
Linux command

capabilities command


After copying a command, replace the file names, directories, or parameters as needed.

Common examples

View capabilities of an executable

getcap [/path/to/binary]

View capabilities recursively in a directory

getcap -r [/path/to/directory]

Set a capability on an executable

sudo setcap cap_net_bind_service=+ep [/path/to/binary]

Remove all capabilities from an executable

sudo setcap -r [/path/to/binary]

View current process capabilities

grep Cap /proc/self/status

Decode capability hex values

capsh --decode=[hex_value]

Print current shell capabilities

capsh --print

Description

Linux capabilities divide the privileges traditionally held by root into distinct units that can be granted independently to executables. Since kernel 2.2, a program no longer has to run entirely as root: it can be granted only the specific capabilities it needs. For example, a web server that must bind to port 80 can be given cap_net_bind_service alone instead of full root access. This follows the principle of least privilege and limits the damage a vulnerability in that program can do. Each thread carries three capability sets: permitted (the maximum capabilities available to it), effective (the ones currently used for permission checks), and inheritable (those preserved across execve); the bounding set that capsh --drop operates on limits what a thread can ever gain. File capabilities are stored in extended attributes and control which capabilities a binary gains when it is executed. The libcap library provides the user-space tools and APIs for managing capabilities, including getcap, setcap, and capsh.
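
The Cap* lines in /proc/<pid>/status (what `grep Cap /proc/self/status` prints) are 64-bit bitmasks, and capsh --decode is the usual way to read them. The script below is an added example, not part of the original page or of libcap: it implements that decoding in plain sh so the mapping from bit position to capability name is visible. Bit numbers follow the CAP_* values in the kernel's linux/capability.h; the status text it parses is a constructed sample, and the decode_caps and decode_status names are this example's own. The sample also shows the bounding (CapBnd) and ambient (CapAmb) sets that current kernels report alongside the three sets described above.

```shell
#!/bin/sh
# Added example: decode Cap* bitmasks from /proc/<pid>/status into names.
# Bit N corresponds to capability number N in linux/capability.h.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable \
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock \
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace \
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource \
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write \
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf \
cap_checkpoint_restore"

# decode_caps HEX -> comma-separated names of the set bits, or "(none)".
decode_caps() {
  mask=$((0x$1))
  bit=0
  out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
      out="${out:+$out,}$name"
    fi
    bit=$((bit + 1))
  done
  printf '%s\n' "${out:-(none)}"
}

# decode_status: read /proc-style status text on stdin and print one
# "CapXxx names" line per capability set, ignoring all other lines.
decode_status() {
  while IFS= read -r line; do
    case $line in
      Cap*:*)
        key=${line%%:*}
        hex=$(printf '%s' "${line#*:}" | tr -d '[:space:]')
        printf '%s %s\n' "$key" "$(decode_caps "$hex")"
        ;;
    esac
  done
}

# Constructed sample: a process holding only cap_net_bind_service (bit 10,
# 0x400) in its permitted and effective sets, with a full bounding set.
SAMPLE_STATUS='Name:   example-web
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

printf '%s\n' "$SAMPLE_STATUS" | decode_status
# On a live system: grep Cap /proc/self/status | decode_status
```

A process whose CapEff line decodes to a single service capability, as in the sample, is what the least-privilege setup in the description looks like from the inside; a CapEff of 000001ffffffffff would mean the process holds every capability the kernel knows, i.e. it is effectively root.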

Parameters

getcap -r _directory_
Recursively search for files with capabilities.
getcap -v
Verbose output, display all searched files even without capabilities.
setcap _cap=flags_ _file_
Set capabilities (flags: e=effective, p=permitted, i=inheritable). Use = to set exactly the listed flags, + to add flags, - to remove them.
setcap -r _file_
Remove all capabilities from a file.
setcap -q
Quiet mode, suppress warnings.
capsh --print
Print current capabilities and securebits.
capsh --decode=_hex_
Decode a capability bitmask into human-readable names.
capsh --drop=_cap_
Drop a capability from the bounding set.
capsh --caps=_cap-set_
Set the prevailing process capabilities.
capsh --keep=_0|1_
Set the keep-capabilities flag (0=off, 1=on).

FAQ

What is the capabilities command used for?

As described above: Linux capabilities split the privileges traditionally held by root into distinct units that can be granted independently to executables, so a program such as a web server can receive only cap_net_bind_service instead of full root access. Each thread has permitted, effective, and inheritable sets; file capabilities are stored in extended attributes; and the libcap tools getcap, setcap, and capsh are used to inspect and manage them.

How do I run a basic capabilities example?

Run `getcap [/path/to/binary]` in a terminal, then adjust the file names, paths, or flags for your system.

What does getcap -r _directory_ do in capabilities?

Recursively search for files with capabilities.