Commit | Line | Data |
---|---|---|
cf8e0bae | 1 | .TH SETPRIV 1 "July 2014" "util-linux" "User Commands" |
5600c405 AL |
2 | .SH NAME |
3 | setpriv \- run a program with different Linux privilege settings | |
4 | .SH SYNOPSIS | |
5 | .B setpriv | |
cf8e0bae BS |
6 | [options] |
7 | .I program | |
5600c405 AL |
8 | .RI [ arguments ] |
9 | .SH DESCRIPTION | |
10 | Sets or queries various Linux privilege settings that are inherited across | |
11 | .BR execve (2). | |
c424fd83 KZ |
12 | .PP |
13 | The difference between the commands setpriv and su (or runuser) is that setpriv does | |
aedd46f6 MK |
14 | not open a PAM session and does not ask for a password. |
15 | It is a simple non-set-user-ID wrapper around the | |
c424fd83 | 16 | .B execve |
3be5d977 | 17 | system call. |
5600c405 AL |
18 | .SH OPTIONS |
19 | .TP | |
5e43af7e BS |
20 | .B \-\-clear\-groups |
21 | Clear supplementary groups. | |
22 | .TP | |
23 | .BR \-d , " \-\-dump" | |
cf8e0bae BS |
24 | Dump current privilege state. Can be specified more than once to show extra, |
25 | mostly useless, information. Incompatible with all other options. | |
5600c405 | 26 | .TP |
5e43af7e BS |
27 | .B \-\-groups \fIgroup\fR... |
28 | Set supplementary groups. The argument is a comma-separated list. | |
5600c405 | 29 | .TP |
0c92194e PS |
30 | .BR \-\-inh\-caps " (" + | \- ) \fIcap "... or " \-\-ambient-caps " (" + | \- ) \fIcap "... or " \-\-bounding\-set " (" + | \- ) \fIcap ... |
31 | Set the inheritable capabilities, ambient capabilities or the capability bounding set. See | |
5600c405 AL |
32 | .BR capabilities (7). |
33 | The argument is a comma-separated list of | |
cf8e0bae | 34 | .BI + cap |
5600c405 | 35 | and |
cf8e0bae | 36 | .BI \- cap |
55b3fe78 PS |
37 | entries, which add or remove an entry respectively. \fIcap\fR can either be a |
38 | human-readable name as seen in | |
39 | .BR capabilities (7) | |
40 | without the \fIcap_\fR prefix or of the format | |
41 | .BI cap_N , | |
42 | where \fIN\fR is the internal capability index used by Linux. | |
cf8e0bae | 43 | .B +all |
5600c405 | 44 | and |
cf8e0bae | 45 | .B \-all |
5600c405 AL |
46 | can be used to add or remove all caps. The set of capabilities starts out as |
47 | the current inheritable set for | |
0c92194e PS |
48 | .BR \-\-inh\-caps , |
49 | the current ambient set for | |
50 | .B \-\-ambient\-caps | |
5600c405 | 51 | and the current bounding set for |
cf8e0bae | 52 | .BR \-\-bounding\-set . |
5600c405 AL |
53 | If you drop something from the bounding set without also dropping it from the |
54 | inheritable set, you are likely to become confused. Do not do that. | |
55 | .TP | |
5e43af7e BS |
56 | .B \-\-keep\-groups |
57 | Preserve supplementary groups. Only useful in conjunction with | |
58 | .BR \-\-rgid , | |
59 | .BR \-\-egid ", or" | |
60 | .BR \-\-regid . | |
61 | .TP | |
94826d0d SS |
62 | .B \-\-init\-groups |
63 | Initialize supplementary groups using | |
64 | .BR initgroups "(3)." | |
65 | Only useful in conjunction with | |
66 | .BR \-\-ruid | |
67 | or | |
68 | .BR \-\-reuid . | |
69 | .TP | |
5600c405 | 70 | .BR \-\-list\-caps |
cf8e0bae | 71 | List all known capabilities. This option must be specified alone. |
5600c405 | 72 | .TP |
b06c1ca6 | 73 | .B \-\-no\-new\-privs |
5e43af7e BS |
74 | Set the |
75 | .I no_new_privs | |
76 | bit. With this bit set, | |
77 | .BR execve (2) | |
aedd46f6 MK |
78 | will not grant new privileges. |
79 | For example, the set-user-ID and set-group-ID bits as well | |
5e43af7e BS |
80 | as file capabilities will be disabled. (Executing binaries with these bits set |
81 | will still work, but they will not gain privileges. Certain LSMs, especially | |
82 | AppArmor, may result in failures to execute certain programs.) This bit is | |
83 | inherited by child processes and cannot be unset. See | |
84 | .BR prctl (2) | |
85 | and | |
86 | .IR Documentation/\:prctl/\:no_\:new_\:privs.txt | |
87 | in the Linux kernel source. | |
88 | .sp | |
89 | The no_new_privs bit is supported since Linux 3.5. | |
90 | .TP | |
91 | .BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid" | |
a72fa61a | 92 | Set the real, effective, or both GIDs. The \fIgid\fR argument can be |
5e43af7e BS |
93 | given as a textual group name. |
94 | .sp | |
95 | For safety, you must specify one of | |
b06c1ca6 | 96 | .BR \-\-clear\-groups , |
5e43af7e | 97 | .BR \-\-groups ", or" |
b06c1ca6 | 98 | .BR \-\-keep\-groups |
5e43af7e BS |
99 | if you set any primary |
100 | .IR gid . | |
101 | .TP | |
102 | .BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid" | |
a72fa61a | 103 | Set the real, effective, or both UIDs. The \fIuid\fR argument can be |
637fa4c6 | 104 | given as a textual login name. |
5e43af7e BS |
105 | .sp |
106 | Setting a | |
5600c405 AL |
107 | .I uid |
108 | or | |
109 | .I gid | |
110 | does not change capabilities, although the exec call at the end might change | |
111 | capabilities. This means that, if you are root, you probably want to do | |
112 | something like: | |
5e43af7e BS |
113 | .sp |
114 | .B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-inh\-caps=\-all" | |
5600c405 | 115 | .TP |
5e43af7e | 116 | .BR \-\-securebits " (" + | \- ) \fIsecurebit ... |
cf8e0bae BS |
117 | Set or clear securebits. The argument is a comma-separated list. |
118 | The valid securebits are | |
5600c405 | 119 | .IR noroot , |
cf8e0bae BS |
120 | .IR noroot_locked , |
121 | .IR no_setuid_fixup , | |
122 | .IR no_setuid_fixup_locked , | |
5600c405 | 123 | and |
cf8e0bae BS |
124 | .IR keep_caps_locked . |
125 | .I keep_caps | |
5600c405 AL |
126 | is cleared by |
127 | .BR execve (2) | |
128 | and is therefore not allowed. | |
129 | .TP | |
b06c1ca6 | 130 | .BI \-\-selinux\-label " label" |
cf8e0bae | 131 | Request a particular SELinux transition (using a transition on exec, not |
5600c405 AL |
132 | dyntrans). This will fail and cause |
133 | .BR setpriv (1) | |
134 | to abort if SELinux is not in use, and the transition may be ignored or cause | |
135 | .BR execve (2) | |
136 | to fail at SELinux's whim. (In particular, this is unlikely to work in | |
137 | conjunction with | |
cf8e0bae | 138 | .IR no_new_privs .) |
5600c405 AL |
139 | This is similar to |
140 | .BR runcon (1). | |
141 | .TP | |
b06c1ca6 | 142 | .BI \-\-apparmor\-profile " profile" |
cf8e0bae | 143 | Request a particular AppArmor profile (using a transition on exec). This will |
5600c405 AL |
144 | fail and cause |
145 | .BR setpriv (1) | |
146 | to abort if AppArmor is not in use, and the transition may be ignored or cause | |
147 | .BR execve (2) | |
148 | to fail at AppArmor's whim. | |
149 | .TP | |
5e43af7e | 150 | .BR \-V , " \-\-version" |
5600c405 AL |
151 | Display version information and exit. |
152 | .TP | |
5e43af7e | 153 | .BR \-h , " \-\-help" |
b4362b6f | 154 | Display help text and exit. |
5600c405 AL |
155 | .SH NOTES |
156 | If applying any specified option fails, | |
157 | .I program | |
158 | will not be run and | |
159 | .B setpriv | |
160 | will return with exit code 127. | |
161 | .PP | |
162 | Be careful with this tool \-\- it may have unexpected security consequences. | |
cf8e0bae BS |
163 | For example, setting no_new_privs and then execing a program that is |
164 | SELinux\-confined (as this tool would do) may prevent the SELinux | |
5600c405 AL |
165 | restrictions from taking effect. |
166 | .SH SEE ALSO | |
c424fd83 | 167 | .BR runuser (1), |
f053ff1e | 168 | .BR su (1), |
66083665 | 169 | .BR prctl (2), |
4a2ec98b | 170 | .BR capabilities (7) |
5600c405 AL |
171 | .SH AUTHOR |
172 | .MT luto@amacapital.net | |
173 | Andy Lutomirski | |
174 | .ME | |
175 | .SH AVAILABILITY | |
176 | The | |
177 | .B setpriv | |
178 | command is part of the util-linux package and is available from | |
d673b74e | 179 | .UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/ |
5600c405 AL |
180 | Linux Kernel Archive |
181 | .UE . |
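
The caveats in the option descriptions above (a uid change leaves capabilities alone, an inheritable set left wider than the bounding set, supplementary groups kept after a gid change, no_new_privs unset) can be checked after the fact from `/proc/<pid>/status`. The script below is an added example, not part of util-linux; the function names and both status snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example, not util-linux code: flag privilege states the setpriv page
# warns about, given the text of /proc/<pid>/status. All names are illustrative.

# Constructed snapshot: uid/gid switched to 1000, nothing else cleaned up.
SAMPLE_LEAKY='Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
Groups: 0 27 1000
NoNewPrivs: 0
CapInh: 0000000000003000
CapBnd: 0000000000001000
CapAmb: 0000000000000000'

# Constructed snapshot: groups cleared, inheritable set emptied, no_new_privs set.
SAMPLE_DROPPED='Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
Groups:
NoNewPrivs: 1
CapInh: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

status_field() {  # $1 = status text, $2 = key; prints the value after "key:"
  printf '%s\n' "$1" |
    awk -v key="$2:" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

cap_mask() {      # $1 = status text, $2 = CapInh|CapBnd|CapAmb; prints decimal mask
  echo $((0x$(status_field "$1" "$2")))
}

audit_status() {  # $1 = status text; one finding per line, no output if clean
  euid=$(status_field "$1" Uid | awk '{ print $2 }')   # 2nd column = effective
  groups=$(status_field "$1" Groups)
  inh=$(cap_mask "$1" CapInh); bnd=$(cap_mask "$1" CapBnd); amb=$(cap_mask "$1" CapAmb)
  # Setting a uid does not change capabilities; these sets survive execve.
  if [ "$euid" != 0 ] && [ $((inh | amb)) -ne 0 ]; then
    echo "uid $euid still holds inheritable or ambient capabilities"
  fi
  # Dropped from the bounding set but left in the inheritable set.
  if [ $((inh & ~bnd)) -ne 0 ]; then
    echo "inheritable set contains capabilities absent from the bounding set"
  fi
  case " $groups " in
    *" 0 "*) [ "$euid" = 0 ] || echo "non-root process kept supplementary group 0" ;;
  esac
  [ "$(status_field "$1" NoNewPrivs)" = 1 ] || echo "no_new_privs is not set"
}

audit_status "$SAMPLE_LEAKY"   # live use: audit_status "$(cat /proc/$$/status)"
```

The first snapshot produces four findings and the second produces none; real status files separate fields with tabs, which the awk field splitting handles the same way.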