Suppose we have a program that is unaware of capabilities and that is provided only in binary form, or we have a program whose source code is too large for us to easily read to determine which capabilities might be required to run it. If the program requires privileges, but shouldn’t be a set-user-ID-root program, then how can we determine the permitted capabilities to assign to the executable file with setcap(8)? There are two ways to answer this question:
Use strace(1) (Appendix A) to see which system call fails with the error EPERM, the error used to indicate the lack of a required capability. By consulting the system call’s manual page or the kernel source code, we can then deduce what capability is required. This approach isn’t perfect, because an EPERM error can occasionally be generated for other reasons, some of which may have nothing to do with the capability requirements for the program. Furthermore, programs may legitimately make a system call that requires privilege, and then change their behavior after determining that they don’t have privilege for a particular operation. It can sometimes be difficult to distinguish such “false positives” when trying to determine the capabilities that an executable really does need.
Use a kernel probe to produce monitoring output when the kernel is asked to perform capability checks. An example of how to do this is provided in [Hallyn, 2007], an article written by one of the developers of file capabilities. For each request to check a capability, the probe shown in the article logs the kernel function that was called, the capability that was requested, and the name of the requesting program. Although this approach requires more work than the use of strace(1), it can also help us more accurately determine the capabilities that a program requires.