captest command
captest performs a set of tests related to capabilities and demonstrates themThe captest utility shows the current capabilities that a process has access to. It can be used for troubleshooting, testing, or demonstrating purposes.
Captest performs a set of of tasks and tests:
- Show current capabilities
- Try to access /etc/shadow and show the result
- Create a child process
- Try to access the shadow file again, including the result
- Show what capabilities the child has
This functionality may be useful to learn more about capabilities, test containers, but also if a hardened systemd service is working correctly.
Example output
As an unprivileged user:
$ captest
User credentials uid:1000 euid:1000 suid:1000
Group credentials gid:1000 egid:1000 sgid:1000
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...FAILED
Child User credentials uid:1000 euid:1000 suid:1000
Child Group credentials gid:1000 egid:1000 sgid:1000
Child capabilities: none
Child securebits flags: none
Do not allow child process to regain privileges.
# captest --lock
User credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Effective: 000001FF, FFFFFFFF
Permitted: 000001FF, FFFFFFFF
Inheritable: 00000000, 00000000
Bounding Set: 000001FF, FFFFFFFF
Ambient : 00000000, 00000000
securebits flags: NOROOT, NOROOT_LOCKED, NO_SETUID_FIXUP, NO_SETUID_FIXUP_LOCKED
Attempting direct access to shadow...SUCCESS
Attempting to access shadow by child process...SUCCESS
Child User credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities: none
Child securebits flags: NOROOT, NOROOT_LOCKED, NO_SETUID_FIXUP, NO_SETUID_FIXUP_LOCKED
Installation
When captest command is not installed by default, it can be added to the system using the relevant software package.
Package information for captest command
Operating system | Package name | Installation |
---|---|---|
AlmaLinux | libcap-ng-utils |
|
Arch Linux | libcap-ng-utils |
|
Debian | libcap-ng-utils |
|
Fedora | libcap-ng-utils |
|
Red Hat Enterprise Linux | libcap-ng-utils |
|
Rocky Linux | libcap-ng-utils |
|
Ubuntu | libcap-ng-utils |
|
Your Linux distribution using a different package? Share your feedback.
Usage
Available options
Option | Description |
---|---|
--ambient | Make an attempt to add capability CAP_CHOWN to the list of ambient capabilities |
--drop-all | Drops all available capabilities and clear the capability bounding set. |
--drop-caps | Drop traditional capabilities only |
--id | Change user ID and group ID to 99, drop any supplemental groups, and also clear the capability bounding set |
--init-grp | Similar to --id: change to user and group to 99, but add supplemental groups for that account. Typically this account does not exist, so they need to manually added. |
--lock | Prevent a child getting privileges if the user ID is equal to 0 |
--text | Show the capabilities by their names instead of identifiers |
Missing an option in this overview? Share your feedback.