Quickly discover which POSIX capabilities a binary carries and why that matters for system security.

16.11.2025

Capabilities let a program keep some root powers without running as root. getcap shows those powers at the filesystem level, so you can audit binaries quickly.

A hands-on example

Try this on a typical system to see capabilities in action.

```bash
$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep
```

To scan a whole tree, use recursion. Here is a short sample of results.

```bash
$ getcap -r /usr/bin | head -n 5
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/lib/firefox/firefox = cap_ipc_lock+ep
```

What the output means

The token after the equals sign lists capability names and flags: "e" is the effective set, "p" is permitted. Seeing "cap_net_raw+ep" tells you the binary can open raw sockets without full root, which shapes threat models and packaging decisions.

Practical tips and caveats

Capabilities are stored as the "security.capability" extended attribute on supported filesystems, and copying files can drop them unless you preserve xattrs. Some distributions also wrap privileged actions with setuid instead of capabilities, so getcap may report nothing while the binary still runs as root.

When to use getcap

Use getcap during audits, packaging, or troubleshooting of network utilities and custom daemons: list a single file to inspect it, scan directories to build an inventory, and verify expected capabilities after installing or updating software.

Quick verification workflow

If a service fails, check the binary with getcap, inspect running processes with getpcaps, and then adjust with setcap if needed. Always test changes in a safe environment before deploying to production.
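
The inventory-and-verify use described under "When to use getcap" can be scripted. The following is an added example, not part of the original article: it compares getcap output against an expected baseline and reports drift. The function name `audit_caps`, the baseline file format and the file name `baseline.tsv` are assumptions of this example, and all sample data is constructed.

```bash
#!/bin/sh
# Added example: compare `getcap -r` output with an expected-capability baseline.
# Assumed baseline format: "path<TAB>caps" per line, caps in the "+flags" style.
# Assumes one capability clause per file, as in the page's sample output.
#
# Usage: getcap -r /usr/bin 2>/dev/null | audit_caps baseline.tsv
# Findings (sorted, one per line):
#   CHANGED    path expected -> actual
#   MISSING    path expected   (no longer reported, e.g. xattr lost on copy)
#   UNEXPECTED path actual     (not listed in the baseline)
audit_caps() {
  awk -v base="$1" '
    BEGIN {
      # Load the baseline up front so an empty file cannot confuse the scan.
      while ((getline row < base) > 0) {
        t = index(row, "\t")
        if (t > 0) want[substr(row, 1, t - 1)] = substr(row, t + 1)
      }
    }
    $0 != "" {
      i = index($0, " = ")
      if (i > 0) {                        # "path = caps" (layout on this page)
        path = substr($0, 1, i - 1); caps = substr($0, i + 3)
      } else if (match($0, / [^ ]+$/)) {  # "path caps" (newer libcap layout)
        path = substr($0, 1, RSTART - 1); caps = substr($0, RSTART + 1)
      } else next
      sub(/[=]/, "+", caps)               # compare "cap_x=ep" and "cap_x+ep" alike
      seen[path] = 1
      if (!(path in want))         print "UNEXPECTED " path " " caps
      else if (want[path] != caps) print "CHANGED " path " " want[path] " -> " caps
    }
    END {
      for (p in want) if (!(p in seen)) print "MISSING " p " " want[p]
    }
  ' | sort
}

# Demo with constructed data (not real scan results).
demo() {
  demo_base=$(mktemp)
  printf '/usr/bin/ping\tcap_net_raw+ep\n/usr/bin/traceroute6.iputils\tcap_net_raw+ep\n' > "$demo_base"
  printf '%s\n' '/usr/bin/ping = cap_net_raw+ep' '/opt/demo/agent cap_net_admin=ep' |
    audit_caps "$demo_base"
  rm -f "$demo_base"
}
demo
```

An empty result means the scan matches the baseline. Because setuid binaries carry no capability attribute, they never appear in this report and need a separate check.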