefs. This type of specification
will replace the value of any capability set specified in
state on the target(s) with the value of that set as
specified in state.
2) A valid specification as described in 1, above, with a "+"
or "-" in front of the capability set qualifier ("bound",
"effect", ...). This type of specification will enable
(+) or disable (-) the specified capabilities from the
specified sets of the target(s). Whenever you use "+" or
"-" you need to surround the state with parenthesis (and
quotes if not using -I) and make sure the "+" or "-" is
inside these parenthesis.
-I statefile
Set or amend the capability state of target(s) to the partial
or complete capability state specified in the file statefile.
The format of statefile is the format specified in the
description of the -i option. Newlines are ignored.
-e on|off
Turn the process Set Effective Attribute on or off. The -e
option is only valid with targets which are processes.
-c on|off
Turn the process or object Allow Child Setcap (ACS) attribute
on or off. The ACS is inherited across a call to fork(2), and
is changed only through a call to exec(2). When exec(2) is
applied to an object, the caller's ACS is initialized to the
value of the object's ACS, or to off if the object has no
capability state. A process may alter the capability state of
another process under one of two conditions: 1) the process
is a direct child of the target process, and the target has
its ACS flag on, or 2) the requesting process has appropriate
privilege.
EXAMPLES
setcap -i "(bound:BOUNDINGALIAS;effect:EFFECTIVEALIAS)" -I \
capstate foobar
Replace the bounding capability set of foobar with the
capability set specified by "BOUNDING_ALIAS," replace the
effective capability set of foobar with "EFFECTIVE_ALIAS," and
modify any capability sets of foobar specified in the file
capstate as appropriate (could be replacements, additions or
subtractions).
setcap "(+bound:BOUNDINGALIAS;-effect:EFFECTIVEALIAS;inherit:\
INHERITALIAS)"
Enable the capabilities specified in "BOUNDING_ALIAS" in the
bounding capability set of the current process, disable the
capabilities specified in "EFFECTIVE_ALIAS" in the effective
capability set of the current process, and replace the
inheritable capability set of the current process with the
capability set specified by "INHERITABLE_ALIAS."
setcap "(+INCREASEBOUNDING)" foobar
Assume that in /etc/tcb/cap/capaliasdefs the alias
INCREASE_BOUNDING is defined as "bound:(CAP1)." This example
will enable CAP1 in the bounding capability state of foobar.
FILES
/etc/tcb/cap/capaliasdefs
/etc/tcb/aa/cap/setpermittedcaps
DIAGNOSTICS
Setcap writes all diagnostic messages to stderr.
The setcap command exits with one of the following values:
0 The capability states were successfully set on all specified
files.
1 Capability is not supported on this system.
2 setcap could not set the capability state on at least one of
the specified targets.
3 setcap usage is wrong.
SEE ALSO
getcap(1), secstat(1), dggetcap(2), dgsetcap(2),
dggetrequiredcap(2), dgsetrequiredcap(2), caplibrary(3),
capaliasdefs(4M), capdefaults(5).
NOTES
You must have appropriate privilege to enable some capabilities.
(See the appropriateprivilege(5) man page for more information.)
Appropriate privilege is defined as having one or more specific
capabilities enabled in the effective capability set of the user.
You do not need any special capabilities to invoke the setcap command
in general, as the setcap executable will grant you the capabilities
you need. However, see the dgsetcap(2) manual page for special
capabilities that must be enabled in your effective set to augment
certain capability sets under certain circumstances. Each user
(based on AUTHID) is allowed to enable only certain capabilities in
the permitted set of any nonprocess target, regardless of the
capabilities enabled in one's effective set. setcap determines this
set of capabilities by referencing the set_permitted_caps database,
/etc/tcb/aa/cap/setpermittedcaps.
Licensed material--property of copyright holder(s)