```text
Commit     Line  Data
cf8e0bae      1  .TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
5600c405      2  .SH NAME
5600c405      3  setpriv \- run a program with different Linux privilege settings
5600c405      4  .SH SYNOPSIS
5600c405      5  .B setpriv
cf8e0bae      6  [options]
cf8e0bae      7  .I program
5600c405      8  .RI [ arguments ]
5600c405      9  .SH DESCRIPTION
5600c405     10  Sets or queries various Linux privilege settings that are inherited across
5600c405     11  .BR execve (2).
5600c405     12  .SH OPTION
5600c405     13  .TP
5e43af7e     14  .B \-\-clear\-groups
5e43af7e     15  Clear supplementary groups.
5e43af7e     16  .TP
5e43af7e     17  .BR \-d , " \-\-dump"
cf8e0bae     18  Dump current privilege state. Can be specified more than once to show extra,
cf8e0bae     19  mostly useless, information. Incompatible with all other options.
5600c405     20  .TP
5e43af7e     21  .B \-\-groups \fIgroup\fR...
5e43af7e     22  Set supplementary groups. The argument is a comma-separated list.
5600c405     23  .TP
b06c1ca6     24  .BR \-\-inh\-caps " (" + | \- ) \fIcap "... or " \-\-bounding\-set " (" + | \- ) \fIcap ...
cf8e0bae     25  Set the inheritable capabilities or the capability bounding set. See
5600c405     26  .BR capabilities (7).
5600c405     27  The argument is a comma-separated list of
cf8e0bae     28  .BI + cap
5600c405     29  and
cf8e0bae     30  .BI \- cap
5600c405     31  entries, which add or remove an entry respectively.
cf8e0bae     32  .B +all
5600c405     33  and
cf8e0bae     34  .B \-all
5600c405     35  can be used to add or remove all caps. The set of capabilities starts out as
5600c405     36  the current inheritable set for
cf8e0bae     37  .B \-\-inh\-caps
5600c405     38  and the current bounding set for
cf8e0bae     39  .BR \-\-bounding\-set .
5600c405     40  If you drop something from the bounding set without also dropping it from the
5600c405     41  inheritable set, you are likely to become confused. Do not do that.
5600c405     42  .TP
5e43af7e     43  .B \-\-keep\-groups
5e43af7e     44  Preserve supplementary groups. Only useful in conjunction with
5e43af7e     45  .BR \-\-rgid ,
5e43af7e     46  .BR \-\-egid ", or"
5e43af7e     47  .BR \-\-regid .
5e43af7e     48  .TP
5600c405     49  .BR \-\-list\-caps
cf8e0bae     50  List all known capabilities. This option must be specified alone.
5600c405     51  .TP
b06c1ca6     52  .B \-\-no\-new\-privs
5e43af7e     53  Set the
5e43af7e     54  .I no_new_privs
5e43af7e     55  bit. With this bit set,
5e43af7e     56  .BR execve (2)
5e43af7e     57  will not grant new privileges. For example, the setuid and setgid bits as well
5e43af7e     58  as file capabilities will be disabled. (Executing binaries with these bits set
5e43af7e     59  will still work, but they will not gain privileges. Certain LSMs, especially
5e43af7e     60  AppArmor, may result in failures to execute certain programs.) This bit is
5e43af7e     61  inherited by child processes and cannot be unset. See
5e43af7e     62  .BR prctl (2)
5e43af7e     63  and
5e43af7e     64  .IR Documentation/\:prctl/\:no_\:new_\:privs.txt
5e43af7e     65  in the Linux kernel source.
5e43af7e     66  .sp
5e43af7e     67  The no_new_privs bit is supported since Linux 3.5.
5e43af7e     68  .TP
5e43af7e     69  .BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
5e43af7e     70  Set the real, effective, or both gids. The \fIgid\fR argument can be
5e43af7e     71  given as textual group name.
5e43af7e     72  .sp
5e43af7e     73  For safety, you must specify one of
b06c1ca6     74  .BR \-\-clear\-groups ,
5e43af7e     75  .BR \-\-groups ", or"
b06c1ca6     76  .BR \-\-keep\-groups
5e43af7e     77  if you set any primary
5e43af7e     78  .IR gid .
5e43af7e     79  .TP
5e43af7e     80  .BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
cf8e0bae     81  Set the real, effective, or both uids. The \fIuid\fR argument can be
637fa4c6     82  given as textual login name.
5e43af7e     83  .sp
5e43af7e     84  Setting a
5600c405     85  .I uid
5600c405     86  or
5600c405     87  .I gid
5600c405     88  does not change capabilities, although the exec call at the end might change
5600c405     89  capabilities. This means that, if you are root, you probably want to do
5600c405     90  something like:
5e43af7e     91  .sp
5e43af7e     92  .B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-caps=\-all"
5600c405     93  .TP
5e43af7e     94  .BR \-\-securebits " (" + | \- ) \fIsecurebit ...
cf8e0bae     95  Set or clear securebits. The argument is a comma-separated list.
cf8e0bae     96  The valid securebits are
5600c405     97  .IR noroot ,
cf8e0bae     98  .IR noroot_locked ,
cf8e0bae     99  .IR no_setuid_fixup ,
cf8e0bae    100  .IR no_setuid_fixup_locked ,
5600c405    101  and
cf8e0bae    102  .IR keep_caps_locked .
cf8e0bae    103  .I keep_caps
5600c405    104  is cleared by
5600c405    105  .BR execve (2)
5600c405    106  and is therefore not allowed.
5600c405    107  .TP
b06c1ca6    108  .BI \-\-selinux\-label " label"
cf8e0bae    109  Request a particular SELinux transition (using a transition on exec, not
5600c405    110  dyntrans). This will fail and cause
5600c405    111  .BR setpriv (1)
5600c405    112  to abort if SELinux is not in use, and the transition may be ignored or cause
5600c405    113  .BR execve (2)
5600c405    114  to fail at SELinux's whim. (In particular, this is unlikely to work in
5600c405    115  conjunction with
cf8e0bae    116  .IR no_new_privs .)
5600c405    117  This is similar to
5600c405    118  .BR runcon (1).
5600c405    119  .TP
b06c1ca6    120  .BI \-\-apparmor\-profile " profile"
cf8e0bae    121  Request a particular AppArmor profile (using a transition on exec). This will
5600c405    122  fail and cause
5600c405    123  .BR setpriv (1)
5600c405    124  to abort if AppArmor is not in use, and the transition may be ignored or cause
5600c405    125  .BR execve (2)
5600c405    126  to fail at AppArmor's whim.
5600c405    127  .TP
5e43af7e    128  .BR \-V , " \-\-version"
5600c405    129  Display version information and exit.
5600c405    130  .TP
5e43af7e    131  .BR \-h , " \-\-help"
b4362b6f    132  Display help text and exit.
5600c405    133  .SH NOTES
5600c405    134  If applying any specified option fails,
5600c405    135  .I program
5600c405    136  will not be run and
5600c405    137  .B setpriv
5600c405    138  will return with exit code 127.
5600c405    139  .PP
5600c405    140  Be careful with this tool \-\- it may have unexpected security consequences.
cf8e0bae    141  For example, setting no_new_privs and then execing a program that is
cf8e0bae    142  SELinux\-confined (as this tool would do) may prevent the SELinux
5600c405    143  restrictions from taking effect.
5600c405    144  .SH SEE ALSO
66083665    145  .BR prctl (2),
5600c405    146  .BR capability (7)
5600c405    147  .SH AUTHOR
5600c405    148  .MT luto@amacapital.net
5600c405    149  Andy Lutomirski
5600c405    150  .ME
5600c405    151  .SH AVAILABILITY
5600c405    152  The
5600c405    153  .B setpriv
5600c405    154  command is part of the util-linux package and is available from
5600c405    155  .UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
5600c405    156  Linux Kernel Archive
5600c405    157  .UE .
```
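The kernel interfaces behind the --no-new-privs, --bounding-set and --dump options documented above, as an added example that is not util-linux code: it sets the no_new_privs bit from an unprivileged process, shows the kernel refusing to clear it again (the "cannot be unset" behaviour the page describes), and reads the capability bounding set and /proc/self/status as --dump does. It assumes Linux 3.5 or later with prctl(2); the function names are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Field such as "NoNewPrivs" from /proc/self/status (what --dump reads); -1 if absent. */
long proc_status_field(const char *name)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    long val = -1;
    size_t n = strlen(name);
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, name, n) == 0 && line[n] == ':') {
            val = strtol(line + n + 1, NULL, 10);
            break;
        }
    }
    fclose(f);
    return val;
}

/* What --no-new-privs does before exec: 0 on success, -1 with errno set. */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* The bit is one-way: the kernel rejects a request to clear it with EINVAL. */
int no_new_privs_is_sticky(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL;
}

/* 1 if cap is in the bounding set that --bounding-set edits, else 0 (read needs no privilege). */
int cap_in_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0) == 1;
}

int main(void)
{
    if (set_no_new_privs() != 0) { perror("PR_SET_NO_NEW_PRIVS"); return 1; }
    printf("NoNewPrivs=%ld sticky=%d CAP_SYS_ADMIN in bounding set=%d\n", proc_status_field("NoNewPrivs"),
           no_new_privs_is_sticky(), cap_in_bounding_set(CAP_SYS_ADMIN));
    return 0;
}
```

Dropping a capability from the bounding set (PR_CAPBSET_DROP, what --bounding-set -cap performs) additionally needs CAP_SETPCAP, which is why the page's example runs setpriv as root.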