[thirdparty/util-linux.git] / sys-utils / setpriv.1

.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
.SH NAME
setpriv \- run a program with different Linux privilege settings
.SH SYNOPSIS
.B setpriv
[options]
.I program
.RI [ arguments ]
.SH DESCRIPTION
Sets or queries various Linux privilege settings that are inherited across
.BR execve (2).
.SH OPTION
.TP
.B \-\-clear\-groups
Clear supplementary groups.
.TP
.BR \-d , " \-\-dump"
Dump current privilege state.  Can be specified more than once to show extra,
mostly useless, information.  Incompatible with all other options.
.TP
.B \-\-groups \fIgroup\fR...
Set supplementary groups.  The argument is a comma-separated list.
.TP
.BR \-\-inh-caps " (" + | \- ) \fIcap "...  or  " \-\-bounding\-set " (" + | \- ) \fIcap ...
Set the inheritable capabilities or the capability bounding set.  See
.BR capabilities (7).
The argument is a comma-separated list of
.BI + cap
and
.BI \- cap
entries, which add or remove an entry respectively.
.B +all
and
.B \-all
can be used to add or remove all caps.  The set of capabilities starts out as
the current inheritable set for
.B \-\-inh\-caps
and the current bounding set for
.BR \-\-bounding\-set .
If you drop something from the bounding set without also dropping it from the
inheritable set, you are likely to become confused.  Do not do that.
.TP
.B \-\-keep\-groups
Preserve supplementary groups.  Only useful in conjunction with
.BR \-\-rgid ,
.BR \-\-egid ", or"
.BR \-\-regid .
.TP
.BR \-\-list\-caps
List all known capabilities.  This option must be specified alone.
.TP
.B \-\-no-new-privs
Set the
.I no_new_privs
bit.  With this bit set,
.BR execve (2)
will not grant new privileges.  For example, the setuid and setgid bits as well
as file capabilities will be disabled.  (Executing binaries with these bits set
will still work, but they will not gain privileges.  Certain LSMs, especially
AppArmor, may result in failures to execute certain programs.)  This bit is
inherited by child processes and cannot be unset.  See
.BR prctl (2)
and
.IR Documentation/\:prctl/\:no_\:new_\:privs.txt
in the Linux kernel source.
.sp
The no_new_privs bit is supported since Linux 3.5.
.TP
.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
Set the real, effective, or both gids.  The \fIgid\fR argument can be
given as textual group name.
.sp
For safety, you must specify one of
.BR \-\-clear-groups ,
.BR \-\-groups ", or"
.BR \-\-keep-groups
if you set any primary
.IR gid .
.TP
.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
Set the real, effective, or both uids.  The \fIuid\fR argument can be
given as textual login name.
.sp
Setting a
.I uid
or
.I gid
does not change capabilities, although the exec call at the end might change
capabilities.  This means that, if you are root, you probably want to do
something like:
.sp
.B "        setpriv \-\-reuid=1000 \-\-regid=1000 \-\-caps=\-all"
.TP
.BR \-\-securebits " (" + | \- ) \fIsecurebit ...
Set or clear securebits.  The argument is a comma-separated list.
The valid securebits are
.IR noroot ,
.IR noroot_locked ,
.IR no_setuid_fixup ,
.IR no_setuid_fixup_locked ,
and
.IR keep_caps_locked .
.I keep_caps
is cleared by
.BR execve (2)
and is therefore not allowed.
.TP
.BI \-\-selinux-label " label"
Request a particular SELinux transition (using a transition on exec, not
dyntrans).  This will fail and cause
.BR setpriv (1)
to abort if SELinux is not in use, and the transition may be ignored or cause
.BR execve (2)
to fail at SELinux's whim.  (In particular, this is unlikely to work in
conjunction with
.IR no_new_privs .)
This is similar to
.BR runcon (1).
.TP
.BI \-\-apparmor-profile " profile"
Request a particular AppArmor profile (using a transition on exec).  This will
fail and cause
.BR setpriv (1)
to abort if AppArmor is not in use, and the transition may be ignored or cause
.BR execve (2)
to fail at AppArmor's whim.
