-.TH SETPRIV 1 "January 2013" "util-linux" "User Commands"
+.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
.SH NAME
setpriv \- run a program with different Linux privilege settings
.SH SYNOPSIS
.B setpriv
-.RI [ options ]
-program
+[options]
+.I program
.RI [ arguments ]
.SH DESCRIPTION
Sets or queries various Linux privilege settings that are inherited across
.SH OPTION
.TP
\fB\-d\fR, \fB\-\-dump\fR
-Dumps current privilege state. Specify more than once to show extra, mostly
-useless, information. Incompatible with all other options.
+Dump current privilege state. Can be specified more than once to show extra,
+mostly useless, information. Incompatible with all other options.
.TP
\fB\-\-no\-new\-privs\fR
-Sets the
-.I no_\:new_\:privs
+Set the
+.I no_new_privs
bit. With this bit set,
.BR execve (2)
will not grant new privileges. For example, the setuid and setgid bits as well
as file capabilities will be disabled. (Executing binaries with these bits set
-will still work, but they will not gain privilege. Certain LSMs, especially
-AppArmor, may result in failures to execute certain programs.) This bit is
+will still work, but they will not gain privileges. Certain LSMs, especially
+AppArmor, may result in failures to execute certain programs.) This bit is
inherited by child processes and cannot be unset. See
.BR prctl (2)
and
.IR Documentation/\:prctl/\:no_\:new_\:privs.txt
in the Linux kernel source.
.IP
-The no_\:new_\:privs bit is supported since Linux 3.5.
+The no_new_privs bit is supported since Linux 3.5.
.TP
-\fB\-\-inh\-caps\fR \fI(+|\-)cap\fR,\fI...\fR or \fB\-\-bounding\-set\fR \fI(+|\-)cap\fR,\fI...\fR
-Sets inheritable capabilities or capability bounding set. See
+.B \-\-inh\-caps \fR(\fB+\fR|\fB\-\fR)\fIcap\fR... or \fB\-\-bounding\-set \fR(\fB+\fR|\fB\-\fR)\fIcap\fR...
+Set the inheritable capabilities or the capability bounding set. See
.BR capabilities (7).
The argument is a comma-separated list of
-.I +cap
+.BI + cap
and
-.I \-cap
+.BI \- cap
entries, which add or remove an entry respectively.
-.I +all
+.B +all
and
-.I \-all
+.B \-all
can be used to add or remove all caps. The set of capabilities starts out as
the current inheritable set for
-.B \-\-\:inh\-\:caps
+.B \-\-inh\-caps
and the current bounding set for
-.BR \-\-\:bounding\-\:set .
+.BR \-\-bounding\-set .
If you drop something from the bounding set without also dropping it from the
inheritable set, you are likely to become confused. Do not do that.
.TP
.BR \-\-list\-caps
-Lists all known capabilities. Must be specified alone.
+List all known capabilities. This option must be specified alone.
.TP
\fB\-\-ruid\fR \fIuid\fR, \fB\-\-euid\fR \fIuid\fR, \fB\-\-reuid\fR \fIuid\fR
-Sets the real, effective, or both \fIuid\fRs. The uid argument can be
+Set the real, effective, or both uids. The \fIuid\fR argument can be
given as textual login name.
.IP
Setting
capabilities. This means that, if you are root, you probably want to do
something like:
.IP
-\-\-reuid=1000 \-\-\:regid=1000 \-\-\:caps=\-\:all
+\-\-reuid=1000 \-\-regid=1000 \-\-caps=\-all
.TP
\fB\-\-rgid\fR \fIgid\fR, \fB\-\-egid\fR \fIgid\fR, \fB\-\-regid\fR \fIgid\fR
-Sets the real, effective, or both \fIgid\fRs. The gid argument can be
+Set the real, effective, or both gids. The \fIgid\fR argument can be
given as textual group name.
.IP
-For safety, you must specify one of \-\-\:keep\-\:groups,
-\-\-\:clear\-\:groups, or \-\-\:groups if you set any primary
+For safety, you must specify one of
+.BR \-\-keep\-groups ,
+.BR \-\-clear\-groups ", or"
+.B \-\-groups
+if you set any primary
.IR gid .
