Had a problem today where a root process was unable to read files owned by other users. I looked through the strace and there were no set*uid calls (setuid, seteuid, setresuid and friends) that might have switched the process to a different user:
[pid 12930] geteuid() = 0
[pid 12930] open("/opt/tomcat/conf/logging.properties", O_RDONLY) = -1 EACCES (Permission denied)
Then I noticed this call:
[pid 12930] capset(0x19980330, 0, {CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE, CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE, CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE}) = 0
It appears this call removes useful capabilities such as CAP_DAC_OVERRIDE, which lets a process bypass file permission checks and so read files it does not own. The three braces are the new effective, permitted and inheritable sets, and each contains only CAP_SETGID, CAP_SETUID and CAP_NET_BIND_SERVICE, so having euid 0 is no longer enough to get past a mode that denies root access (the open() above fails with EACCES for exactly that reason).
(blah blah blah... tomcat shouldn't be running as root)
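As an added example (not code from the original post), here is a small C program that reads the calling thread's capability sets with the raw capget/capset syscalls, checks whether CAP_DAC_OVERRIDE is in the effective set, and drops it the way the traced capset() did. It assumes a Linux host; it uses the v3 header magic 0x20080522 rather than the v1 value 0x19980330 seen in the trace, so all 64 capability bits are handled.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw capget/capset layout from linux/capability.h; v3 uses two 32-bit words per set. */
#define CAP_VERSION_3    0x20080522u
#define CAP_DAC_OVERRIDE 1u  /* bypass file read/write/execute permission checks */

struct cap_hdr  { uint32_t version; int pid; };          /* pid 0 = calling thread */
struct cap_data { uint32_t effective, permitted, inheritable; };

/* Fill d[0..1] with the current sets. Returns 0 on success, -errno on failure. */
static int read_caps(struct cap_data d[2]) {
    struct cap_hdr h = { CAP_VERSION_3, 0 };
    return syscall(SYS_capget, &h, d) == 0 ? 0 : -errno;
}

/* 1 if capability number cap is in the effective set, 0 if not, -errno on error. */
int has_effective_cap(unsigned cap) {
    struct cap_data d[2];
    if (cap >= 64) return -EINVAL;            /* only two 32-bit words exist */
    int rc = read_caps(d);
    if (rc) return rc;
    return (d[cap / 32].effective >> (cap % 32)) & 1u;
}

/* Drop cap from the effective set only (the trace above rewrote all three sets).
 * Shrinking a set is always permitted by the kernel's capset() rules, so this
 * works for root and for an unprivileged process alike. Returns 0 or -errno. */
int drop_effective_cap(unsigned cap) {
    struct cap_hdr h = { CAP_VERSION_3, 0 };
    struct cap_data d[2];
    if (cap >= 64) return -EINVAL;
    int rc = read_caps(d);
    if (rc) return rc;
    d[cap / 32].effective &= ~(1u << (cap % 32));
    return syscall(SYS_capset, &h, d) == 0 ? 0 : -errno;
}

int main(void) {
    printf("CAP_DAC_OVERRIDE effective before: %d\n", has_effective_cap(CAP_DAC_OVERRIDE));
    int rc = drop_effective_cap(CAP_DAC_OVERRIDE);
    printf("capset rc=%d, effective after: %d\n", rc, has_effective_cap(CAP_DAC_OVERRIDE));
    return rc ? 1 : 0;
}
```

Run it as root and then as a normal user to see the "before" value change; `grep Cap /proc/<pid>/status` shows the same sets as hex masks for any running process, which is the quick way to confirm a daemon has been stripped of CAP_DAC_OVERRIDE.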