freebsd man page for captest

CAPTEST:(8)						  System Administration Utilities					       CAPTEST:(8)

NAME
       captest - a program to demonstrate capabilities

SYNOPSIS
       captest [ --drop-all | --drop-caps | --id ] [ --lock ] [ --text ]

DESCRIPTION
       captest	is a program that demonstrates and prints out the current process capabilities. Each option prints the same report. It will output
       current capabilities. then it will try to access /etc/shadow directly to show if that can be done. Then it creates  a  child  process  that
       attempts to read /etc/shadow and outputs the results of that. Then it outputs the capabilities that a child process would have.

       You  can  also apply file system capabilities to this program to study how they work. For example, filecap /usr/bin/captest chown. Then run
       captest as a normal user. Another interesting test is to make captest suid root so that you can see what the interaction is between  root's
       credentials  and capabilities. For example, chmod 4755 /usr/bin/captest. When run as a normal user, the program will see if privilege esca-
       lation is possible. But do not leave this app setuid root after you are don testing so that an attacker cannot take advantage of it.

OPTIONS
       --drop-all
	      This drops all capabilities and clears the bounding set.

       --drop-caps
	      This drops just traditional capabilities.

       --id   This changes to uid and gid 99, drops supplemental groups, and clears the bounding set.

       --text This option outputs the effective capabilities in text rather than numerically.

       --lock This prevents the ability for child processes to regain privileges if the uid is 0.

SEE ALSO
       filecap(8), capabilities(7)

AUTHOR
       Steve Grubb

Red Hat 							     June 2009							       CAPTEST:(8)