Welcome to Vigges Developer Community - Open, Learning, Share
Welcome To Ask or Share your Answers For Others

0 votes
1.0k views
in Technique by (71.8m points)

debugging - How to find out what Linux capabilities a process requires to work?

I am in a difficult situation where I don't know what Linux capabilities a process requires to work. What is the best way, or any way, to find out what cap is required?

The only thing I can think of right now is using capsh to drop all caps on a process. The process then fails and I start to add caps (by removing --drop=CAP_XZY) until it works.

Any better suggestions?


1 Answer

0 votes
by (71.8m points)

Turns out it is easier than expected. Install libcap-ng (https://people.redhat.com/sgrubb/libcap-ng/) and use pscap.

In Ubuntu 16.04, it can be installed with:

sudo apt-get install libcap-ng-utils

Sample output excerpt:

ppid  pid   name        command           capabilities
1     468   root        systemd-journal   chown, dac_override, dac_read_search, fowner, setgid, setuid, sys_ptrace, sys_admin, audit_control, mac_override, syslog, audit_read
1     480   root        lvmetad           full
1     492   root        systemd-udevd     full
1     1040  root        rpc.idmapd        full
1     1062  root        rpc.gssd          full
1     1184  messagebus  dbus-daemon       audit_write +
1     1209  root        NetworkManager    dac_override, kill, setgid, setuid, net_bind_service, net_admin, net_raw, sys_module, sys_chroot, audit_write
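
pscap reports the capabilities each process currently holds, which the kernel also exposes as hex masks in /proc/<pid>/status. The following added example (not part of the original answer or of libcap-ng) decodes those masks for one process; the sample status text and the last_cap value of 37 used with it are constructed assumptions chosen to match the NetworkManager row above.

```python
import sys
# Capability numbers 0..40, in the order of include/uapi/linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

def parse_status(text):
    # Return {'CapInh': int, 'CapPrm': int, ...} from /proc/<pid>/status text.
    masks = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
            masks[key] = int(value.strip(), 16)
    return masks

def cap_names(mask, last_cap):
    # Decode a mask into names; ['full'] when every bit 0..last_cap is set.
    everything = (1 << (last_cap + 1)) - 1
    if mask & everything == everything:
        return ["full"]
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit
            for bit in range(mask.bit_length()) if mask >> bit & 1]

# Constructed sample: masks matching the NetworkManager row in the output above.
SAMPLE_STATUS = """Name:\tNetworkManager
CapInh:\t0000000000000000
CapPrm:\t00000000200534e2
CapEff:\t00000000200534e2
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    # Usage: script.py [pid]; defaults to the current process.
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open("/proc/%s/status" % pid) as f:
        status = f.read()
    with open("/proc/sys/kernel/cap_last_cap") as f:
        last_cap = int(f.read())
    for key, mask in parse_status(status).items():
        print(key, ", ".join(cap_names(mask, last_cap)) or "none")
```

CapEff is the set the kernel checks for permission decisions; CapPrm and CapBnd show what the process could still raise or acquire.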
