TIL - strace and capabilities
TIL, Today I Learned, is more of a "I just figured this out: here are my notes, you may find them useful too" rather than a full blog post
strace [1] is a terrific tool to trace system calls and signals for a specific command.
The fact that programs using the setuid bit do not have the effective user ID privileges when being traced was something I already knew, but that the same is true for capabilities [2] was new to me.
To run an application with the correct capabilities (and setuid/setgid) you have to pass --user to strace:
-u username --user=username Run command with the user ID, group ID, and supplementary groups of username. This option is only useful when running as root and enables the correct execution of setuid and/or setgid binaries. Unless this option is used setuid and setgid programs are executed without effective privileges.
In other words, to trace the application my-application as the user marcus with all capabilities set, do as follows:
$ sudo strace --output=trace.log --user=marcus ./my-application
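A quick way to confirm what the traced process actually ends up with is to read its effective capability mask (CapEff in /proc/PID/status) while it runs with and without --user. This is an added helper script, not part of the original post; the capability numbers in the table are the standard Linux values, and the PID argument is whatever strace's -o/-p or a second shell gives you.

```bash
#!/bin/bash
# Added example: decode the effective capability set of a process.
# Usage: ./capeff.sh [PID]   (defaults to the current shell)

# capeff_hex PID -> print the CapEff hex mask from /proc/PID/status
capeff_hex() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# cap_bit_set HEXMASK BIT -> exit 0 if capability number BIT is set in HEXMASK
cap_bit_set() {
    local mask=$1 bit=$2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# decode_capeff HEXMASK -> print the names of the set bits that we know about,
# lowest bit first, space separated (subset of the kernel's capability table)
decode_capeff() {
    local mask=$1 out="" entry bit name
    for entry in 0:CAP_CHOWN 1:CAP_DAC_OVERRIDE 2:CAP_DAC_READ_SEARCH \
                 3:CAP_FOWNER 5:CAP_KILL 6:CAP_SETGID 7:CAP_SETUID \
                 10:CAP_NET_BIND_SERVICE 12:CAP_NET_ADMIN 13:CAP_NET_RAW \
                 18:CAP_SYS_CHROOT 19:CAP_SYS_PTRACE 21:CAP_SYS_ADMIN; do
        bit=${entry%%:*}; name=${entry#*:}
        if cap_bit_set "$mask" "$bit"; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# report PID -> one line: the raw mask and the decoded names
report() {
    local mask
    mask=$(capeff_hex "$1")
    printf 'pid %s CapEff=%s %s\n' "${1:-self}" "$mask" "$(decode_capeff "$mask")"
}

# Run directly: report on the PID given (or ourselves). When sourced, only
# the functions are defined, so they can be called from another shell.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    report "$1"
fi
```

A binary that should hold CAP_NET_BIND_SERVICE will show an empty CapEff under plain `sudo strace ./my-application`, and the expected bits once `--user=marcus` is added.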