.\"
.\" $Id: setcap.8,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $
.\"
.TH SETCAP 8 "11 September 2018"
.SH NAME
setcap \- set file capabilities
.SH SYNOPSIS
\fBsetcap\fP [-q] [-n <rootid>] [-v] {\fIcapabilities|-|-r} filename\fP [ ... \fIcapabilitiesN\fP \fIfileN\fP ]
.SH DESCRIPTION
In the absence of the
.B -v
(verify) option
.B setcap
sets the capabilities of each specified
.I filename
to the
.I capabilities
specified.  The optional
.B -n <rootid>
argument can be used to set the file capability for use only in a
namespace with this rootid owner. The
.B -v
option is used to verify that the specified capabilities are currently
associated with the file. If -v and -n are supplied, the
.B -n <rootid>
argument is also verified.
.PP
The
.I capabilities
are specified in the form described in
.IR cap_from_text (3).
.PP
The special capability string,
.BR '-' ,
can be used to indicate that capabilities are read from the standard
input. In such cases, the capability set is terminated with a blank
line.
.PP
The special capability string,
.BR '-r' ,
is used to remove a capability set from a file. Note, setting an empty
capability set is
.B not the same
as removing it. An empty set can be used to guarantee a file is not
executed with privilege inspite of the fact that the prevailing
ambient+inheritable sets would otherwise bestow capabilities on
executed binaries.
.PP
The
.B -q
flag is used to make the program less verbose in its output.
.SH "EXIT CODE"
The
.B setcap
program will exit with a 0 exit code if successful. On failure, the
exit code is 1.
.SH "SEE ALSO"
.BR cap_from_text (3),
.BR cap_set_file (3),
.BR getcap (8)