File protection mystery

Eric S. Raymond esr at
Wed Jan 3 03:58:52 UTC 2018

Hal Murray via devel <devel at>:
> Found it.  (It was right in front of my eyes.)
> setcap isn't doing what I expect.
> My install script says:
>   setcap cap_ipc_lock,cap_sys_nice,cap_sys_time,cap_net_bind_service=pe \
>                 /usr/local/sbin/ntpd
> Note the =pe on the end.
> But getcap says:
> /usr/local/sbin/ntpd = cap_net_bind_service,cap_ipc_lock,cap_sys_nice,cap_sys_
> time+ep
> Note the +ep on the end.  It's adding the caps I want to what root has rather 
> than replacing them.
> If I start it as non-root, it can't read the keys file.  If I change the 
> owner, it works.
> Anybody understand setcap?

Alas, I've never used it.  
		<a href="">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute:
Please visit their site and donate: the civilization you save might be your own.

More information about the devel mailing list