.\" originally written by Andrew Main <zefram@dcs.warwick.ac.uk>
.TH GETCAP 8 "2021-08-29"
.SH NAME
getcap \- examine file capabilities
.SH SYNOPSIS
\fBgetcap\fP [\-v] [\-n] [\-r] [\-h] \fIfilename\fP [ ... ]
.SH DESCRIPTION
.B getcap
displays the name and capabilities of each specified file.
.SH OPTIONS
.TP 4
.B \-h
prints quick usage.
.TP 4
.B \-n
prints any non-zero user namespace root user ID value
found to be associated with
a file's capabilities.
.TP 4
.B \-r
enables recursive search.
.TP 4
.B \-v
display all searched entries, even if the have no file-capabilities.
.PP
NOTE: an
.I empty
value of
.B '='
is
.B not
equivalent to an omitted (or removed) capability on a
file. This is most significant with respect to the Ambient capability
vector, since a process with Ambient capabilities will lose them when
executing a file having
.B '='
capabilities, but will retain the Ambient inheritance of privilege
when executing a file with an omitted file capability. This special
.I empty
setting can be used to prevent a binary from executing with
privilege. For some time, the kernel honored this suppression for root
executing the file, but the kernel developers decided after a number
of years that this behavior was unexpected for the superuser and
reverted it just for that user identity. Suppression of root
privilege, for a process tree, is possible, using the
.BR capsh (1)
.B \-\-mode
option.
.TP 4
.IR filename
One file per line.
.SH "REPORTING BUGS"
Please report bugs via:
.TP
https://bugzilla.kernel.org/buglist.cgi?component=libcap&list_id=1090757
.SH "SEE ALSO"
.BR capsh (1),
.BR cap_get_file (3),
.BR cap_to_text (3),
.BR capabilities (7),
.BR user_namespaces (7),
.BR captree (8),
.BR getpcaps (8)
and
.BR setcap (8).