The way capabilities work in Linux is documented in man 7 capabilities.

Permission checks are done against the capabilities in a process's effective set. File capabilities are used during an execv call (which happens when you want to run another program [1]) to calculate the new capability sets for the process.

Files have two capability sets, permitted and inheritable, and an effective bit.

Processes have three capability sets: effective, permitted and inheritable. There is also a bounding set, which limits which capabilities may be added later to a process' inherited set and affects how capabilities are calculated during a call to execv. Capabilities can only be dropped from the bounding set, not added.

Permission checks for a process are made against the process's effective set. A process can raise its capabilities from the permitted to the effective set (using the capget and capset syscalls; the recommended APIs are cap_get_proc and cap_set_proc respectively).

Inheritable and bounding sets and file capabilities come into play during an execv syscall. During execv, new effective and permitted sets are calculated and the inherited and bounding sets stay unchanged. The algorithm is described in the capabilities man page:

P'(permitted) = (P(inheritable) & F(inheritable)) |
                (F(permitted) & cap_bset)

P'(effective) = F(effective) ? P'(permitted) : 0

P'(inheritable) = P(inheritable)    [i.e., unchanged]

Where P is the old capability set, P' is the capability set after execv and F is the file capability set.

If a capability is in both the process's inheritable set and the file's inheritable set (intersection/logical AND), it is added to the permitted set. The file's permitted set is added (union/logical OR) to it (if it is within the bounding set).

If the effective bit in file capabilities is set, all permitted capabilities are raised to effective after execv.

Capabilities in the kernel are actually set per thread, but regarding file capabilities this distinction is usually relevant only if the process alters its own capabilities.

In your example, the capabilities cap_net_raw, cap_net_admin and cap_dac_override are added to the inherited and permitted sets, and the effective bit is set. When your binary is executed, the process will have those capabilities in the effective and permitted sets if they are not limited by a bounding set.

[1] For the fork syscall, all the capabilities and the bounding set are copied from the parent process. Changes in uid also have their own semantics for how capabilities are set in the effective and permitted sets.

Answer from sebasth on Stack Exchange
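As an added illustration (not part of sebasth's answer), the execv formula above applied to the question's example in Python: the file capabilities are written in setcap's name=flags syntax, the capability bit numbers are the real ones from linux/capability.h, and the function names parse_file_caps, execve_caps and cap_names are chosen here for the demo.

```python
# Bit numbers from <linux/capability.h> (a subset is enough for the examples).
CAP_BITS = {
    "cap_dac_override": 1,
    "cap_net_bind_service": 10,
    "cap_net_admin": 12,
    "cap_net_raw": 13,
    "cap_sys_admin": 21,
}
ALL_CAPS = sum(1 << bit for bit in CAP_BITS.values())  # unrestricted bounding set for the demo


def parse_file_caps(spec: str) -> tuple[int, int, bool]:
    """Turn a setcap(8)-style string such as 'cap_net_raw,cap_net_admin=eip' into
    (F(permitted), F(inheritable), F(effective)).  Only the '=' operator is
    modelled: the result is the file's entire capability set, which matches the
    fact that setcap writes the whole set on every run."""
    permitted = inheritable = 0
    effective = False
    for clause in spec.split():
        names, _, flags = clause.partition("=")
        mask = 0
        for name in names.split(","):
            mask |= 1 << CAP_BITS[name.strip().lower()]
        if "p" in flags:
            permitted |= mask
        if "i" in flags:
            inheritable |= mask
        if "e" in flags:
            effective = True  # a single bit in file caps, not a per-capability set
    return permitted, inheritable, effective


def execve_caps(p_inheritable: int, cap_bset: int, file_spec: str) -> dict:
    """Apply the man-page formula: P' from P (the caller's sets) and F (the file's).
    P(permitted) does not appear in the formula, so only P(inheritable) is taken.
    Ambient capabilities are not part of the formula quoted above and are left out."""
    f_permitted, f_inheritable, f_effective = parse_file_caps(file_spec)
    new_permitted = (p_inheritable & f_inheritable) | (f_permitted & cap_bset)
    new_effective = new_permitted if f_effective else 0
    return {"permitted": new_permitted, "effective": new_effective,
            "inheritable": p_inheritable}  # inheritable is unchanged by execve


def cap_names(mask: int) -> list[str]:
    """Sorted capability names present in a bitmask, for readable output."""
    return sorted(name for name, bit in CAP_BITS.items() if mask & (1 << bit))


if __name__ == "__main__":
    # The question's file (=eip on three caps) run by an unprivileged process
    # with empty P sets and an unrestricted bounding set: all three become effective.
    spec = "cap_net_raw,cap_net_admin,cap_dac_override=eip"
    print(cap_names(execve_caps(0, ALL_CAPS, spec)["effective"]))
    # Same file, but the bounding set lacks cap_net_admin: it is silently dropped.
    print(cap_names(execve_caps(0, ALL_CAPS & ~(1 << 12), spec)["permitted"]))
```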

2 of 2
19

Setting a capability on a file

sudo setcap 'cap_net_bind_service=ep' file_name

Setting multiple capabilities on a file

sudo setcap 'cap_net_bind_service=ep cap_sys_admin=ep' file_name

Removing all capabilities from a file

sudo setcap -r file_name

Checking capabilities for a file

getcap file_name

List of possible capabilities (some are really interesting)

https://linux.die.net/man/7/capabilities

Pitfall: setting capabilities does not really work for scripts. If you want your Python script to work, you need to set the capabilities on the Python executable itself. It's not ideal.

Note: setcap always overwrites the entire capability set when you run it. Most of the time, you see examples using setcap with + or - syntax, which I believe is a confusing piece of junk and does NOT work as you would expect from other tools like chmod. You can't use setcap multiple times to add different capabilities; it needs to be done in a single command.

Top answer
1 of 2
26

Searching for setcap

I believe setcap is contained in this package libcap2-bin. I found this by googling for "debian setcap" which led me to this man page:

  • https://manpages.debian.org/jessie/libcap2-bin/setcap.8.en.html

The title of the man page tells you which package it resides in:

/ jessie / libcap2-bin / setcap(8)

Now that we "think" we know the package's name we can search for it:

  • https://packages.debian.org/jessie/libcap2-bin

If you scroll down to the bottom of that page you'll see all the various architectures. Click the link for amd64:

  • https://packages.debian.org/jessie/amd64/libcap2-bin/filelist

Found it

And there's setcap:

File list of package libcap2-bin in jessie of architecture amd64
/sbin/capsh
/sbin/getcap
/sbin/getpcaps
/sbin/setcap
/usr/share/doc/libcap2-bin/README.Debian
/usr/share/doc/libcap2-bin/changelog.Debian.gz
/usr/share/doc/libcap2-bin/changelog.gz
/usr/share/doc/libcap2-bin/copyright
/usr/share/man/man1/capsh.1.gz
/usr/share/man/man1/getpcaps.1.gz
/usr/share/man/man5/capability.conf.5.gz
/usr/share/man/man8/getcap.8.gz
/usr/share/man/man8/pam_cap.8.gz
/usr/share/man/man8/setcap.8.gz
2 of 2
14

Just do a search to see if a package has that command using

apt-file search setcap

If apt-file is not installed, first get it installed, then re-issue the above:

sudo apt install apt-file -y  && sudo apt-file update
apt-file search setcap

the entry you want appears as

libcap2-bin: /sbin/setcap

Now you know which package has it, so install it using

sudo apt-get install libcap2-bin

To see the contents of an installed package, issue

dpkg -L some-package
dpkg -L libcap2-bin

output includes these

/sbin/getcap
/sbin/setcap

So now you know how to install setcap and its counterpart getcap.
