Lcap (cont)
    root# lcap -v CAP_SYS_PTRACE
    Current capabilities: 0xFFFFFEFF
    Removing capabilities: 
               19) CAP_SYS_PTRACE              strace(2)
    root# lcap   
    Current capabilities: 0xFFF7FEFF
        0) *CAP_CHOWN                   1) *CAP_DAC_OVERRIDE         
        2) *CAP_DAC_READ_SEARCH         3) *CAP_FOWNER               
        4) *CAP_FSETID                  5) *CAP_KILL                 
        6) *CAP_SETGID                  7) *CAP_SETUID               
        8)  CAP_SETPCAP                 9) *CAP_LINUX_IMMUTABLE      
       10) *CAP_NET_BIND_SERVICE       11) *CAP_NET_BROADCAST        
       ...
  root# strace /bin/ls 
  strace: exec: Operation not permitted

Copyright 2003, Bri Hatch of Onsight, Inc.

Presented at ISSA Puget Sound, 2003.

Presentation created using vim and MagicPoint.