.TP
.BR \-V , " \-\-version"
Display version information and exit.
.TP
.BR \-h , " \-\-help"
Display help text and exit.
.SH NOTES
If applying any specified option fails,
.I program
will not be run and
.B setpriv
will return with exit code 127.
.PP
Be careful with this tool \-\- it may have unexpected security consequences.
For example, setting no_new_privs and then execing a program that is
SELinux\-confined (as this tool would do) may prevent the SELinux
restrictions from taking effect.
.SH SEE ALSO
.BR prctl (2),
.BR capability (7)
.SH AUTHOR
.MT luto@amacapital.net
Andy Lutomirski
.ME
.SH AVAILABILITY
The
.B setpriv
command is part of the util-linux package and is available from
.UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
Linux Kernel Archive
.UE .
Commit	Line	Data
cf8e0bae	1	.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
5600c405 AL	2	.SH NAME
	3	setpriv \- run a program with different Linux privilege settings
	4	.SH SYNOPSIS
	5	.B setpriv
cf8e0bae BS	6	[options]
cf8e0bae BS	7	.I program
5600c405 AL	8	.RI [ arguments ]
	9	.SH DESCRIPTION
	10	Sets or queries various Linux privilege settings that are inherited across
	11	.BR execve (2).
	12	.SH OPTION
	13	.TP
5e43af7e BS	14	.B \-\-clear\-groups
	15	Clear supplementary groups.
	16	.TP
	17	.BR \-d , " \-\-dump"
cf8e0bae BS	18	Dump current privilege state. Can be specified more than once to show extra,
cf8e0bae BS	19	mostly useless, information. Incompatible with all other options.
5600c405	20	.TP
5e43af7e BS	21	.B \-\-groups \fIgroup\fR...
5e43af7e BS	22	Set supplementary groups. The argument is a comma-separated list.
5600c405	23	.TP
5e43af7e	24	.BR \-\-inh-caps " (" + \| \- ) \fIcap "... or " \-\-bounding\-set " (" + \| \- ) \fIcap ...
cf8e0bae	25	Set the inheritable capabilities or the capability bounding set. See
5600c405 AL	26	.BR capabilities (7).
5600c405 AL	27	The argument is a comma-separated list of
cf8e0bae	28	.BI + cap
5600c405	29	and
cf8e0bae	30	.BI \- cap
5600c405	31	entries, which add or remove an entry respectively.
cf8e0bae	32	.B +all
5600c405	33	and
cf8e0bae	34	.B \-all
5600c405 AL	35	can be used to add or remove all caps. The set of capabilities starts out as
5600c405 AL	36	the current inheritable set for
cf8e0bae	37	.B \-\-inh\-caps
5600c405	38	and the current bounding set for
cf8e0bae	39	.BR \-\-bounding\-set .
5600c405 AL	40	If you drop something from the bounding set without also dropping it from the
	41	inheritable set, you are likely to become confused. Do not do that.
	42	.TP
5e43af7e BS	43	.B \-\-keep\-groups
	44	Preserve supplementary groups. Only useful in conjunction with
	45	.BR \-\-rgid ,
	46	.BR \-\-egid ", or"
	47	.BR \-\-regid .
	48	.TP
5600c405	49	.BR \-\-list\-caps
cf8e0bae	50	List all known capabilities. This option must be specified alone.
5600c405	51	.TP
5e43af7e BS	52	.B \-\-no-new-privs
	53	Set the
	54	.I no_new_privs
	55	bit. With this bit set,
	56	.BR execve (2)
	57	will not grant new privileges. For example, the setuid and setgid bits as well
	58	as file capabilities will be disabled. (Executing binaries with these bits set
	59	will still work, but they will not gain privileges. Certain LSMs, especially
	60	AppArmor, may result in failures to execute certain programs.) This bit is
	61	inherited by child processes and cannot be unset. See
	62	.BR prctl (2)
	63	and
	64	.IR Documentation/\:prctl/\:no_\:new_\:privs.txt
	65	in the Linux kernel source.
