15

When using setcap for a file, is this change permanent or do I have to invoke setcap somewhere at boot time?

setcap cap_sys_nice fooexecutable
Emerson Hsieh
Michael K

2 Answers

21

The setcap on the file stores the capabilities in an extended attribute with a call to setxattr. This extended attribute is stored like other attributes (ownership, rights...) in the filesystem.

Since kernel 2.6.24, the kernel supports associating capability sets with an executable file using setcap(8). The file capability sets are stored in an extended attribute (see setxattr(2)) named security.capability.

So, you don't have to reset your cap on each reboot.

Cédric Julien
  • what about if the file is replaced? – ryanwinchester Oct 02 '17 at 08:57
  • @ryanwinchester if only the content of the file is changed, no problem, but if the file is removed/recreated, the setcap capacity will be removed too. – Cédric Julien Oct 02 '17 at 08:58
  • :( ah, so that's my problem. i have a script that rebuilds a directory and then starts a server listening on port 80. i need to figure out a way to not have to run `setcap` every time – ryanwinchester Oct 02 '17 at 09:06
  • "if only the content of the file is changed, no problem" is not true. Changing the content of a file will cause its capabilities to be removed. See https://unix.stackexchange.com/a/283408/2526 – Richard Fearn Jan 14 '20 at 18:12
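The answer above says the capabilities live in the `security.capability` extended attribute, and the comments show why a rebuild script loses them: the attribute belongs to the inode, so recreating (or, per the kernel's setuid-style rule, rewriting) the file drops it. The following is an added example, not code from the answer or from libcap: it reads and decodes that xattr directly with `os.getxattr` (Linux only), using the `struct vfs_cap_data` layout and the capability numbers from `<linux/capability.h>`, and gives a deploy script a `missing_caps` check to run after the rebuild instead of trusting that an earlier `setcap` survived. The function names and the sample xattr value are mine; the sample is constructed to match what `setcap cap_net_bind_service+ep` writes.

```python
import errno
import os
import struct

# Capability numbers as defined in <linux/capability.h>; list index == cap number.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

XATTR_NAME = "security.capability"
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000   # 20-byte layout: magic, then 2 x (permitted, inheritable)
VFS_CAP_REVISION_3 = 0x03000000   # 24-byte layout: revision 2 plus a rootid (user namespaces)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # "all permitted caps are also effective", i.e. the +e in +ep


def _names(lo, hi):
    """Turn the two 32-bit halves of a capability mask into cap_* names."""
    bits = (hi << 32) | lo
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(64) if (bits >> i) & 1]


def parse_vfs_cap(blob):
    """Decode the raw value of security.capability (struct vfs_cap_data)."""
    if len(blob) < 4:
        raise ValueError("security.capability value is too short")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2:
        size = 20
    elif revision == VFS_CAP_REVISION_3:
        size = 24
    else:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % revision)
    if len(blob) != size:
        raise ValueError("expected %d bytes, got %d" % (size, len(blob)))
    # data[0] holds the low 32 bits of (permitted, inheritable), data[1] the high 32 bits.
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", blob, 4)
    rootid = struct.unpack_from("<I", blob, 20)[0] if size == 24 else 0
    return {
        "version": 2 if size == 20 else 3,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _names(p_lo, p_hi),
        "inheritable": _names(i_lo, i_hi),
        "rootid": rootid,
    }


def file_caps(path):
    """Return the parsed file capabilities, or None when the file carries none.

    Needs Linux (os.getxattr) but no privilege: reading the attribute is allowed
    for anyone who can stat the file; only setting it needs CAP_SETFCAP.
    """
    try:
        blob = os.getxattr(path, XATTR_NAME)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None          # no xattr at all, or filesystem without xattr support
        raise
    return parse_vfs_cap(blob)


def missing_caps(caps, wanted):
    """Names from `wanted` that the file does not carry as permitted+effective (+ep)."""
    if caps is None or not caps["effective"]:
        return sorted(wanted)
    return sorted(set(wanted) - set(caps["permitted"]))


# Constructed sample (not captured from a real system): the 20-byte value that
# `setcap cap_net_bind_service+ep` stores: revision 2 with the effective flag,
# permitted = bit 10 (cap_net_bind_service), inheritable = 0.
SAMPLE_NET_BIND = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                              1 << 10, 0, 0, 0)

if __name__ == "__main__":
    import sys
    # With a path argument, inspect that file; otherwise decode the constructed sample.
    caps = file_caps(sys.argv[1]) if len(sys.argv) > 1 else parse_vfs_cap(SAMPLE_NET_BIND)
    print(caps)
    print("missing:", missing_caps(caps, ["cap_net_bind_service"]))
```

A rebuild script that regenerates the binary can call `missing_caps(file_caps(path), ["cap_net_bind_service"])` right before starting the server and re-run `setcap` only when the list is non-empty, which also surfaces the case from the last comment where the file was merely rewritten in place. Because the check reads the attribute rather than the `getcap` text output, it does not depend on which libcap version is installed.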
0

The changes are permanent but I have experienced issues when used with nodejs.

You can use authbind to provide permission by user

sudo touch /etc/authbind/byport/80
sudo chown user:user /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
pcnate