Unset `setcap` additional capabilities on executable

Question

An answer to the question "Allowing a regular user to listen to a port below 1024", specified giving an executable additional permissions using setcap such that the program could bind to ports smaller than 1024:

setcap 'cap_net_bind_service=+ep' /path/to/program

What is the correct way to undo these permissions?

score 36 · Accepted Answer · answered Aug 15 '16 at 01:41

36

To remove capabilities from a file use the -r flag

setcap -r /path/to/program

This will result in the program having no capabilities.

answered Aug 15 '16 at 01:41

Stephen Harris

42,369
5
94
123

Well, that was a lot more evident after re-reading that short `man` page >.> – user2943160 Aug 15 '16 at 02:07
1

How can I confirm that the `setcap -r` command worked as intended? – dotnetCarpenter Jan 28 '22 at 13:39
4

@dotnetCarpenter Use `getcap` – Stephen Harris Jan 31 '22 at 18:00

score 22 · Answer 2 · edited May 17 '23 at 11:58

What @stephen-harris posted is right. But it removes all capabilities added to the program in one shot. To remove a specific capability, this should work (following the example in the question):

setcap 'cap_net_bind_service=-ep' /path/to/program

Notice the '-' sign. You can verify the capabilities of an executable as follows:

getcap /path/to/program

In case of setcap -r, all capabilities will be gone and the result of getcap will be empty where as the '-ep' just removes what you added with '+ep'.

This comes in handy when you gave multiple capabilities and want to selectively remove them.

Unset `setcap` additional capabilities on executable

2 Answers2