cap_fill_flag - Linux


cap_fill_flag is a Linux command used to interpret and modify capabilities associated with a file or directory’s access control list (ACL). It enables administrators to fine-tune permissions, granting or revoking specific capabilities to specific users or groups.


cap_fill_flag [-p [-v] mode] <mode> <file>...
cap_fill_flag -r [-v] <mode> <file>...


  • -p: Preview mode. Shows the capabilities that would be modified without actually making any changes.
  • -v: Verbose mode. Provides more detailed output, showing the modified capabilities.
  • -r: Remove mode. Revokes capabilities instead of granting them.
  • mode: The capabilities to be added or removed. Specify in hexadecimal or symbolic format (e.g., cap_sys_admin).


Granting the cap_sys_admin capability to a file:

cap_fill_flag -p cap_sys_admin /etc/shadow

Revoking all capabilities from a directory:

cap_fill_flag -r 0 /usr/local

Common Issues

  • Permission Denied: Ensure that you have sufficient privileges to modify the capabilities of the target file or directory.
  • Invalid Capability: Verify that the specified capability is valid and supported by the system.


  • Use capsh to temporarily elevate privileges and execute commands with specific capabilities.
  • Combine with setfacl to set and manage ACLs, including capabilities.

Related Commands

  • capabilities
  • getfacl
  • setfacl