getcap - examine file capabilities

getcap displays the name and capabilities of each specified file.

       getcap - examine file capabilities

-h  prints quick usage.

       -n  prints  any  non-zero  user  namespace  root  user  ID  value  found  to  be associated with a file's
           capabilities.

       -r  enables recursive search.

       -v  display all searched entries, even if the have no file-capabilities.

       NOTE: an empty value of '=' is not equivalent to an omitted (or removed) capability on a  file.  This  is
       most significant with respect to the Ambient capability vector, since a process with Ambient capabilities
       will  lose them when executing a file having '=' capabilities, but will retain the Ambient inheritance of
       privilege when executing a file with an omitted file capability. This special empty setting can  be  used
       to prevent a binary from executing with privilege. For some time, the kernel honored this suppression for
       root executing the file, but the kernel developers decided after a number of years that this behavior was
       unexpected  for the superuser and reverted it just for that user identity. Suppression of root privilege,
       for a process tree, is possible, using the capsh(1) --mode option.

       filename
           One file per line.

       Please report bugs via:

       https://bugzilla.kernel.org/buglist.cgi?component=libcap&list_id=1090757

capsh(1), cap_get_file(3), cap_to_text(3), capabilities(7), user_namespaces(7),  captree(8),  getpcaps(8)
       and setcap(8).

                                                   2021-08-29                                          GETCAP(8)

getcap [-v] [-n] [-r] [-h] filename [ ... ]