rvp uxer I would expect such info in the docs...
cgetent (Section: Capability database semantics) does describe the behaviour of getcap.
Hm, that looks more like docs for devs or advanced admins. I would expect
man login.conf.d for ordinary users, with user-targeted explanations of resolution process and real-world examples...
OK, I seem to eventually have figured it out.
When you run it like this:
getcap -f /etc/login.conf.d/<class>:/etc/login.conf <class>
It does dump everything, including duplicates, for the <class>, in the order it has found them.
rvp When a database is searched for a capability record, the first matching record in the search is returned.
When a record is scanned for a capability, the first matching capability is returned; the capability
:nameT@: will hide any following definition of a value of type T for name; and the capability :name@:
will prevent any following values of name from being seen.
In output of
-c, all following definitions/values are present:
getcap -f /tmp/getcap/1.conf:/tmp/getcap/0.conf hide-prevent
# hide-prevent: :aa@: : :aa>0:
And when you are more specific:
getcap -c <capability>= -f /etc/login.conf.d/<class>:/etc/login.conf <class>
It does resolve and prints a single resulting value (my guess is it just prints the first encountered value from the order in which it has found them).
A special case - value is "@":
getcap -c aa -f /tmp/getcap/1.conf:/tmp/getcap/0.conf hide-prevent
# no output
So, for tracing capabilities across multiple files, one can't do it with one general
getcap command (as I had tried and been confounded), one needs to check them one-by-one with
Yet it does NOT resolve the actual final value:
getcap -c openfiles -f /etc/login.conf xenodm
# 512 (from xenodm)
getcap -c openfiles-max -f /etc/login.conf xenodm
# 1024 (from daemon)
getcap -c openfiles-cur -f /etc/login.conf xenodm
# 128 (from daemon)
If it did resolve, all 3 would print 512 since
openfiles alone means both
So one still needs some manual mental math...
Looking at how
getcap works, I dare to say this is not a properly implemented database tool, it is a hacky makeshift workaround of returning a substring, unless substring equals "@":
getcap -c openfile -f /etc/login.conf xenodm
getcap -c openfil -f /etc/login.conf xenodm
getcap -c openfi -f /etc/login.conf xenodm
getcap -c openfiles=5 -f /etc/login.conf xenodm
getcap -c openfiles=51 -f /etc/login.conf xenodm
getcap -c a -f /tmp/getcap/1.conf:/tmp/getcap/0.conf hide-prevent
Keep it stupid simple 🤔
@rvp thanks for your care and effort, you are very helpful 💎