community.general.capabilities module – Manage Linux capabilities

Note

This module is part of the community.general collection (version 8.5.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.capabilities.

Synopsis

  • This module manipulates file privileges using the Linux capabilities(7) system.

Aliases: system.capabilities

Parameters

| Parameter | Comments |
|---|---|
| capability (aliases: cap), string / required | Desired capability to set (with operator and flags, if state=present) or remove (if state=absent). |
| path (aliases: key), string / required | Specifies the path to the file to be managed. |
| state, string | Whether the entry should be present or absent in the file’s capabilities. Choices: "absent", "present" ← (default) |

Attributes

| Attribute | Support | Description |
|---|---|---|
| check_mode | full | Can run in check_mode and return changed status prediction without modifying target. |
| diff_mode | none | Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode. |

Notes

  • The capabilities system will automatically transform operators and flags into the effective set, so for example, cap_foo=ep will probably become cap_foo+ep.

  • This module does not attempt to determine the final operator and flags to compare, so you will want to ensure that your capabilities argument matches the final capabilities.
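One way to check the point made in the two notes above before settling on a capability argument. This is an added example, not part of the module or its documentation: it compares a desired capability string with what getcap reports and separates an exact textual match from one that differs only in operator or flag order. The helper names, the two getcap line layouts and the sample lines are assumptions constructed for illustration, and only single-clause capability strings are handled.

```python
import re

# One clause of the capabilities(7) text form: name[,name...] operator flags
CLAUSE = re.compile(r"^([a-z0-9_,]+)([=+-])([eip]*)$")

# Constructed sample lines in two assumed getcap layouts (with and without " = ").
SAMPLE_GETCAP = [
    "/foo = cap_sys_chroot+ep",
    "/bar cap_net_bind_service=ep",
]

def parse_clause(text):
    """Split 'cap_a,cap_b+ep' into (names, operator, flags)."""
    m = CLAUSE.match(text.strip().lower())
    if not m:
        raise ValueError(f"not a single capability clause: {text!r}")
    names, op, flags = m.groups()
    return frozenset(n for n in names.split(",") if n), op, frozenset(flags)

def parse_getcap_line(line):
    """Return (path, clause) from one getcap output line.

    The clause is the last space-separated token, so paths containing
    spaces survive; multi-clause output is out of scope here.
    """
    path, _, clause = line.strip().rpartition(" ")
    if path.endswith(" ="):
        path = path[:-2]
    return path, clause

def compare(desired, getcap_line):
    """Classify desired vs reported: 'identical', 'equivalent' or 'different'."""
    _, reported = parse_getcap_line(getcap_line)
    if desired == reported:
        return "identical"
    d_names, d_op, d_flags = parse_clause(desired)
    r_names, r_op, r_flags = parse_clause(reported)
    # As the only clause applied to a file, '=' and '+' raise the same flags.
    same_effect = (
        {d_op, r_op} <= {"=", "+"}
        and d_names == r_names
        and d_flags == r_flags
        and bool(d_flags)
    )
    return "equivalent" if same_effect else "different"

if __name__ == "__main__":
    for line in SAMPLE_GETCAP:
        print(line, "->", compare("cap_sys_chroot=ep", line))
```

A result of "equivalent" is the case the notes warn about: the file already carries the intended privileges, but the string in the playbook is not the form reported back, so it should be rewritten to match.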

Examples

- name: Set cap_sys_chroot+ep on /foo
  community.general.capabilities:
    path: /foo
    capability: cap_sys_chroot+ep
    state: present

- name: Remove cap_net_bind_service from /bar
  community.general.capabilities:
    path: /bar
    capability: cap_net_bind_service
    state: absent

Authors

  • Nate Coraor (@natefoo)