When using setcap, where is the permission stored?

Using setcap to give additional permissions to a binary should write the new permission somewhere, on storage or in memory. Where is it stored?

Using lsof as is doesn’t work because the process disappears too quickly.

Asked By: Zulgrib


setcap sets file capabilities, which are stored in a filesystem extended attribute. These are explained in man 7 capabilities:

The file capability sets are stored in an extended attribute (see setxattr(2)) named security.capability.

You can inspect the capabilities of a running process by examining the CapInh/CapPrm/CapEff fields in /proc/PID/status. See my answer to “How to set capabilities with setcap command?” for an explanation of how the capabilities are applied to a process at exec.

Answered By: sebasth

Extended permissions such as access control lists set by setfacl and capability flags set by setcap are stored in the same place as traditional permissions and set[ug]id flags set by chmod: in the file’s inode.

(They may actually be stored in a separate block on the disk, because an inode has a fixed size which has room for the traditional permission bits but not for the potentially unbounded extended permissions. But that only matters in rare cases, such as having to care that setcap could run out of disk space. But even chmod could run out of disk space on a system that uses deduplication!)

GNU ls doesn’t display a file’s setcap attributes. You can display them with getcap. You can list all the extended attributes with getfattr -d -m -; the setcap attribute is called security.capability and it is encoded in a binary format which getcap decodes for you.
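As an added example (not code from either answer), here is a Python decoder for the raw security.capability value that both answers point at (the struct vfs_cap_data layout from linux/capability.h), plus a parser for the CapInh/CapPrm/CapEff lines in /proc/PID/status mentioned in the first answer. The CAP_NAMES table is a deliberately partial subset, and the sample value in the main block is constructed for the example.

```python
import base64
import os
import struct
# Subset of capability numbers from <linux/capability.h>: bit N of a set means capability N.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 5: "cap_kill", 6: "cap_setgid",
             7: "cap_setuid", 10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin"}
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001  # low bit of magic_etc: the 'e' (effective) flag

def decode_security_capability(raw: bytes) -> dict:
    """Decode the binary security.capability value (struct vfs_cap_data, little-endian)."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc >> 24            # VFS_CAP_REVISION_1 / 2 / 3
    words = {1: 1, 2: 2, 3: 2}.get(revision)
    if words is None:
        raise ValueError(f"unknown security.capability revision {revision}")
    permitted = inheritable = 0
    for i in range(words):                # each word: {__le32 permitted; __le32 inheritable}
        p, h = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= h << (32 * i)
    # revision 3 appends the root uid of the user namespace the capabilities are valid in
    rootid = struct.unpack_from("<I", raw, 4 + 8 * words)[0] if revision == 3 else 0
    return {"revision": revision, "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid}

def cap_bits_to_names(mask: int) -> list:
    return [CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1]

def decode_getfattr_value(value: str) -> dict:
    """Accept the value as getfattr prints it: 0s<base64> for binary data, 0x<hex> with -e hex."""
    if value.startswith("0s"):
        return decode_security_capability(base64.b64decode(value[2:]))
    if value.startswith("0x"):
        return decode_security_capability(bytes.fromhex(value[2:]))
    raise ValueError("expected a 0s... or 0x... encoded value")

def file_caps(path: str) -> dict:  # read the xattr from the file itself, as getcap does (Linux only)
    return decode_security_capability(os.getxattr(path, "security.capability"))

def parse_proc_status_caps(status_text: str) -> dict:
    """Hex capability masks (CapInh/CapPrm/CapEff/...) from /proc/PID/status text."""
    fields = (line.partition(":") for line in status_text.splitlines())
    return {key: int(value.strip(), 16) for key, _, value in fields if key.startswith("Cap")}

if __name__ == "__main__":
    # Constructed sample: revision-2 value with cap_net_raw permitted and effective (cap_net_raw+ep)
    caps = decode_getfattr_value("0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=")
    print(caps, cap_bits_to_names(caps["permitted"]))  # -> [...] ['cap_net_raw']
```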
