TIL - strace and capabilities

Posted by Marcus Folkesson on Sunday, September 8, 2024

TIL, Today I Learned, is more of a "I just figured this out: here are my notes, you may find them useful too" than a full blog post.

strace [1] is a terrific tool to trace system calls and signals for a specific command.

I already knew that programs using the setuid bit do not get the effective user ID privileges when being traced, but that the same is true of capabilities [2] was new to me.

To run an application with the correct capabilities (and setuid/setgid) under strace, you have to provide --user:

-u username
--user=username
        Run command with the user ID, group ID, and supplementary
        groups of username.  This option is only useful when
        running as root and enables the correct execution of
        setuid and/or setgid binaries.  Unless this option is used
        setuid and setgid programs are executed without effective
        privileges.

In other words, to trace the application my-application as the user marcus with all capabilities set, do as follows:

$ sudo strace --output=trace.log --user=marcus ./my-application
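Two checks, added here as an example and not part of the original post, for confirming afterwards whether the traced program really ran with its privileges: scanning the trace.log written by --output for syscalls refused with EPERM/EACCES (the typical symptom of a dropped capability), and decoding the CapEff mask a process reports in /proc/<pid>/status. The log lines and status text below are constructed samples; the capability bit numbers follow linux/capability.h.

```shell
#!/bin/sh
# Added example (not from the original post): verify whether a program traced
# with strace actually ran with its capabilities.

# 1. List syscalls in an strace log that failed for lack of privilege.
#    Matches strace's default line format: name(args) = -1 EPERM (...)
privilege_failures() {
    # $1: path to a log written with strace --output=...
    grep -E '= -1 (EPERM|EACCES) ' "$1"
}

count_privilege_failures() {
    privilege_failures "$1" | wc -l | tr -d ' '
}

# 2. Decode the effective capability set from /proc/<pid>/status text.
cap_eff_hex() {
    # $1: contents of a status file; prints the CapEff hex mask
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

has_cap() {
    # $1: hex mask, $2: capability number (12 = CAP_NET_ADMIN, 13 = CAP_NET_RAW)
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Constructed sample log: a raw-socket open as it looks when the traced
# program lost CAP_NET_RAW, between two ordinary lines.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
execve("./my-application", ["./my-application"], 0x7ffd1c2e3f40 /* 20 vars */) = 0
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
write(2, "permission denied\n", 18)     = 18
EOF

# Constructed sample status: a process holding the full capability set.
SAMPLE_STATUS='Name:   my-application
Uid:    1000    1000    1000    1000
CapEff: 000001ffffffffff'

if [ "$(count_privilege_failures "$SAMPLE_LOG")" -ne 0 ]; then
    echo "trace shows privilege failures; re-run strace as root with --user:"
    privilege_failures "$SAMPLE_LOG"
fi
```

Point privilege_failures at your own trace.log; a run that went through --user correctly should show none of these lines for the capability-guarded calls, while has_cap lets you confirm a specific bit such as 13 (CAP_NET_RAW) in a CapEff value you copied from the traced process.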