cap_launch - Linux


cap_launch is a powerful command used to manipulate capabilities on Linux systems. It provides fine-grained control over which capabilities are granted to specific programs, enhancing security and system integrity.


cap_launch [options] command [<argument>...]


  • -c, –capabilities <list>: Specify the capabilities to grant to the command, separated by commas.
  • -d, –drop <list>: Drop the specified capabilities from the command.
  • -i, –inherit-all <list>: Inherit all capabilities from the parent process.
  • -r, –restore-all <list>: Restore all capabilities from the parent process.
  • -s, –silent : Suppress error and warning messages.
  • -v, –version : Display the program’s version number.


Granting capabilities to a command:

cap_launch -c CAP_NET_ADMIN ping

Dropping capabilities from a command:

cap_launch -d CAP_SYS_ADMIN,CAP_SYS_BOOT ls -la /root

Inheriting capabilities from the parent process:

cap_launch -i CAP_* ls -la /etc

Common Issues

  • Ensure that the user running cap_launch has the required privileges to grant or drop capabilities.
  • Verify that the capabilities being granted or dropped are valid for the system.
  • Handle error messages carefully, as they may indicate incorrect syntax or invalid capabilities being specified.


cap_launch can integrate with other commands to create sophisticated access control mechanisms:

  • sshd: Define custom capability sets for SSH users.
  • docker: Set capabilities for containerized applications.
  • getcap: Display capabilities assigned to files or processes.

Related Commands

  • setcap: Set capabilities of a file or executable.
  • getcap: Display capabilities of a file or executable.
  • capabilities: Linux capabilities documentation.