2 .\" $Id: capget.2,v 1.4 1999/09/09 16:43:26 morgan Exp $
3 .\" written by Andrew Morgan <morgan@linux.kernel.org>
4 .\" may be distributed as per GPL
5 .\" Modified by David A. Wheeler <dwheeler@ida.org>
6 .\" Modified 2004-05-27, mtk
7 .\" Modified 2004-06-21, aeb
9 .TH CAPGET 2 2004-06-21 "Linux" "Linux Programmer's Manual"
11 capget, capset \- set/get capabilities
13 .B #undef _POSIX_SOURCE
15 .B #include <sys/capability.h>
17 .BI "int capget(cap_user_header_t " hdrp ", cap_user_data_t " datap );
19 .BI "int capset(cap_user_header_t " hdrp ", const cap_user_data_t " datap );
21 As of Linux 2.2, the power of the superuser (root) has been partitioned into
22 a set of discrete capabilities.
23 Every thread has a set of effective capabilities identifying
24 which capabilities (if any) it may currently exercise.
25 Every thread also has a set of inheritable capabilities that may be
28 call, and a set of permitted capabilities
29 that it can make effective or inheritable.
31 These two functions are the raw kernel interface for getting and
33 Not only are these system calls specific to Linux,
34 but the kernel API is likely to change and use of
35 these functions (in particular the format of the
37 types) is subject to change with each kernel revision.
39 The portable interfaces are
43 if possible you should use those interfaces in applications.
44 If you wish to use the Linux extensions in applications, you should
45 use the easier-to-use interfaces
50 Now that you have been warned, some current kernel details.
51 The structs are defined as follows.
55 #define _LINUX_CAPABILITY_VERSION 0x19980330
57 typedef struct __user_cap_header_struct {
62 typedef struct __user_cap_data_struct {
77 .B _LINUX_CAPABILITY_VERSION
78 when another version was specified.
80 The calls operate on the capabilities of the thread specified by the
84 when that is non-zero, or on the capabilities of the calling thread if
89 refers to a single-threaded process, then
91 can be specified as a traditional process ID;
92 operating on a thread of a multithreaded process requires a thread ID
93 of the type returned by
98 can also be: \-1, meaning perform the change on all threads except the
101 or a value less than \-1, in which case the change is applied
102 to all members of the process group whose ID is \-\fIpid\fP.
104 For details on the data, see
105 .BR capabilities (7).
107 On success, zero is returned.
108 On error, \-1 is returned, and
110 is set appropriately.
122 One of the arguments was invalid.
125 An attempt was made to add a capability to the Permitted set, or to set
126 a capability in the Effective or Inheritable sets that is not in the
130 The caller attempted to use
132 to modify the capabilities of a thread other than itself,
133 but lacked sufficient privilege; the
135 capability is required.
136 (A bug in kernels before 2.6.11 meant that this error could also
137 occur if a thread without this capability tried to change its
138 own capabilities by specifying the
140 field as a non-zero value (i.e., the value returned by
147 These system calls are Linux specific.
149 The portable interface to the capability querying and setting
150 functions is provided by the
152 library and is available from here:
154 .I ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs