NAME | SYNOPSIS | DESCRIPTION | OPTIONS | SEE ALSO | AUTHOR | COLOPHON

CAPTEST:(8)            System Administration Utilities           CAPTEST:(8)

NAME         top

       captest - a program to demonstrate capabilities

SYNOPSIS         top

       captest [ --drop-all | --drop-caps | --id ] [ --init-grp ] [ --lock ]
       [ --text ]

DESCRIPTION         top

       captest is a program that demonstrates and prints out the current
       process capabilities. Each option prints the same report. It will
       output current capabilities. then it will try to access /etc/shadow
       directly to show if that can be done. Then it creates a child process
       that attempts to read /etc/shadow and outputs the results of that.
       Then it outputs the capabilities that a child process would have.

       You can also apply file system capabilities to this program to study
       how they work. For example, filecap /usr/bin/captest chown. Then run
       captest as a normal user. Another interesting test is to make captest
       suid root so that you can see what the interaction is between root's
       credentials and capabilities. For example, chmod 4755
       /usr/bin/captest. When run as a normal user, the program will see if
       privilege escalation is possible. But do not leave this app setuid
       root after you are don testing so that an attacker cannot take
       advantage of it.

OPTIONS         top

       --drop-all
              This drops all capabilities and clears the bounding set.

       --drop-caps
              This drops just traditional capabilities.

       --id   This changes to uid and gid 99, drops supplemental groups, and
              clears the bounding set.

       --init-grp
              This changes to uid and gid 99 and then adds any supplemental
              groups that comes with that account. You would have add them
              prior to testing because by default there are no supplemental
              groups on account 99.

       --text This option outputs the effective capabilities in text rather
              than numerically.

       --lock This prevents the ability for child processes to regain
              privileges if the uid is 0.

SEE ALSO         top

       filecap(8), capabilities(7)

AUTHOR         top

       Steve Grubb

COLOPHON         top

       This page is part of the libcap-ng (capabilities commands and library
       (NG)) project.  Information about the project can be found at 
       ⟨https://people.redhat.com/sgrubb/libcap-ng/⟩.  It is not known how to
       report bugs for this man page; if you know, please send a mail to
       man-pages@man7.org.  This page was obtained from the tarball libcap-
       ng-0.7.8.tar.gz fetched from 
       ⟨https://people.redhat.com/sgrubb/libcap-ng/index.html⟩ on 2017-09-15.
       If you discover any rendering problems in this HTML version of the
       page, or you believe there is a better or more up-to-date source for
       the page, or you have corrections or improvements to the information
       in this COLOPHON (which is not part of the original manual page),
       send a mail to man-pages@man7.org

Red Hat                           June 2009                      CAPTEST:(8)