cap_launcher_setgroups - Linux


cap_launcher_setgroups modifies the group access list of a specified capability in a running target process. It provides a secure and straightforward method for adjusting the access rights of a process to specific capabilities. This command is particularly useful in enterprise environments where controlled delegation of capabilities is required.


# cap_launcher_setgroups <capability> <pattern> [--] <group-list>


  • <capability>: The name of the capability to be modified.
  • <pattern>: A comma-separated list of process IDs or executable paths.
  • <group-list>: A comma-separated list of group names or GIDs.


Example 1: Granting the CAP_SETUID capability to the root group for the "su" process

# cap_launcher_setgroups CAP_SETUID "su" root

Example 2: Revoking the CAP_DAC_OVERRIDE capability from all processes with "/bin/sh" path

# cap_launcher_setgroups CAP_DAC_OVERRIDE "/bin/sh" --

Common Issues

  • Permission Denied: Ensure that you have sufficient privileges to modify the capabilities of the target process.
  • Invalid Capability: Verify that the specified capability is a valid capability.
  • Invalid Group: Ensure that the provided group names or GIDs are valid.


cap_launcher_setgroups can be integrated with other commands to enhance its functionality. For example:

  • Find Processes with Specific Capabilities: Use cap_launcher_show to identify processes with specific capabilities, then selectively adjust their access using cap_launcher_setgroups.

Related Commands

  • cap_launcher_show: Displays group access lists for specified capabilities.
  • getcap: Gets capabilities of a specified file or process.
  • setcap: Sets capabilities of a specified file or process.