.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
.SH NAME
setpriv \- run a program with different Linux privilege settings
.SH SYNOPSIS
.B setpriv
[options]
.I program
.RI [ arguments ]
.SH DESCRIPTION
Sets or queries various Linux privilege settings that are inherited across
.BR execve (2).
.PP
In comparison to
.BR su (1)
and
.BR runuser (1),
.BR setpriv (1)
neither uses PAM, nor does it prompt for a password.
It is a simple, non-set-user-ID wrapper around
.BR execve (2),
and can be used to drop privileges in the same way as
.BR setuidgid (8)
from
.BR daemontools ,
.BR chpst (8)
from
.BR runit ,
or similar tools shipped by other service managers.
29 | .SH OPTION |
30 | .TP | |
5e43af7e BS |
31 | .B \-\-clear\-groups |
32 | Clear supplementary groups. | |
33 | .TP | |
34 | .BR \-d , " \-\-dump" | |
cf8e0bae BS |
35 | Dump current privilege state. Can be specified more than once to show extra, |
36 | mostly useless, information. Incompatible with all other options. | |
5600c405 | 37 | .TP |
5e43af7e | 38 | .B \-\-groups \fIgroup\fR... |
85c15c1f | 39 | Set supplementary groups. The argument is a comma-separated list of GIDs or names. |
5600c405 | 40 | .TP |
0c92194e PS |
41 | .BR \-\-inh\-caps " (" + | \- ) \fIcap "... or " \-\-ambient-caps " (" + | \- ) \fIcap "... or " \-\-bounding\-set " (" + | \- ) \fIcap ... |
42 | Set the inheritable capabilities, ambient capabilities or the capability bounding set. See | |
5600c405 AL |
43 | .BR capabilities (7). |
44 | The argument is a comma-separated list of | |
cf8e0bae | 45 | .BI + cap |
5600c405 | 46 | and |
cf8e0bae | 47 | .BI \- cap |
55b3fe78 PS |
48 | entries, which add or remove an entry respectively. \fIcap\fR can either be a |
49 | human-readable name as seen in | |
50 | .BR capabilities (7) | |
51 | without the \fIcap_\fR prefix or of the format | |
52 | .BI cap_N , | |
53 | where \fIN\fR is the internal capability index used by Linux. | |
cf8e0bae | 54 | .B +all |
5600c405 | 55 | and |
cf8e0bae | 56 | .B \-all |
5600c405 AL |
57 | can be used to add or remove all caps. The set of capabilities starts out as |
58 | the current inheritable set for | |
0c92194e PS |
59 | .BR \-\-inh\-caps , |
60 | the current ambient set for | |
61 | .B \-\-ambient\-caps | |
5600c405 | 62 | and the current bounding set for |
cf8e0bae | 63 | .BR \-\-bounding\-set . |
5600c405 AL |
64 | If you drop something from the bounding set without also dropping it from the |
65 | inheritable set, you are likely to become confused. Do not do that. | |
.TP
.B \-\-keep\-groups
Preserve supplementary groups. Only useful in conjunction with
.BR \-\-rgid ,
.BR \-\-egid ", or"
.BR \-\-regid .
.TP
.B \-\-init\-groups
Initialize supplementary groups using
.BR initgroups (3).
Only useful in conjunction with
.B \-\-ruid
or
.BR \-\-reuid .
.TP
.B \-\-list\-caps
List all known capabilities. This option must be specified alone.
.TP
.B \-\-no\-new\-privs
Set the
.I no_new_privs
bit. With this bit set,
.BR execve (2)
will not grant new privileges.
For example, the set-user-ID and set-group-ID bits as well
as file capabilities will be disabled. (Executing binaries with these bits set
will still work, but they will not gain privileges. Certain LSMs, especially
AppArmor, may result in failures to execute certain programs.) This bit is
inherited by child processes and cannot be unset. See
.BR prctl (2)
and
.I Documentation/\:prctl/\:no_\:new_\:privs.txt
in the Linux kernel source.
.sp
The no_new_privs bit is supported since Linux 3.5.
.TP
.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
Set the real, effective, or both GIDs. The \fIgid\fR argument can be
given as textual group name.
.sp
For safety, you must specify one of
.BR \-\-clear\-groups ,
.BR \-\-groups ,
.BR \-\-keep\-groups ", or"
.B \-\-init\-groups
if you set any primary
.IR gid .
.TP
.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
Set the real, effective, or both UIDs. The \fIuid\fR argument can be
given as textual login name.
.sp
Setting a
.I uid
or
.I gid
does not change capabilities, although the exec call at the end might change
capabilities. This means that, if you are root, you probably want to do
something like:
.sp
.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-clear\-groups \-\-inh\-caps=\-all"
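.sp
The following shell script is an added example; it is not part of util-linux
or of the original text of this page. It assembles a
.B setpriv
command line that drops root to a numeric uid/gid and keeps only a named list
of capabilities, following the rules stated above: a groups option accompanies
the gid change, and the bounding set and the inheritable set are edited
together. It additionally raises each kept capability in the ambient set,
because a program without file capabilities only keeps a capability across
.BR execve (2)
if it is ambient, and the kernel requires an ambient capability to be present
in the inheritable set as well (see
.BR capabilities (7)).
The helper name \fIbuild_setpriv_args\fR, the uid/gid 1000 and the
\fInet_bind_service\fR capability are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example for setpriv(1); not part of util-linux. Assembles the option
# string for dropping root to a target uid/gid while keeping only a named list
# of capabilities, applying the rules this page states:
#   - a groups option (--clear-groups here) accompanies every gid change;
#   - the bounding set and the inheritable set are always changed together;
#   - each kept capability is raised in the ambient set AND kept inheritable,
#     because the kernel only lets a capability become ambient if it is
#     already in the permitted and inheritable sets (capabilities(7)).
# "-all,+cap" keeps only cap: the option takes an ordered list of +cap/-cap
# edits applied to the current set. The bounding set can only shrink, so every
# kept capability must already be in it (true when starting as root).
# Usage: build_setpriv_args UID GID [cap,cap,...]   -> prints the options

build_setpriv_args() {
    uid=$1 gid=$2 keep=$3

    for v in "$uid" "$gid"; do
        case $v in
            ''|*[!0-9]*)
                echo "build_setpriv_args: uid and gid must be numeric" >&2
                return 1 ;;
        esac
    done

    inh='-all' amb='-all' bset='-all'
    if [ -n "$keep" ]; then
        old_ifs=$IFS; IFS=,
        for cap in $keep; do
            # names as in capabilities(7) without the cap_ prefix, or cap_N
            case $cap in
                ''|*[!a-z0-9_]*)
                    echo "build_setpriv_args: bad capability name '$cap'" >&2
                    IFS=$old_ifs; return 1 ;;
            esac
            inh="$inh,+$cap" amb="$amb,+$cap" bset="$bset,+$cap"
        done
        IFS=$old_ifs
    fi

    # --no-new-privs keeps the target from regaining privilege through
    # set-user-ID binaries or file capabilities; leave it out when the program
    # is SELinux-confined (see NOTES).
    printf '%s' "--reuid=$uid --regid=$gid --clear-groups --no-new-privs" \
        " --bounding-set=$bset --inh-caps=$inh --ambient-caps=$amb"
}

# Demonstration: as root, run PROGRAM... as uid/gid 1000 holding only
# CAP_NET_BIND_SERVICE. The command is printed unless RUN=1 is set, in which
# case it is executed (this requires root and util-linux).
main() {
    opts=$(build_setpriv_args 1000 1000 net_bind_service) || exit 1
    if [ "${RUN:-0}" = 1 ] && [ $# -gt 0 ]; then
        # word splitting of $opts into separate options is intended here
        exec setpriv $opts "$@"
    fi
    printf 'setpriv %s %s\n' "$opts" "${*:-<program>}"
}

# Run the demonstration only when executed as a script named as below.
case $0 in */build_setpriv_args.sh|build_setpriv_args.sh) main "$@" ;; esac
```

Invoked as \fBbuild_setpriv_args.sh /usr/sbin/some_daemon\fR the script prints
the full command; with \fBRUN=1\fR it execs it. The three capability options
receive the same \fB\-all,+\fIcap\fR list, which is what keeps the bounding,
inheritable and ambient sets in agreement.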
.TP
.BR \-\-securebits " (" + | \- ) \fIsecurebit ...
Set or clear securebits. The argument is a comma-separated list.
The valid securebits are
.IR noroot ,
.IR noroot_locked ,
.IR no_setuid_fixup ,
.IR no_setuid_fixup_locked ,
and
.IR keep_caps_locked .
.I keep_caps
is cleared by
.BR execve (2)
and is therefore not allowed.
.TP
.BR "\-\-pdeathsig keep" | clear | <signal>
Keep, clear or set the parent death signal. Some LSMs, most notably SELinux and
AppArmor, clear the signal when the process's credentials change. Using
\fB\-\-pdeathsig keep\fR will restore the parent death signal after changing
credentials to remedy that situation.
.TP
.BI \-\-selinux\-label " label"
Request a particular SELinux transition (using a transition on exec, not
dyntrans). This will fail and cause
.BR setpriv (1)
to abort if SELinux is not in use, and the transition may be ignored or cause
.BR execve (2)
to fail at SELinux's whim. (In particular, this is unlikely to work in
conjunction with
.IR no_new_privs .)
This is similar to
.BR runcon (1).
.TP
.BI \-\-apparmor\-profile " profile"
Request a particular AppArmor profile (using a transition on exec). This will
fail and cause
.BR setpriv (1)
to abort if AppArmor is not in use, and the transition may be ignored or cause
.BR execve (2)
to fail at AppArmor's whim.
.TP
.B \-\-reset\-env
Clears all the environment variables except TERM; initializes the environment
variables HOME, SHELL, USER, LOGNAME according to the user's passwd entry; sets
PATH to \fI/usr/local/bin:/bin:/usr/bin\fR for a regular user and to
\fI/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\fR for root.
.sp
The environment variable PATH may be different on systems where /bin and /sbin
are merged into /usr. The environment variable SHELL defaults to \fI/bin/sh\fR
if none is given in the user's passwd entry.
.TP
.BR \-V , " \-\-version"
Display version information and exit.
.TP
.BR \-h , " \-\-help"
Display help text and exit.
.SH NOTES
If applying any specified option fails,
.I program
will not be run and
.B setpriv
will return with exit code 127.
.PP
Be careful with this tool; it may have unexpected security consequences.
For example, setting no_new_privs and then execing a program that is
SELinux\-confined (as this tool would do) may prevent the SELinux
restrictions from taking effect.
.SH EXAMPLE
If you're looking for behaviour similar to
.BR su (1),
.BR runuser (1),
or
.BR sudo (8)
(without the
.B \-g
option), try something like:
.sp
.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-init\-groups"
.PP
If you want to mimic daemontools'
.BR setuidgid (8),
try:
.sp
.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-clear\-groups"
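.PP
The following shell script is an added example; it is not part of util-linux
or of this page. Before a set of
.B setpriv
options is trusted with the real program, the state it produces can be
inspected by running
.B setpriv
.I options
.B setpriv \-\-dump
and parsing the dump; the script does that parsing and fails if the uid, gid,
supplementary groups, no_new_privs bit or any of the three capability sets
differ from what was intended. The sample dump embedded in the script is
constructed by hand, the field names it relies on are assumed to match current
util-linux \fB\-\-dump\fR output, and \fIcheck_dump\fR, \fIdump_field\fR and
\fIlive_dump\fR are helper names chosen for the example.

```shell
#!/bin/sh
# Added example for setpriv(1); not part of util-linux. Verifies the state a
# setpriv invocation leaves behind by running
#     setpriv <options> setpriv --dump
# and checking the dump before the same options are used with the real
# program. SAMPLE_DUMP is constructed by hand; its field names are assumed to
# match the current util-linux --dump output.

SAMPLE_DUMP='uid: 1000
euid: 1000
gid: 1000
egid: 1000
Supplementary groups: [none]
no_new_privs: 1
Inheritable capabilities: net_bind_service
Ambient capabilities: net_bind_service
Capability bounding set: net_bind_service
Securebits: [none]
Parent death signal: [none]'

# live_dump OPTIONS... : produce a real dump for the given setpriv options.
# Needs root and util-linux; the demonstration below uses SAMPLE_DUMP instead.
live_dump() {
    setpriv "$@" setpriv --dump
}

# dump_field DUMP NAME : print the value following "NAME: " in DUMP.
dump_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# check_dump DUMP UID GID ALLOWED : return 0 only if the dump shows exactly
# the expected real/effective uid and gid, no supplementary groups (the
# --clear-groups case), no_new_privs set, and no capability outside the
# comma-separated ALLOWED list in the inheritable, ambient or bounding set.
check_dump() {
    dump=$1 want_uid=$2 want_gid=$3 allowed=$4
    rc=0
    for f in uid euid; do
        [ "$(dump_field "$dump" "$f")" = "$want_uid" ] ||
            { echo "check_dump: $f is not $want_uid" >&2; rc=1; }
    done
    for f in gid egid; do
        [ "$(dump_field "$dump" "$f")" = "$want_gid" ] ||
            { echo "check_dump: $f is not $want_gid" >&2; rc=1; }
    done
    [ "$(dump_field "$dump" 'Supplementary groups')" = '[none]' ] ||
        { echo "check_dump: supplementary groups not cleared" >&2; rc=1; }
    [ "$(dump_field "$dump" no_new_privs)" = 1 ] ||
        { echo "check_dump: no_new_privs is not set" >&2; rc=1; }
    for cset in 'Inheritable capabilities' 'Ambient capabilities' \
                'Capability bounding set'; do
        caps=$(dump_field "$dump" "$cset")
        [ "$caps" = '[none]' ] && continue
        old_ifs=$IFS; IFS=,
        for cap in $caps; do
            case ",$allowed," in
                *",$cap,"*) ;;
                *) echo "check_dump: unexpected $cap in $cset" >&2; rc=1 ;;
            esac
        done
        IFS=$old_ifs
    done
    return $rc
}

# Demonstration on the constructed sample: the expected state passes, while
# the same dump checked against an empty capability allow-list fails.
demo() {
    check_dump "$SAMPLE_DUMP" 1000 1000 net_bind_service &&
        echo "sample dump matches the intended state"
    check_dump "$SAMPLE_DUMP" 1000 1000 '' 2>/dev/null ||
        echo "sample dump rejected when no capability is allowed"
}

case $0 in */check_dump.sh|check_dump.sh) demo ;; esac
```

In practice the dump comes from the real options, for example
\fBcheck_dump "$(live_dump \-\-reuid=1000 \-\-regid=1000 \-\-clear\-groups
\-\-no\-new\-privs \-\-inh\-caps=\-all \-\-ambient\-caps=\-all
\-\-bounding\-set=\-all)" 1000 1000 ''\fR, and only when it returns 0 is the
same option list used in front of the program itself.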
.SH SEE ALSO
.BR runuser (1),
.BR su (1),
.BR prctl (2),
.BR capabilities (7)
.SH AUTHOR
.MT luto@amacapital.net
Andy Lutomirski
.ME
.SH AVAILABILITY
The
.B setpriv
command is part of the util-linux package and is available from
.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
Linux Kernel Archive
.UE .