Merge branch 'maybe-for-v2.32' of https://github.com/rudimeier/util-linux

[thirdparty/util-linux.git] / sys-utils / setpriv.1

.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
.SH NAME
setpriv \- run a program with different Linux privilege settings
.SH SYNOPSIS
.B setpriv
[options]
.I program
.RI [ arguments ]
.SH DESCRIPTION
Sets or queries various Linux privilege settings that are inherited across
.BR execve (2).
.PP
The difference between the commands setpriv and su (or runuser) is that setpriv does
not use open PAM session and does not ask for password.
It's simple non-set-user-ID wrapper around
.B execve
system call.
.SH OPTION
.TP
.B \-\-clear\-groups
Clear supplementary groups.
.TP
.BR \-d , " \-\-dump"
Dump current privilege state.  Can be specified more than once to show extra,
mostly useless, information.  Incompatible with all other options.
.TP
.B \-\-groups \fIgroup\fR...
Set supplementary groups.  The argument is a comma-separated list.
.TP
.BR \-\-inh\-caps " (" + | \- ) \fIcap "...  or  " \-\-ambient-caps " (" + | \- ) \fIcap "...  or  " \-\-bounding\-set " (" + | \- ) \fIcap ...
Set the inheritable capabilities, ambient capabilities or the capability bounding set.  See
.BR capabilities (7).
The argument is a comma-separated list of
.BI + cap
and
.BI \- cap
entries, which add or remove an entry respectively. \fIcap\fR can either be a
human-readable name as seen in
.BR capabilities (7)
without the \fIcap_\fR prefix or of the format
.BI cap_N ,
where \fIN\fR is the internal capability index used by Linux.
.B +all
and
.B \-all
can be used to add or remove all caps.  The set of capabilities starts out as
the current inheritable set for
.BR \-\-inh\-caps ,
the current ambient set for
.B \-\-ambient\-caps
and the current bounding set for
.BR \-\-bounding\-set .
If you drop something from the bounding set without also dropping it from the
inheritable set, you are likely to become confused.  Do not do that.
.TP
.B \-\-keep\-groups
Preserve supplementary groups.  Only useful in conjunction with
.BR \-\-rgid ,
.BR \-\-egid ", or"
.BR \-\-regid .
.TP
.B \-\-init\-groups
Initialize supplementary groups using
.BR initgroups "(3)."
Only useful in conjunction with
.BR \-\-ruid
or
.BR \-\-reuid .
.TP
.BR \-\-list\-caps
List all known capabilities.  This option must be specified alone.
.TP
.B \-\-no\-new\-privs
Set the
.I no_new_privs
bit.  With this bit set,
.BR execve (2)
will not grant new privileges.
For example, the set-user-ID and set-group-ID bits as well
as file capabilities will be disabled.  (Executing binaries with these bits set
will still work, but they will not gain privileges.  Certain LSMs, especially
AppArmor, may result in failures to execute certain programs.)  This bit is
inherited by child processes and cannot be unset.  See
.BR prctl (2)
and
.IR Documentation/\:prctl/\:no_\:new_\:privs.txt
in the Linux kernel source.
.sp
The no_new_privs bit is supported since Linux 3.5.
.TP
.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
Set the real, effective, or both GIDs.  The \fIgid\fR argument can be
given as textual group name.
.sp
For safety, you must specify one of
.BR \-\-clear\-groups ,
.BR \-\-groups ", or"
.BR \-\-keep\-groups
if you set any primary
.IR gid .
.TP
.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
Set the real, effective, or both UIDs.  The \fIuid\fR argument can be
given as textual login name.
.sp
Setting a
.I uid
or
.I gid
does not change capabilities, although the exec call at the end might change
capabilities.  This means that, if you are root, you probably want to do
something like:
.sp
.B "        setpriv \-\-reuid=1000 \-\-regid=1000 \-\-caps=\-all"
.TP
.BR \-\-securebits " (" + | \- ) \fIsecurebit ...
Set or clear securebits.  The argument is a comma-separated list.
The valid securebits are
.IR noroot ,
.IR noroot_locked ,
.IR no_setuid_fixup ,
.IR no_setuid_fixup_locked ,
and
.IR keep_caps_locked .
.I keep_caps
is cleared by
.BR execve (2)
and is therefore not allowed.
.TP
.BI \-\-selinux\-label " label"
Request a particular SELinux transition (using a transition on exec, not
dyntrans).  This will fail and cause
.BR setpriv (1)
to abort if SELinux is not in use, and the transition may be ignored or cause
.BR execve (2)
to fail at SELinux's whim.  (In particular, this is unlikely to work in
conjunction with
.IR no_new_privs .)
This is similar to
.BR runcon (1).
.TP
.BI \-\-apparmor\-profile " profile"
Request a particular AppArmor profile (using a transition on exec).  This will
fail and cause
.BR setpriv (1)
to abort if AppArmor is not in use, and the transition may be ignored or cause
.BR execve (2)
to fail at AppArmor's whim.
.TP
.BR \-V , " \-\-version"
Display version information and exit.
.TP
.BR \-h , " \-\-help"
Display help text and exit.
.SH NOTES
If applying any specified option fails,
.I program
will not be run and
.B setpriv
will return with exit code 127.
.PP
Be careful with this tool \-\- it may have unexpected security consequences.
For example, setting no_new_privs and then execing a program that is
SELinux\-confined (as this tool would do) may prevent the SELinux
restrictions from taking effect.
.SH SEE ALSO
.BR runuser (1),
.BR su (1),
.BR prctl (2),
.BR capabilities (7)
.SH AUTHOR
.MT luto@amacapital.net
Andy Lutomirski
.ME
.SH AVAILABILITY
The
.B setpriv
command is part of the util-linux package and is available from
.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
Linux Kernel Archive
.UE .