cap_func_launcher - Linux


cap_func_launcher is a privileged command that executes a specified user command while limiting its capabilities to a predefined set. This allows the command to perform specific tasks that require elevated permissions but without granting unrestricted root access.


cap_func_launcher -c COMMAND [OPTIONS] [ARGS]


  • -c, –command (Required): The user command to be executed with limited capabilities.
  • -f, –funcset (Optional): Specify the set of capabilities to grant to the command. By default, the setcap capability is enabled.
  • -d, –drop (Optional): Drop specified capabilities from the default set before granting the specified capabilities.


  • Execute a script with limited capabilities:
cap_func_launcher -c ./
  • Grant only the cap_mknod capability to a command:
cap_func_launcher -c ./ -f cap_mknod
  • Drop the cap_syslog capability from the default set, then add the cap_net_raw capability:
cap_func_launcher -c ./ -d cap_syslog -f cap_net_raw

Common Issues

  • Permission denied: Ensure that cap_func_launcher has the necessary permissions (e.g., SUID bit set) to execute the command.
  • Incorrect capabilities: Verify that the specified capabilities are granted correctly. Use getcap to check the actual capabilities assigned to the command.
  • Unexpected behavior: Ensure that the user command does not depend on any capabilities that are not granted.


cap_func_launcher can be combined with other commands for advanced privilege management. For example:

  • sudo cap_func_launcher: Execute a command with limited capabilities as a specific user.
  • ls -Z | grep cap_func_launcher: List all files and directories that have cap_func_launcher capabilities assigned.

Related Commands

  • getcap, setcap: Manage capabilities for files and processes.
  • sudo: Grant temporary elevated privileges to a command.