This is a simple demonstration of the Linux capability cap_dac_read_search. The program reads the given file and prints its content.
g++ readfile.cpp -o readfile
./setup.sh
Note: The script sets up the test environment. It creates the directories and files below with the permissions shown:
drwxr-xr-x root:root /readall/all.txt
drwxr-x--- root:root /restricted/r.txt
getcap readfile
./readfile /readall/all.txt - shows the contents of hello.txt
./readfile /restricted/r.txt - fails with a permission denied error
setcap 'cap_dac_read_search+ep' readfile
Note: The capability CAP_DAC_READ_SEARCH bypasses file read permission checks and directory read and execute permission checks.
getcap readfile
./readfile /readall/all.txt
./readfile /restricted/r.txt
./cleanup.sh
If a service needs to read privileged directories or files, it can still run as non-root with only cap_dac_read_search. This capability bypasses file read permission checks and directory read and execute permission checks.
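An added example, not the repository's readfile.cpp: a reader that first reports whether CAP_DAC_READ_SEARCH is in its effective set, by parsing the CapEff line of /proc/self/status, and then attempts the read. The function names and the status-file check are assumptions made for illustration.

```cpp
// Added example, not the repository's readfile.cpp; helper names are hypothetical.
#include <cerrno>
#include <cstdint>
#include <cstring>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>

// Bit number of CAP_DAC_READ_SEARCH in <linux/capability.h>.
constexpr int kCapDacReadSearch = 2;

// Parse the CapEff mask from /proc/<pid>/status text; false if absent or malformed.
bool parse_cap_eff(std::istream& status, std::uint64_t& mask) {
    std::string line;
    while (std::getline(status, line)) {
        if (line.rfind("CapEff:", 0) != 0) continue;
        std::istringstream field(line.substr(7));
        return static_cast<bool>(field >> std::hex >> mask);
    }
    return false;
}

bool has_cap(std::uint64_t mask, int cap) { return (mask >> cap) & 1u; }

// Read the whole file; on Linux a failed open leaves the reason in errno.
bool read_file(const std::string& path, std::string& out) {
    errno = 0;
    std::ifstream in(path, std::ios::binary);
    if (!in) return false;
    std::ostringstream buf;
    buf << in.rdbuf();
    out = buf.str();
    return true;
}

int main(int argc, char** argv) {
    if (argc != 2) { std::cerr << "usage: " << argv[0] << " <file>\n"; return 2; }
    std::ifstream status("/proc/self/status");
    std::uint64_t eff = 0;
    bool held = parse_cap_eff(status, eff) && has_cap(eff, kCapDacReadSearch);
    std::cerr << "cap_dac_read_search effective: " << (held ? "yes" : "no") << "\n";
    std::string data;
    if (!read_file(argv[1], data)) {
        std::cerr << argv[1] << ": " << std::strerror(errno) << "\n";
        return 1;
    }
    std::cout << data;
    return 0;
}
```

Run before and after the setcap step, it reports "no" and then "yes" on the first line. The capability is not limited to /restricted: it applies to every file and directory the process tries to read.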