How to find out what linux capabilities a process requires to work?

Question

I am in a difficult situation where I don't know what linux capabilities a process requires to work. What is the best way, or any way to find out what cap is required?

The only thing I can think of right now is using capsh and drop all caps on a process. The process then fails and I start to add caps (by removing --drop=CAP_XZY) until it works.

Any better suggestions?

Answer 1

Based on recent libcap2 update

1: (Short option): getpcaps

Description:

From here:

getpcaps displays the capabilities on the processes indicated by the pid value(s) given on the command line.

Example:

$ getpcaps <PID>
PID: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+i

---

2: (A bit longer option): /proc status and capsh

Description:

proc is a process information pseudo-filesystem or in other words - a directory where you can view information on all processes.

About capsh:

Linux capability support and use can be explored and constrained with this tool. This tool provides a handy wrapper for certain types of capability testing and environment creation.
It also provides some debugging features useful for summarizing capability state.

Example:

$ cat /proc/<PID>/status | grep Cap

And you'll get (on most systems):

CapInh: 00000000a80425fb (Inherited capabilities)
CapPrm: 0000000000000000 (Permitted capabilities)
CapEff: 0000000000000000 (Effective capabilities)
CapBnd: 00000000a80425fb (Bounding set)
CapAmb: 000000000000000  (Ambient capabilities set)

Use the capsh utility to decode from hexadecimal numbers into the capabilities name:

capsh --decode=00000000a80425fb
0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap

(*) You can download capsh with: sudo apt-get install git libpcap-dev.

Answer 2

Turns out it is easier than expected. Install libcap-ng (https://people.redhat.com/sgrubb/libcap-ng/) and use pscap.

In Ubuntu 16.04, it can be installed with:

sudo apt-get install libcap-ng-utils

Sample output excerpt:

ppid  pid   name        command           capabilities
1     468   root        systemd-journal   chown, dac_override, dac_read_search, fowner, setgid, setuid, sys_ptrace, sys_admin, audit_control, mac_override, syslog, audit_read
1     480   root        lvmetad           full
1     492   root        systemd-udevd     full
1     1040  root        rpc.idmapd        full
1     1062  root        rpc.gssd          full
1     1184  messagebus  dbus-daemon       audit_write +
1     1209  root        NetworkManager    dac_override, kill, setgid, setuid, net_bind_service, net_admin, net_raw, sys_module, sys_chroot, audit_write

Answer 3

Another method, that I've come across a while ago in this blog post by Brendan Gregg is to use capabilities tracer - capable.

Below is a sample output:

$ sudo /usr/share/bcc/tools/capable
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
11:31:54  0      2467   capable          21   CAP_SYS_ADMIN        1
11:31:54  0      2467   capable          21   CAP_SYS_ADMIN        1
11:31:59  1000   2468   ls               1    CAP_DAC_OVERRIDE     1
11:31:59  1000   2468   ls               2    CAP_DAC_READ_SEARCH  1
11:32:02  0      1421   timesync         25   CAP_SYS_TIME         1
11:32:05  1000   2469   sudo             7    CAP_SETUID           1
11:32:05  0      2469   sudo             6    CAP_SETGID           1

It has a significant advantage of recording capability checks made by kernel for a given process. This allows to profile the application against the capabilities that it actually requires, e.g. to narrow down the privileges and execute it as an unprivileged user.

While pscap allows to list the effective capabilities of all running processes, it does not offer a reliable method of checking which capabilities are in fact required by the process, because:

• A process may have capability X in its permitted set and only raise it to the effective set for a short time to perform a privileged operation.
• A process could have started with broader set of capabilities, do the initialization requiring elevated privileges, and drop some (or all) capabilities (e.g. ping opening a raw socket).
• It works only for processes that are already running in capabilities-based manner. What if you had to determine the minimal capability set required for your newly developed application?
• It does not allow to correlate privilege checks made for application with the operations it performs, with capable you get timestamps for ever single check.

The sources for capable are available on github. Installation instructions for BCC (including capable) are available here. For further description please refer to the blog post mentioned at the beginning, please also note that capable requires kernel 4.4+, an alternative for older kernels is available in the blog post as well.

Note: I'm not the author, nor am I affiliated with the tool developers in any way. I just wanted to bring it to wider audience, since I have personally used it to develop a capabilities profile for a complex monitoring application that previously required full root privileges to run, and found this tracer to be of tremendous help.