cap_clear_flag - Linux


cap_clear_flag is a command used to remove a capability flag from a particular file or directory. It allows users to selectively disable specific capabilities, granting more granular control over file permissions.


cap_clear_flag [-d] [-p <file/dir>] <capability> <file/dir>


  • -d: Dereference symbolic links, applying changes to the actual file or directory instead of the link itself.
  • -p <file/dir>: Prepend the path specified in <file/dir> to all subsequent paths. This simplifies providing paths relative to a common root.


Disable the CAP_DAC_READ_SEARCH capability for the file myfile.txt:

cap_clear_flag CAP_DAC_READ_SEARCH myfile.txt

Recursively remove the CAP_SETUID capability from the directory bin/:

cap_clear_flag -d CAP_SETUID /bin

Remove the CAP_SYS_CHROOT capability from a symlink link_to_file pointing to real_file:

cap_clear_flag -d CAP_SYS_CHROOT link_to_file

Common Issues

  • Access Denied: If you lack sufficient permissions to modify the capabilities of a file or directory, the command will fail. Ensure you have appropriate privileges.
  • Invalid Capability: Specify a valid capability name from the list of available capabilities on your system.


cap_clear_flag can be integrated with other commands and tools for advanced tasks:

  • Grant a specific capability to a user/group: Use setcap to grant a capability, then cap_clear_flag to remove it for specific files or directories.
  • Enforce security policies: Create custom scripts that use cap_clear_flag to ensure specific capabilities are not set on sensitive files or directories.

Related Commands

  • setcap: Sets capabilities on files or directories.
  • getcap: Displays the capabilities of a file or directory.
  • lscap: Lists available capabilities.