cap_launcher_set_mode - Linux


cap_launcher_set_mode grants or removes capabilities from a launched process. It is useful for granting only the necessary permissions to processes, enhancing system security.


cap_launcher_set_mode [options] <operation> <mode> <exe> [arguments]


  • -c, –capability: Specify the capability to grant or remove.
  • -f, –force: Force the operation even if it may be unsafe.
  • -h, –help: Display help and usage information.
  • -v, –verbose: Enable verbose output.


  • grant: Grants the specified capability to the launched process.
  • revoke: Removes the specified capability from the launched process.


  • inherit: Process inherits capabilities from its parent.
  • ambient: Process has ambient capabilities, which are a subset of its parent’s effective capabilities.
  • drop: Process has no capabilities.


Granting a process the CAP_NET_ADMIN capability:

cap_launcher_set_mode grant CAP_NET_ADMIN sudo iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

Revoking the CAP_SETUID capability:

cap_launcher_set_mode revoke CAP_SETUID chown -R user:users /data

Common Issues

  • Permission denied: Ensure that the user running the command has sufficient privileges to grant or revoke capabilities.
  • Invalid capability: Verify that the specified capability is valid and can be granted or revoked.


Integration with sudo:

Grant capabilities to processes launched with sudo:

sudo cap_launcher_set_mode grant CAP_SYS_ADMIN /bin/bash

Related Commands

  • capabilities: Display the capabilities of a process.
  • getcap: Get the capabilities of a file or process.
  • setcap: Set the capabilities of a file or process.