.TH SETCAP 8 "2020-08-29" .SH NAME setcap \- set file capabilities .SH SYNOPSIS \fBsetcap\fP [\-q] [\-n ] [\-v] {\fIcapabilities|\-|\-r} filename\fP [ ... \fIcapabilitiesN\fP \fIfileN\fP ] .SH DESCRIPTION In the absence of the .B \-v (verify) option .B setcap sets the capabilities of each specified .I filename to the .I capabilities specified. The optional .B \-n argument can be used to set the file capability for use only in a user namespace with this root user ID owner. The .B \-v option is used to verify that the specified capabilities are currently associated with the file. If \-v and \-n are supplied, the .B \-n argument is also verified. .PP The .I capabilities are specified in the form described in .BR cap_from_text (3). .PP The special capability string, .BR '\-' , can be used to indicate that capabilities are read from the standard input. In such cases, the capability set is terminated with a blank line. .PP The special capability string, .BR '\-r' , is used to remove a capability set from a file. Note, setting an empty capability set is .B not the same as removing it. An empty set can be used to guarantee a file is not executed with privilege in spite of the fact that the prevailing ambient+inheritable sets would otherwise bestow capabilities on executed binaries. .PP The .BR '\-f' , is used to force completion even when it is in some way considered an invalid operation. This can affect .B '\-r' and setting file capabilities the kernel will not be able to make sense of. .PP The .B \-q flag is used to make the program less verbose in its output. .SH "EXIT CODE" The .B setcap program will exit with a 0 exit code if successful. On failure, the exit code is 1. .SH "REPORTING BUGS" Please report bugs via: .TP https://bugzilla.kernel.org/buglist.cgi?component=libcap&list_id=1090757 .SH "SEE ALSO" .BR capsh (1), .BR cap_from_text (3), .BR cap_get_file (3), .BR capabilities (7), .BR user_namespaces (7), .BR captree (8), .BR getcap (8) and .BR getpcaps (8).