captest command
captest performs a set of tests related to capabilities and demonstrates them
Typical usage: diagnosing permission issues, demonstrating Linux capabilities, hardening of system services
Introduction to captest
The captest utility shows the current capabilities that a process has access to. It can be used for troubleshooting, testing, or demonstrating purposes.
Captest performs a set of tasks and tests:
- Show current capabilities
- Try to access /etc/shadow and show the result
- Create a child process
- Try to access the shadow file again, including the result
- Show what capabilities the child has
This functionality is useful to learn more about capabilities, to test containers, and to verify that a hardened systemd service is working correctly.
Example output
As an unprivileged user:
$ captest
User credentials uid:1000 euid:1000 suid:1000
Group credentials gid:1000 egid:1000 sgid:1000
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...FAILED
Child User credentials uid:1000 euid:1000 suid:1000
Child Group credentials gid:1000 egid:1000 sgid:1000
Child capabilities: none
Child securebits flags: none
Do not allow child process to regain privileges.
# captest --lock
User credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Effective: 000001FF, FFFFFFFF
Permitted: 000001FF, FFFFFFFF
Inheritable: 00000000, 00000000
Bounding Set: 000001FF, FFFFFFFF
Ambient : 00000000, 00000000
securebits flags: NOROOT, NOROOT_LOCKED, NO_SETUID_FIXUP, NO_SETUID_FIXUP_LOCKED
Attempting direct access to shadow...SUCCESS
Attempting to access shadow by child process...SUCCESS
Child User credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities: none
Child securebits flags: NOROOT, NOROOT_LOCKED, NO_SETUID_FIXUP, NO_SETUID_FIXUP_LOCKED
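The numeric sets in the root example above are printed as two 32-bit words, upper word first. The shell functions below are an added example, not part of captest or libcap-ng (the function names are illustrative): they read the same sets for an already running process from /proc/<pid>/status, print them in that layout, and report whether the effective set holds a capability that overrides file permission checks. The sample status lines are constructed.

```sh
#!/bin/sh
# Added example; the function names are illustrative, not part of libcap-ng.

# cap_mask FIELD [STATUS_FILE]: print the hex mask of CapInh, CapPrm, CapEff,
# CapBnd or CapAmb from a /proc/<pid>/status file (default: this process).
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# captest_words MASK: print a 64-bit mask as captest does without --text:
# upper 32 bits, a comma, then the lower 32 bits.
captest_words() {
    printf '%08X, %08X\n' $(( (0x$1 >> 32) & 0xFFFFFFFF )) $(( 0x$1 & 0xFFFFFFFF ))
}

# has_cap MASK BIT: succeed when capability number BIT is set in MASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# dac_bypass [STATUS_FILE]: name the effective capabilities that override file
# permission checks, so /etc/shadow is readable whatever its mode. Numbers are
# from linux/capability.h: CAP_DAC_OVERRIDE=1, CAP_DAC_READ_SEARCH=2.
# The body runs in a subshell so its variables stay local.
dac_bypass() (
    eff=$(cap_mask CapEff "$1")
    [ -n "$eff" ] || { echo "CapEff not found" >&2; exit 1; }
    out=""
    has_cap "$eff" 1 && out="$out CAP_DAC_OVERRIDE"
    has_cap "$eff" 2 && out="$out CAP_DAC_READ_SEARCH"
    out=${out# }
    echo "${out:-none}"
)

# Constructed sample: a service left with CAP_NET_BIND_SERVICE (bit 10) only.
sample=$(mktemp)
printf 'Name:\tdemo\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n' > "$sample"
echo "Effective: $(captest_words "$(cap_mask CapEff "$sample")")"
echo "DAC bypass: $(dac_bypass "$sample")"
rm -f "$sample"
```

For a running service, pass /proc/<pid>/status of its main process as the file argument.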
Installation
When captest is not installed by default, it can be added to the system using the relevant software package.
Package information for captest
Operating system | Package name | Installation |
---|---|---|
AlmaLinux | libcap-ng-utils | |
Arch Linux | libcap-ng-utils | |
Debian | libcap-ng-utils | |
Fedora | libcap-ng-utils | |
Red Hat Enterprise Linux | libcap-ng-utils | |
Rocky Linux | libcap-ng-utils | |
Ubuntu | libcap-ng-utils | |
Usage
Available options
Option | Description |
---|---|
--ambient | Make an attempt to add capability CAP_CHOWN to the list of ambient capabilities |
--drop-all | Drop all available capabilities and clear the capability bounding set |
--drop-caps | Drop traditional capabilities only |
--id | Change user ID and group ID to 99, drop any supplemental groups, and also clear the capability bounding set |
--init-grp | Similar to --id: change the user and group ID to 99, but add the supplemental groups for that account. Typically this account does not exist, so they need to be added manually |
--lock | Prevent a child getting privileges if the user ID is equal to 0 |
--text | Show the capabilities by their names instead of identifiers |
Frequently Asked Questions
What is the captest command and its purpose?
The captest command helps with testing Linux capabilities and by default includes a test that demonstrates whether privilege escalation is possible.
Which package provides the captest command?
The command captest is provided by the libcap-ng-utils package.
Related and similar commands
Linux has a lot of tools and commands available and sometimes you just need that little other tool. Here is a list of commands that are similar or related to captest:
Command | Category | Summary |
---|---|---|
capsh | capabilities | Linux capabilities testing and debugging tool |
filecap | capabilities | Display of Linux capabilities set on binaries in paths |
firejail | sandboxing | Sandboxing tool for Linux |
getcap | capabilities | Show file capabilities |
getpcaps | capabilities | Show process capabilities |
netcap | capabilities | Display available capabilities for running processes using network sockets |
pscap | capabilities | Display available capabilities for running processes |
setcap | capabilities | Add or remove Linux capabilities to a file |