cap_drop_bound - Linux


cap_drop_bound allows the bounding of capabilities for child processes. Typically used after a setuid/setgid program has gained extra privileges, it helps restrict the capabilities that can be inherited by any child processes.


cap_drop_bound <name | numeric>
  • <name | numeric>: Name or numeric value of the capability to be bounded.
    • To specify multiple capabilities, separate the names with commas.
    • The numeric value should always be prefixed with CAP_.




  • Bound all capabilities to the current bounds:
cap_drop_bound all
  • Bound a specific capability by name:
cap_drop_bound CAP_SYS_ADMIN
  • Bound multiple capabilities by numeric value:

Common Issues

  • Ensure you have root privileges before running the command as it operates on the capabilities of the current process.
  • Specify the correct capability name or numeric value.


Combine cap_drop_bound with capset to control the capabilities of a process. For example:

# Drop the SYS_ADMIN capability of the current process
cap_drop_bound CAP_SYS_ADMIN

# Set the effective capabilities of a new child process
capset -e +ep

Related Commands

  • capset – Set or get capabilities of a process or file.
  • getcap – Get capabilities of a file.
  • setcap – Set capabilities of a file.