captest command

captest performs a set of tests related to capabilities and demonstrates them

The captest utility shows the current capabilities that a process has access to. It can be used for troubleshooting, testing, or demonstrating purposes.

Captest performs a set of tasks and tests:

  • Show current capabilities
  • Try to access /etc/shadow and show the result
  • Create a child process
  • Try to access the shadow file again from the child and show the result
  • Show what capabilities the child has

This functionality is useful to learn more about capabilities and to test containers, but also to check whether a hardened systemd service is working correctly.

Example output

As an unprivileged user:

$ captest
User  credentials uid:1000 euid:1000 suid:1000
Group credentials gid:1000 egid:1000 sgid:1000
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...FAILED
Child User  credentials uid:1000 euid:1000 suid:1000
Child Group credentials gid:1000 egid:1000 sgid:1000
Child capabilities: none
Child securebits flags: none

As root with --lock, so that a child process is not allowed to regain privileges:

# captest --lock
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Effective:    000001FF, FFFFFFFF
Permitted:    000001FF, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 000001FF, FFFFFFFF
Ambient :     00000000, 00000000
securebits flags: NOROOT, NOROOT_LOCKED, NO_SETUID_FIXUP, NO_SETUID_FIXUP_LOCKED
Attempting direct access to shadow...SUCCESS
Attempting to access shadow by child process...SUCCESS
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities: none
Child securebits flags: NOROOT, NOROOT_LOCKED, NO_SETUID_FIXUP, NO_SETUID_FIXUP_LOCKED
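To make the hex words in the output above readable, here is an added decoder (example code, not part of captest or libcap-ng) that maps each pair of 32-bit words to capability names and reassembles the securebits value; bit numbering follows linux/capability.h and linux/securebits.h, and the high-word-first order is inferred from the sample (FFFFFFFF as the low word is CAP_CHOWN through CAP_SETFCAP).

```python
"""Decode capability words and securebits flags from captest output.
Added example, not part of captest/libcap-ng. SAMPLE_REPORT is the
--lock output from this page, embedded so the decoder runs offline."""
import re

# Capability names by bit number, 0..40 (CAP_CHOWN .. CAP_CHECKPOINT_RESTORE).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

# Securebits by bit number, 0..7, named as on captest's "securebits flags" line.
SECUREBIT_NAMES = [
    "NOROOT", "NOROOT_LOCKED", "NO_SETUID_FIXUP", "NO_SETUID_FIXUP_LOCKED",
    "KEEP_CAPS", "KEEP_CAPS_LOCKED", "NO_CAP_AMBIENT_RAISE",
    "NO_CAP_AMBIENT_RAISE_LOCKED",
]

SAMPLE_REPORT = """\
Effective:    000001FF, FFFFFFFF
Inheritable:  00000000, 00000000
Ambient :     00000000, 00000000
securebits flags: NOROOT, NOROOT_LOCKED, NO_SETUID_FIXUP, NO_SETUID_FIXUP_LOCKED
"""

def decode_caps(high_word, low_word):
    """captest prints the high 32-bit word first, then the low word."""
    bits = (int(high_word, 16) << 32) | int(low_word, 16)
    return [name for i, name in enumerate(CAP_NAMES) if bits & (1 << i)]

def parse_report(text):
    """Map each capability set line, plus 'securebits', to decoded names."""
    sets = {}
    for m in re.finditer(r"^(\w[\w ]*?)\s*:\s+([0-9A-F]{8}), ([0-9A-F]{8})$", text, re.M):
        sets[m.group(1)] = decode_caps(m.group(2), m.group(3))
    m = re.search(r"^securebits flags:\s*(.*)$", text, re.M)
    flags = [] if not m or m.group(1) == "none" else m.group(1).split(", ")
    unknown = sorted(set(flags) - set(SECUREBIT_NAMES))
    if unknown:  # reject names the kernel does not define rather than guess
        raise ValueError(f"unknown securebits flag(s): {unknown}")
    sets["securebits"] = flags
    return sets

def securebits_value(flags):
    """Reassemble the integer that prctl(PR_GET_SECUREBITS) would return."""
    return sum(1 << SECUREBIT_NAMES.index(f) for f in flags)
```

For the --lock sample, Effective decodes to all 41 capabilities while Inheritable and Ambient are empty, which is why the uid-0 child ends up with none once NOROOT is set.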

Installation

When the captest command is not installed by default, it can be added to the system using the relevant software package.

Package information for captest command

Operating system            Package name      Installation
AlmaLinux                   libcap-ng-utils   dnf install libcap-ng-utils
Arch Linux                  libcap-ng-utils   pacman -S libcap-ng-utils
Debian                      libcap-ng-utils   apt install libcap-ng-utils
Fedora                      libcap-ng-utils   dnf install libcap-ng-utils
Red Hat Enterprise Linux    libcap-ng-utils   dnf install libcap-ng-utils
Rocky Linux                 libcap-ng-utils   dnf install libcap-ng-utils
Ubuntu                      libcap-ng-utils   apt install libcap-ng-utils

Usage

Available options

Option       Description
--ambient    Make an attempt to add the capability CAP_CHOWN to the list of ambient capabilities
--drop-all   Drop all available capabilities and clear the capability bounding set
--drop-caps  Drop traditional capabilities only
--id         Change the user ID and group ID to 99, drop any supplemental groups, and also clear the capability bounding set
--init-grp   Similar to --id: change the user and group to 99, but add the supplemental groups for that account. Typically this account does not exist, so it has to be added manually
--lock       Prevent a child process from getting privileges if the user ID is equal to 0
--text       Show the capabilities by their names instead of identifiers