File protection mystery

Hal Murray hmurray at
Wed Jan 3 02:48:13 UTC 2018

Found it.  (It was right in front of my eyes.)

setcap isn't doing what I expect.

My install script says:
  setcap cap_ipc_lock,cap_sys_nice,cap_sys_time,cap_net_bind_service=pe \

Note the =pe on the end.

But getcap says:
/usr/local/sbin/ntpd = cap_net_bind_service,cap_ipc_lock,cap_sys_nice,cap_sys_

Note the +ep on the end.  It's adding the caps I want to what root has rather 
than replacing them.

If I start it as non-root, it can't read the keys file.  If I change the 
owner, it works.

Anybody understand setcap?

These are my opinions.  I hate spam.

More information about the devel mailing list