Unset `setcap` additional capabilities on executable

24,139

Solution 1

To remove capabilities from a file use the -r flag

setcap -r /path/to/program

This will result in the program having no capabilities.

Solution 2

What @stephen-harris posted is right. But I believe it removes all capabilities added to the program in one shot. To remove a specific capability, the following would work (following the example in the question):

setcap 'cap_net_bind_service=-ep' /path/to/program

Notice the '-' sign. You can verify the effect of the commands on an executable's capabilities as follows:

getcap /path/to/program

In the case of setcap -r, all capabilities will be gone and the result of getcap will be empty, whereas the '-ep' just removes what you added with '+ep'. Comes in handy when you gave multiple capabilities and want to selectively remove them.
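The two answers rely on reading getcap output to confirm that a grant or a removal took effect. The script below is an added example, not code from either answer: it parses getcap lines in both output styles libcap has used (the older `/path = cap_x+ep` and the newer `/path cap_x=ep`), reports whether a named capability is still effective or permitted on a file, and lists files from `getcap -r` output that still carry a given capability. The sample lines are constructed; `check_file` is the only function that calls the real `getcap` and needs it installed.

```sh
#!/bin/sh
# Added example (not part of the original thread): audit file capabilities
# by parsing getcap output. Handles both formats libcap has printed:
#   old: /usr/local/bin/prog = cap_net_bind_service+ep
#   new: /usr/local/bin/prog cap_net_bind_service,cap_net_raw=ep

# cap_spec LINE: print only the capability clause(s) of one getcap line,
# or nothing if the line carries no capability text.
cap_spec() {
  line=$1
  case "$line" in
    *" = "*) printf '%s\n' "${line#* = }" ;;   # old libcap format
    *" "*)   printf '%s\n' "${line#* }" ;;     # new libcap format
    *)       printf '\n' ;;                    # path only: no capabilities
  esac
}

# has_cap CAP LINE: succeed (exit 0) when CAP is granted in the permitted or
# effective set. A capability present only as inheritable ("=i") is not
# counted, since it grants nothing by itself.
has_cap() {
  want=$1
  spec=$(cap_spec "$2")
  [ -n "$spec" ] || return 1
  for clause in $spec; do                # clauses are space separated
    names=${clause%%[-=+]*}              # "cap_a,cap_b" before the operator
    flags=${clause#"$names"}             # "=ep", "+ep", "=i", ...
    case ",$names," in
      *",$want,"*)
        case "$flags" in
          *p*|*e*) return 0 ;;
        esac ;;
    esac
  done
  return 1
}

# audit_lines CAP: read getcap -r output on stdin and print the path of every
# file that still has CAP in its permitted or effective set.
audit_lines() {
  want=$1
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if has_cap "$want" "$line"; then
      printf '%s\n' "${line%% *}"        # the path is the first field
    fi
  done
}

# check_file CAP PATH: run the real getcap (must be installed) and report.
# Not exercised by the constructed samples below.
check_file() {
  out=$(getcap "$2" 2>/dev/null) || return 2
  if has_cap "$1" "$out"; then
    printf '%s still has %s\n' "$2" "$1"
    return 0
  fi
  printf '%s does not have %s\n' "$2" "$1"
  return 1
}

# Constructed sample lines standing in for real getcap output.
SAMPLE_OLD='/usr/local/bin/prog = cap_net_bind_service+ep'
SAMPLE_NEW='/usr/local/bin/prog cap_net_bind_service,cap_net_raw=ep'
SAMPLE_AFTER_SELECTIVE='/usr/local/bin/prog cap_net_raw=ep'   # after '=-ep'
SAMPLE_INHERIT_ONLY='/opt/tool cap_net_raw=i'

# Typical use: getcap -r / 2>/dev/null | audit_lines cap_net_bind_service
printf '%s\n' "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_AFTER_SELECTIVE" "$SAMPLE_INHERIT_ONLY" \
  | audit_lines cap_net_bind_service
```

After `setcap 'cap_net_bind_service=-ep'`, a file that previously showed both capabilities is expected to report only the remaining one, which is what `SAMPLE_AFTER_SELECTIVE` models; after `setcap -r`, getcap prints nothing for the file, so `has_cap` returns false for every capability.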


Updated on September 18, 2022

Comments

  • user2943160
    user2943160 almost 2 years

    An answer to Linux: allowing a user to listen to a port below 1024 specified giving an executable additional permissions using setcap such that the program could bind to ports <1024:

    setcap 'cap_net_bind_service=+ep' /path/to/program

    What is the correct way to undo these permissions?

  • user2943160
    user2943160 almost 8 years
    Well, that was a lot more evident after re-reading that short man page >.>
  • dotnetCarpenter
    dotnetCarpenter over 2 years
    How can I confirm that the setcap -r command worked as intended?
  • Stephen Harris
    Stephen Harris over 2 years
    @dotnetCarpenter Use getcap