2022-09-01 22:26 (UTC+0300), Dmitry Kozlyuk:
> 2022-09-01 17:42 (UTC+0300), Dmitry Kozlyuk:
> > Theoretically, one can enumerate all capabilities, give all capabilities
> > except one to the binary, try to run it, and notice which capability removal
> > leads to a failure. However, `setcap "all=ep $capa-ep" ./binary`
> > did not give the correct answer to me (why?), so I did it semi-manually.
>
> Aha! CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are not orthogonal:
> they both allow bypassing the file read permission check.
>
> I have a working script here: ...
Apparently, a better alternative is already out there: https://github.com/iovisor/bcc/blob/master/tools/capable_example.txt
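The "drop one capability at a time" approach from the quoted message, written out as an added example (this is not the script referred to in the thread, nor anything from the bcc project). It grants `all=ep` minus one capability, runs the binary, and records each capability whose removal makes the run fail; because CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH both satisfy a read permission check, it also retries with the two removed together, which a single-capability sweep cannot detect. The capability list is read from `capsh --print` when available and falls back to a constructed list otherwise; the binary path and the assumption that it takes no arguments and exits non-zero on failure are assumptions of the example. Running `find_required` needs root and libcap's `setcap`.

```shell
#!/bin/sh
# Added example: bisect which Linux capabilities a binary actually needs.
# Assumes: root, libcap's setcap/capsh, and a binary that exits non-zero
# when it lacks a capability it needs.

# drop_spec CAP...: build the setcap text that grants everything except CAP...
# e.g. drop_spec cap_chown -> "all=ep cap_chown-ep"
drop_spec() {
    spec="all=ep"
    for cap in "$@"; do
        spec="$spec $cap-ep"
    done
    printf '%s' "$spec"
}

# list_caps: one capability name per line, taken from the kernel's bounding
# set as printed by capsh; falls back to a constructed list without capsh.
list_caps() {
    if command -v capsh >/dev/null 2>&1; then
        capsh --print | sed -n 's/^Bounding set =//p' | tr ',' '\n' \
            | sed 's/^[[:space:]]*//' | grep .
    else
        # Constructed fallback list (not the real, full capability set).
        printf '%s\n' cap_chown cap_dac_override cap_dac_read_search \
            cap_net_bind_service
    fi
}

# probe BINARY CAP...: give BINARY every capability except CAP..., run it,
# and return its exit status (2 if setcap itself failed).
probe() {
    bin=$1; shift
    setcap "$(drop_spec "$@")" "$bin" || return 2
    "$bin" >/dev/null 2>&1
}

# find_required BINARY: print each capability whose removal breaks BINARY.
find_required() {
    bin=$1
    needed=""
    for cap in $(list_caps); do
        if ! probe "$bin" "$cap"; then
            needed="$needed $cap"
        fi
    done
    # Overlap check: a file read is allowed by either DAC capability, so
    # dropping one alone proves nothing. Retry with both removed unless one
    # of them was already flagged.
    case " $needed " in
        *" cap_dac_override "*|*" cap_dac_read_search "*) ;;
        *) probe "$bin" cap_dac_override cap_dac_read_search \
               || needed="$needed cap_dac_override|cap_dac_read_search" ;;
    esac
    setcap -r "$bin" 2>/dev/null   # clear the test capabilities again
    for cap in $needed; do printf '%s\n' "$cap"; done
}

# Usage: sudo ./capbisect.sh ./binary
if [ $# -ge 1 ]; then
    find_required "$1"
fi
```

A line of the form `cap_dac_override|cap_dac_read_search` means the binary needs at least one of the two, which is exactly the case where the single-capability sweep reports nothing. If the binary needs arguments or a working directory, wrap it in a small shell script and pass that as the path.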