	66	.sp
	67	The no_new_privs bit is supported since Linux 3.5.
	68	.TP
	69	.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
	70	Set the real, effective, or both gids. The \fIgid\fR argument can be
	71	given as textual group name.
	72	.sp
	73	For safety, you must specify one of
	74	.BR \-\-clear-groups ,
	75	.BR \-\-groups ", or"
	76	.BR \-\-keep-groups
	77	if you set any primary
	78	.IR gid .
	79	.TP
	80	.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
cf8e0bae	81	Set the real, effective, or both uids. The \fIuid\fR argument can be
637fa4c6	82	given as textual login name.
5e43af7e BS	83	.sp
5e43af7e BS	84	Setting a
5600c405 AL	85	.I uid
	86	or
	87	.I gid
	88	does not change capabilities, although the exec call at the end might change
	89	capabilities. This means that, if you are root, you probably want to do
	90	something like:
5e43af7e BS	91	.sp
5e43af7e BS	92	.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-caps=\-all"
5600c405	93	.TP
5e43af7e	94	.BR \-\-securebits " (" + \| \- ) \fIsecurebit ...
cf8e0bae BS	95	Set or clear securebits. The argument is a comma-separated list.
cf8e0bae BS	96	The valid securebits are
5600c405	97	.IR noroot ,
cf8e0bae BS	98	.IR noroot_locked ,
	99	.IR no_setuid_fixup ,
	100	.IR no_setuid_fixup_locked ,
5600c405	101	and
cf8e0bae BS	102	.IR keep_caps_locked .
cf8e0bae BS	103	.I keep_caps
5600c405 AL	104	is cleared by
	105	.BR execve (2)
	106	and is therefore not allowed.
	107	.TP
5e43af7e	108	.BI \-\-selinux-label " label"
cf8e0bae	109	Request a particular SELinux transition (using a transition on exec, not
5600c405 AL	110	dyntrans). This will fail and cause
	111	.BR setpriv (1)
	112	to abort if SELinux is not in use, and the transition may be ignored or cause
	113	.BR execve (2)
	114	to fail at SELinux's whim. (In particular, this is unlikely to work in
	115	conjunction with
cf8e0bae	116	.IR no_new_privs .)
5600c405 AL	117	This is similar to
	118	.BR runcon (1).
	119	.TP
5e43af7e	120	.BI \-\-apparmor-profile " profile"
cf8e0bae	121	Request a particular AppArmor profile (using a transition on exec). This will
5600c405 AL	122	fail and cause
	123	.BR setpriv (1)
	124	to abort if AppArmor is not in use, and the transition may be ignored or cause
	125	.BR execve (2)
	126	to fail at AppArmor's whim.
	127	.TP
5e43af7e	128	.BR \-V , " \-\-version"
5600c405 AL	129	Display version information and exit.
5600c405 AL	130	.TP
5e43af7e	131	.BR \-h , " \-\-help"
b4362b6f	132	Display help text and exit.
5600c405 AL	133	.SH NOTES
	134	If applying any specified option fails,
	135	.I program
	136	will not be run and
	137	.B setpriv
	138	will return with exit code 127.
	139	.PP
	140	Be careful with this tool \-\- it may have unexpected security consequences.
cf8e0bae BS	141	For example, setting no_new_privs and then execing a program that is
cf8e0bae BS	142	SELinux\-confined (as this tool would do) may prevent the SELinux
5600c405 AL	143	restrictions from taking effect.
5600c405 AL	144	.SH SEE ALSO
66083665	145	.BR prctl (2),
5600c405 AL	146	.BR capability (7)
	147	.SH AUTHOR
	148	.MT luto@amacapital.net
	149	Andy Lutomirski
	150	.ME
	151	.SH AVAILABILITY
	152	The
	153	.B setpriv
	154	command is part of the util-linux package and is available from
	155	.UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
	156	Linux Kernel Archive
	157	.UE .