I am in a difficult situation where I don't know what Linux capabilities a process requires to work.
What is the best way, or any way, to find out what capability is required?
The only thing I can think of right now is using capsh and dropping all capabilities on a process. The process then fails and I start to add capabilities (by removing --drop=CAP_XZY) until it works.
Any better suggestions?
Description: From here: getpcaps displays the capabilities on the processes indicated by the pid value(s) given on the command line.
Example:
$ getpcaps <PID>
PID: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+i
Description: proc is a process information pseudo-filesystem or in other words - a directory where you can view information on all processes.
Example:
$ cat /proc/<PID>/status | grep Cap
And you'll get (on most systems):
CapInh: 00000000a80425fb (Inherited capabilities)
CapPrm: 0000000000000000 (Permitted capabilities)
CapEff: 0000000000000000 (Effective capabilities)
CapBnd: 00000000a80425fb (Bounding set)
CapAmb: 000000000000000 (Ambient capabilities set)
About capsh: Linux capability support and use can be explored and constrained with this tool. This tool provides a handy wrapper for certain types of capability testing and environment creation. It also provides some debugging features useful for summarizing capability state.
Use the capsh utility to decode from hexadecimal numbers into the capabilities name:
capsh --decode=00000000a80425fb
0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
(*) You can download capsh with: sudo apt-get install git libpcap-dev.
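As an added example (not part of the question or the answer above), the following Python script does what the answer does with `grep Cap` and `capsh --decode`, but without depending on capsh being installed: it parses the five `Cap*` lines of `/proc/<PID>/status`, decodes each hexadecimal mask into `cap_*` names using the standard kernel bit numbering from `linux/capability.h`, and builds the `--drop=` argument for the "drop everything, then add capabilities back until it works" loop from the question. The function names (`decode_mask`, `parse_status`, `decode_status`, `read_process_caps`, `drop_list`) are my own, and `STATUS_SAMPLE` is a constructed copy of the values shown in the answer, so the script runs offline; `read_process_caps` is the only part that needs a real Linux `/proc`.

```python
"""Decode /proc/<PID>/status capability masks into names (added example)."""
from __future__ import annotations

import re

# Standard Linux capability numbering: list index == bit number in the mask
# (from linux/capability.h). The names are the lower-case spellings that
# capsh --decode and getpcaps print, minus the "cap_" prefix.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Matches "CapEff:\t0000000000000000" and tolerates trailing text.
_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)")


def decode_mask(mask: int) -> list[str]:
    """Turn a capability bitmask into cap_* names, lowest bit first
    (the same order capsh --decode uses)."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            if bit < len(CAP_NAMES):
                names.append(f"cap_{CAP_NAMES[bit]}")
            else:
                # Bit from a kernel newer than this table; label it by number.
                names.append(f"cap_{bit}")
        bit += 1
    return names


def parse_status(text: str) -> dict[str, int]:
    """Extract the five Cap* masks (as integers) from /proc/<PID>/status text."""
    masks = {}
    for line in text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def decode_status(text: str) -> dict[str, list[str]]:
    """Decode every Cap* set found in the status text into names."""
    return {name: decode_mask(mask) for name, mask in parse_status(text).items()}


def read_process_caps(pid: int | str = "self") -> dict[str, list[str]]:
    """Read and decode the capability sets of a live process (Linux only)."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as f:
        return decode_status(f.read())


def drop_list(keep: list[str]) -> str:
    """Build the value for capsh --drop=...: every known capability except the
    ones in `keep`. Re-run the process with a growing `keep` list to find the
    minimal set it actually needs (the approach described in the question)."""
    keep_set = {k.lower() for k in keep}
    return ",".join(f"cap_{n}" for n in CAP_NAMES if f"cap_{n}" not in keep_set)


# Constructed sample: the Cap lines from the answer above, in the layout the
# real file uses (tab-separated, no parenthetical comments).
STATUS_SAMPLE = """\
Name:\tbash
CapInh:\t00000000a80425fb
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for set_name, names in decode_status(STATUS_SAMPLE).items():
        print(f"{set_name}: {','.join(names) or '(none)'}")
    # First iteration of the question's loop: keep nothing but one capability.
    print("--drop=" + drop_list(["cap_net_bind_service"]))
```

On the sample, `CapEff` decodes to nothing and `CapBnd` to the fourteen names the answer shows for `capsh --decode=00000000a80425fb`; the effective set is what the process can actually use at the moment you look, while the bounding set is the ceiling it could ever be granted, so reading only one of the two can be misleading when deciding what a service still needs.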