cap_get_flag - Linux


cap_get_flag is a command-line tool used to retrieve the value of a capability flag associated with a process or file descriptor. It’s commonly used for troubleshooting and debugging purposes, as well as for managing capabilities in applications.


cap_get_flag [-hv] [--process-id <pid>] [--file-descriptor <fd>] <flag>


  • -h, --help: Display help information.
  • -v, --verbose: Print additional information about the capability flag.
  • --process-id <pid>: Get the capability flag for the process with the specified PID.
  • --file-descriptor <fd>: Get the capability flag for the file descriptor with the given number.
  • <flag>: The capability flag to retrieve. See proc(5) for a list of available flags.


Get the effective capabilities of the current process:

cap_get_flag CAP_SYS_ADMIN

Get the permitted capabilities of a specific process:

cap_get_flag --process-id 1234 CAP_DAC_OVERRIDE

Get the inheritable capabilities for a file descriptor:

cap_get_flag --file-descriptor 3 CAP_CHOWN
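
An added example, not from the original page and not the cap_get_flag tool itself: the kernel exposes each process's capability sets as hex masks in the CapInh, CapPrm and CapEff lines of /proc/<pid>/status (see proc(5)), so a single flag can be checked by testing one bit. The function names and the sample status text are constructed for illustration; the bit numbers are those defined in linux/capability.h.

```shell
#!/bin/sh
# Added example: test one capability bit in /proc/<pid>/status-style text.

# Map a capability name to its bit number (subset, from linux/capability.h).
cap_bit() {
    case "$1" in
        CAP_CHOWN)            echo 0 ;;
        CAP_DAC_OVERRIDE)     echo 1 ;;
        CAP_SETUID)           echo 7 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        CAP_NET_RAW)          echo 13 ;;
        CAP_SYS_PTRACE)       echo 19 ;;
        CAP_SYS_ADMIN)        echo 21 ;;
        *) return 1 ;;
    esac
}

# Usage: cap_flag_from_status <effective|permitted|inheritable> <CAP_NAME>
# Reads status text on stdin, prints SET or CLEAR, returns 2 on bad input.
cap_flag_from_status() {
    case "$1" in
        effective)   field=CapEff ;;
        permitted)   field=CapPrm ;;
        inheritable) field=CapInh ;;
        *) echo "unknown set: $1" >&2; return 2 ;;
    esac
    bit=$(cap_bit "$2") || { echo "unknown capability: $2" >&2; return 2; }
    # The mask is the second whitespace-separated field of the matching line.
    mask=$(awk -v f="$field:" '$1 == f { print $2 }')
    case "$mask" in
        ''|*[!0-9a-fA-F]*) echo "no valid $field line" >&2; return 2 ;;
    esac
    if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then echo SET; else echo CLEAR; fi
}

# Constructed sample: a service holding only CAP_NET_BIND_SERVICE (bit 10).
sample_status() {
    printf 'Name:\tdemo\nCapInh:\t0000000000000000\n'
    printf 'CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n'
    printf 'CapBnd:\t000001ffffffffff\n'
}

sample_status | cap_flag_from_status effective CAP_NET_BIND_SERVICE  # prints SET
# Live process: cap_flag_from_status effective CAP_SYS_ADMIN < /proc/self/status
```

Reading another user's /proc/<pid>/status may be restricted by the hidepid mount option, which is one source of the "Permission denied" case listed under Common Issues.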

Common Issues

  • Permission denied: Ensure that the user running the command has sufficient permissions to retrieve the capability flag.
  • Invalid flag: Check that the specified capability flag is valid.
  • Invalid PID or file descriptor: Confirm that the provided PID or file descriptor is valid and corresponds to an existing process or file descriptor.


cap_get_flag can be used in conjunction with other commands to manage capabilities, such as:

  • capset: Set the capabilities of a process or file descriptor.
  • cap_drop: Drop specific capabilities from a process.
  • getcap: Retrieve the capabilities associated with a file.

Related Commands

  • getcap(1)
  • capset(1)
  • cap_drop(1)