TIL

TIL - strace and capabilites

Posted by Marcus Folkesson on Sunday, September 8, 2024

TIL - strace and capabilities

TIL, Today I Learned, is more of a "I just figured this out: here are my notes, you may find them useful too" rather than a full blog post

strace [1] is a terrific tool to trace system calls and signals for a specific command.

The fact that programs using the setuid bit do not have the effective user ID priviliges when being traced was something I already knew, but that the same was true to capabilites [2] was new to me.

To run an application with the correct capabilites (and setuid/setgid) you have to provide --user to strace

-u username
--user=username
        Run command with the user ID, group ID, and supplementary
        groups of username.  This option is only useful when
        running as root and enables the correct execution of
        setuid and/or setgid binaries.  Unless this option is used
        setuid and setgid programs are executed without effective
        privileges.

In other words, to trace the application my-application as the user marcus with all capabilites set, do as follows:

1$ sudo strace --output=trace.log --user=marcus ./my-application
CATALOG
    FEATURED TAGS
    audio beer birds blacksmith booting buildroot camera clockwork cultivation debugging dnd docker git go ham knives leatherwork libostree linux linux kernel network programming qemu radio swupdate systemd til tools v4l2 vim wireless yocto zephyr