CHCAP(1)                                                              CHCAP(1)

NAME
     chcap - change file capability sets

SYNOPSIS
     chcap [ capsets | -r ] pathname ...

DESCRIPTION
     chcap changes the effective, permitted, and inheritable capability sets
     of the specified file(s) or removes them. A file's capability sets
     affect the capabilities that are assigned to a process upon execution of
     the file. For a more complete description of the capability mechanism,
     see capabilities(4).

     capsets is a string that describes the changes to the file capability
     sets. It is comprised of one or more capability lists. Each capability
     list has the form:

          capname[,capname...]OF

     where capname is a capability name (e.g., CAP_DAC_READ, CAP_DAC_WRITE,
     CAP_CHOWN, etc.). The capability name ALL indicates all capabilities.
     Capability names may be expressed in either upper or lower case. For a
     complete description of available capability names, see capabilities(4).

     F is a sequence of one or more flags chosen from "e", "i", "p"
     indicating which file capability sets are to be affected. "e" indicates
     the effective capability set, "p" the permitted capability set, and "i"
     the inherited capability set.

     O is the operation chosen from "=", "+", "-", indicating to initialize,
     add, or delete the specified capabilities in the affected capability
     sets.

     If multiple capability lists are specified in capsets, each capability
     list must be separated by white space, and the entire capsets string
     must be escaped from shell interpretation (i.e. enclosed in quotes).

     Specifying all= as a prefix within the capsets string clears all current
     capability sets prior to processing the remainder of the string.

     The capability sets of a file can be displayed using the ls(1) -P
     option.

     The -r option is used to entirely remove all capability sets on the
     specified files.

EXAMPLES
     chcap CAP_DAC_WRITE-p file
          Removes CAP_DAC_WRITE from the file's permitted capability set.

     chcap CAP_DAC_WRITE=p file
          Initializes the file's permitted capability set to contain only
          CAP_DAC_WRITE.

     chcap "all= CAP_DAC_WRITE=p" file
          Clears all of the file's capability sets, and initializes the
          file's permitted capability set to contain only CAP_DAC_WRITE.

     chcap CAP_CHOWN+p file
          Adds CAP_CHOWN to the file's permitted capability set.

     chcap "CAP_DAC_READ+pi CAP_DAC_WRITE+p" file
          Adds CAP_DAC_READ and CAP_DAC_WRITE to the file's permitted
          capability set, and adds CAP_DAC_READ to the file's inherited
          capability set.

     chcap -r file
          Removes the capability sets on the file.

SEE ALSO
     capabilities(4), capability(4), ls(1).
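
The capsets grammar from DESCRIPTION, modelled in Python as an added example (not chcap's own code): it applies a capsets string to a file's three sets so the result of a change can be reviewed before it is made. KNOWN_CAPS holds only the three names this page mentions, and accepting all= only as the first item is an assumption of the model.

```python
import re

# Assumption: just the names this page mentions; the full list is in capabilities(4).
KNOWN_CAPS = frozenset({"CAP_DAC_READ", "CAP_DAC_WRITE", "CAP_CHOWN"})
FLAG_TO_SET = {"e": "effective", "i": "inheritable", "p": "permitted"}
# capname[,capname...]OF  with O in = + -  and F drawn from e, i, p
CAPLIST_RE = re.compile(r"^([A-Za-z0-9_]+(?:,[A-Za-z0-9_]+)*)([=+-])([eip]+)$")


def empty_sets():
    return {name: set() for name in FLAG_TO_SET.values()}


def apply_capsets(capsets, current=None):
    """Return the capability sets that result from applying a capsets string."""
    sets = empty_sets()
    for key, caps in (current or {}).items():
        sets[key] = set(caps)  # work on a copy of the caller's sets
    for index, item in enumerate(capsets.split()):
        if item.lower() == "all=":
            if index != 0:  # model assumption: all= is a prefix only
                raise ValueError("all= must be the first item")
            sets = empty_sets()
            continue
        match = CAPLIST_RE.match(item)
        if not match:
            raise ValueError(f"malformed capability list: {item!r}")
        names, op, flags = match.groups()
        caps = set()
        for name in names.upper().split(","):  # names are case-insensitive
            if name == "ALL":
                caps |= KNOWN_CAPS
            elif name in KNOWN_CAPS:
                caps.add(name)
            else:
                raise ValueError(f"unknown capability: {name}")
        for flag in set(flags):
            target = sets[FLAG_TO_SET[flag]]
            if op == "=":  # initialize: drop what was there first
                target.clear()
            if op == "-":
                target -= caps
            else:
                target |= caps
    return sets
```
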