diff --git a/doc/guix.texi b/doc/guix.texi
index f882eb70e49..0e1e253b023 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41655,6 +41655,8 @@ invokation.
 @cindex privileged programs
 @cindex setuid programs
 @cindex setgid programs
+@cindex capabilities, POSIX
+@cindex setcap
 Some programs need to run with elevated privileges, even when they are
 launched by unprivileged users.  A notorious example is the
 @command{passwd} program, which users can run to change their
@@ -41720,6 +41722,11 @@ defaults to root.
 GID (integer) group name (string) for the group owner of the program,
 defaults to root.
 
+@item @code{capabilities} (default: @code{#f})
+A string representing the program's POSIX capabilities, as described by
+the @code{cap_to_text(3)} man page from the libcap package, or @code{#f}
+to make no changes.
+
 @end table
 @end deftp
 
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 77eb150477d..a57ca78a86a 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -288,9 +288,10 @@ they already exist."
   ;; Place where privileged copies of programs are stored.
   "/run/privileged/bin")
 
-(define (activate-privileged-programs programs)
+(define (activate-privileged-programs programs libcap)
   "Turn PROGRAMS, a list of file privileged-programs records, into privileged
-copies stored under %PRIVILEGED-PROGRAM-DIRECTORY."
+copies stored under %PRIVILEGED-PROGRAM-DIRECTORY, using LIBCAP's setcap(8)
+binary if needed."
   (define (ensure-empty-directory directory)
     (if (file-exists? directory)
         (for-each (compose delete-file
@@ -301,7 +302,7 @@ copies stored under %PRIVILEGED-PROGRAM-DIRECTORY."
                            string<?))
         (mkdir-p directory))    )
 
-  (define (make-privileged-program program setuid? setgid? uid gid)
+  (define (make-privileged-program program setuid? setgid? uid gid capabilities)
     (let ((target (string-append %privileged-program-directory
                                  "/" (basename program)))
           (mode (+ #o0555                   ; base permissions
@@ -309,7 +310,10 @@ copies stored under %PRIVILEGED-PROGRAM-DIRECTORY."
                    (if setgid? #o2000 0)))) ; setgid bit
       (copy-file program target)
       (chown target uid gid)
-      (chmod target mode)))
+      (chmod target mode)
+      (when (and capabilities libcap)
+        (system* (string-append libcap "/sbin/setcap")
+                 "-q" capabilities target))))
 
   (define (make-deprecated-wrapper program)
     ;; This will eventually become a script that warns on usage, then vanish.
@@ -331,13 +335,16 @@ copies stored under %PRIVILEGED-PROGRAM-DIRECTORY."
                          (setgid?      (privileged-program-setgid? program))
                          (user         (privileged-program-user program))
                          (group        (privileged-program-group program))
+                         (capabilities (privileged-program-capabilities program))
                          (uid (match user
                                 ((? string?) (passwd:uid (getpwnam user)))
                                 ((? integer?) user)))
                          (gid (match group
                                 ((? string?) (group:gid (getgrnam group)))
                                 ((? integer?) group))))
-                    (make-privileged-program program-name setuid? setgid? uid gid)
+                    (make-privileged-program program-name
+                                             setuid? setgid? uid gid
+                                             capabilities)
                     (make-deprecated-wrapper program-name)))
                 (lambda args
                   ;; If we fail to create a privileged program, better keep going
diff --git a/gnu/services.scm b/gnu/services.scm
index 553ec93a6c7..610a2df3958 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -46,6 +46,7 @@
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages hurd)
+  #:use-module (gnu packages linux)
   #:use-module (gnu system privilege)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
@@ -899,12 +900,14 @@ FILES must be a list of name/file-like object pairs."
                                (setuid?      (privileged-program-setuid? program))
                                (setgid?      (privileged-program-setgid? program))
                                (user         (privileged-program-user program))
-                               (group        (privileged-program-group program)) )
+                               (group        (privileged-program-group program))
+                               (capabilities (privileged-program-capabilities program)))
                            #~(privileged-program
                               (setuid? #$setuid?)
                               (setgid? #$setgid?)
                               (user    #$user)
                               (group   #$group)
+                              (capabilities #$capabilities)
                               (program #$program-name))))
                        programs)))
     (with-imported-modules (source-module-closure
@@ -912,7 +915,9 @@ FILES must be a list of name/file-like object pairs."
       #~(begin
           (use-modules (gnu system privilege))
 
-          (activate-privileged-programs (list #$@programs))))))
+          (activate-privileged-programs (list #$@programs)
+                                        #$(and (supported-package? libcap)
+                                               libcap))))))
 
 (define privileged-program-service-type
   (service-type (name 'privileged-program)
diff --git a/gnu/system/privilege.scm b/gnu/system/privilege.scm
index 455a659a125..d89d5d5d1c3 100644
--- a/gnu/system/privilege.scm
+++ b/gnu/system/privilege.scm
@@ -25,13 +25,14 @@
             privileged-program-setuid?
             privileged-program-setgid?
             privileged-program-user
-            privileged-program-group))
+            privileged-program-group
+            privileged-program-capabilities))
 
 ;;; Commentary:
 ;;;
 ;;; Data structures representing privileged programs: binaries with additional
-;;; permissions such as setuid/setgid.  This is meant to be used both on the
-;;; host side and at run time--e.g., in activation snippets.
+;;; permissions such as setuid/setgid, or POSIX capabilities.  This is meant to
+;;; be used both on the host side and at run time--e.g., in activation snippets.
 ;;;
 ;;; Code:
 
@@ -51,4 +52,7 @@
                  (default 0))
   ;; The group name or ID we want to set this to (defaults to root's).
   (group         privileged-program-group ;integer or string
-                 (default 0)))
+                 (default 0))
+  ;; POSIX capabilities in cap_from_text(3) form (defaults to #f: none).
+  (capabilities  privileged-program-capabilities ;string or #f
+                 (default #f)))