The Lounge What is on Your Mind? Cybercrime marketplace Post 303044597 by hicksd8 on Thursday 27th of February 2020 06:07:23 AM
Cybercrime marketplace

A quote from one of my colleagues on LinkedIn makes interesting reading...

Quote:
A small change in the Google Chrome 80 browser has had a devastating effect on one of today's top cybercrime marketplaces.
Genesis Store, which in less than 15 months has become one of the leading underground marketplaces, has been seriously affected, according to KELA's latest research, seeing a 35% drop in the number of hacked credentials sold on the site.
CAPTEST:(8)                                               System Administration Utilities                                              CAPTEST:(8)

NAME
       captest - a program to demonstrate capabilities

SYNOPSIS
       captest [ --drop-all | --drop-caps | --id ] [ --lock ] [ --text ]

DESCRIPTION
       captest is a program that demonstrates and prints out the current process capabilities. Each option prints the same report. It will output current capabilities. Then it will try to access /etc/shadow directly to show if that can be done. Then it creates a child process that attempts to read /etc/shadow and outputs the results of that. Then it outputs the capabilities that a child process would have.

       You can also apply file system capabilities to this program to study how they work. For example, filecap /usr/bin/captest chown. Then run captest as a normal user. Another interesting test is to make captest suid root so that you can see what the interaction is between root's credentials and capabilities. For example, chmod 4755 /usr/bin/captest. When run as a normal user, the program will see if privilege escalation is possible. But do not leave this app setuid root after you are done testing so that an attacker cannot take advantage of it.

OPTIONS
       --drop-all
              This drops all capabilities and clears the bounding set.

       --drop-caps
              This drops just traditional capabilities.

       --id   This changes to uid and gid 99, drops supplemental groups, and clears the bounding set.

       --text This option outputs the effective capabilities in text rather than numerically.

       --lock This prevents the ability for child processes to regain privileges if the uid is 0.

SEE ALSO
       filecap(8), capabilities(7)

AUTHOR
       Steve Grubb

Red Hat                                                          June 2009                                                          CAPTEST:(8)
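
The report the DESCRIPTION outlines can be approximated without captest by decoding the Cap* masks in /proc/<pid>/status. The following is an added example, not part of captest or of this man page; the function names are hypothetical and SAMPLE is a constructed status excerpt for an unprivileged process whose binary was given the chown file capability.

```python
import os

# Capability names by bit number, in linux/capability.h order.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()
SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def decode_mask(mask):
    """Return the name of every capability bit set in mask."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"cap_{b}"
            for b in range(mask.bit_length()) if (mask >> b) & 1]

def capability_report(status_text):
    """Parse the Cap* lines of /proc/<pid>/status into {set: [names]}."""
    report = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in SETS:
            report[key] = decode_mask(int(value.strip(), 16))
    return report

def can_bypass_read_checks(report):
    """True if an effective capability overrides file read permissions,
    which is what would let a non-root process read /etc/shadow."""
    effective = set(report.get("CapEff", []))
    return bool({"dac_override", "dac_read_search"} & effective)

# Constructed sample, not captured from a real system.
SAMPLE = (
    "Name:\tcaptest\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000001\n"
    "CapEff:\t0000000000000001\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    path = "/proc/self/status"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    report = capability_report(text)
    for name, caps in report.items():
        print(f"{name}: {', '.join(caps) or 'none'}")
    print("read checks bypassed:", can_bypass_read_checks(report))
```
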