.TP
-.BR \-\-clear\-groups
-Clears supplementary groups.
+.B \-\-clear\-groups
+Clear supplementary groups.
.TP
-\fB\-\-keep\-groups\fR
-Preserves supplementary groups. Only useful in conjunction with \-\-rgid,
-\-\-egid, or \-\-regid.
+.B \-\-keep\-groups
+Preserve supplementary groups. Only useful in conjunction with
+.BR \-\-rgid ,
+.BR \-\-egid ", or"
+.BR \-\-regid .
.TP
-\fB\-\-groups\fR \fIgroup\fR,\fI...\fR
-Sets supplementary groups.
+.B \-\-groups \fIgroup\fR...
+Set supplementary groups. The argument is a comma-separated list.
.TP
-\fB\-\-securebits\fR \fI(+|\-)securebit\fR,\fI...\fR
-Sets or clears securebits. The valid securebits are
+.B \-\-securebits \fR(\fB+\fR|\fB\-\fR)\fIsecurebit\fR...
+Set or clear securebits. The argument is a comma-separated list.
+The valid securebits are
.IR noroot ,
-.IR noroot_\:locked ,
-.IR no_\:setuid_\:fixup ,
-.IR no_\:setuid_\:fixup_\:locked ,
+.IR noroot_locked ,
+.IR no_setuid_fixup ,
+.IR no_setuid_fixup_locked ,
and
-.IR keep_\:caps_\:locked .
-.I keep_\:caps
+.IR keep_caps_locked .
+.I keep_caps
is cleared by
.BR execve (2)
and is therefore not allowed.
.TP
\fB\-\-selinux\-label\fR \fIlabel\fR
-Requests a particular SELinux transition (using a transition on exec, not
+Request a particular SELinux transition (using a transition on exec, not
dyntrans). This will fail and cause
.BR setpriv (1)
to abort if SELinux is not in use, and the transition may be ignored or cause
.BR execve (2)
to fail at SELinux's whim. (In particular, this is unlikely to work in
conjunction with
-.IR no_\:new_\:privs .)
+.IR no_new_privs .)
This is similar to
.BR runcon (1).
.TP
\fB\-\-apparmor\-profile\fR \fIprofile\fR
-Requests a particular AppArmor profile (using a transition on exec). This will
+Request a particular AppArmor profile (using a transition on exec). This will
fail and cause
.BR setpriv (1)
to abort if AppArmor is not in use, and the transition may be ignored or cause
will return with exit code 127.
.PP
Be careful with this tool \-\- it may have unexpected security consequences.
-For example, setting no_\:new_\:privs and then execing a program that is
-SELinux\-\:confined (as this tool would do) may prevent the SELinux
+For example, setting no_new_privs and then execing a program that is
+SELinux\-confined (as this tool would do) may prevent the SELinux
restrictions from taking effect.
.SH SEE ALSO
.BR prctl (2),
.\" Process this file with
.\" groff -man -Tascii lscpu.1
.\"
-.TH UNSHARE 1 "July 2013" "util-linux" "User Commands"
+.TH UNSHARE 1 "July 2014" "util-linux" "User Commands"
.SH NAME
unshare \- run program with some namespaces unshared from parent
.SH SYNOPSIS
.B unshare
-.RI [ options ]
+[options]
.I program
.RI [ arguments ]
.SH DESCRIPTION
Unshares the indicated namespaces from the parent process and then executes
-the specified program. The namespaces to be unshared are indicated via
+the specified \fIprogram\fR. The namespaces to be unshared are indicated via
options. Unshareable namespaces are:
.TP
.BR "mount namespace"
(\fBCLONE_NEWNS\fP flag), except for filesystems which are explicitly marked as
shared (with \fBmount --make-shared\fP; see \fI/proc/self/mountinfo\fP for the
\fBshared\fP flags).
-
+.sp
It's recommended to use \fBmount --make-rprivate\fP or \fBmount --make-rslave\fP
after \fBunshare --mount\fP to make sure that mountpoints in the new namespace
-are really unshared from parental namespace.
+are really unshared from the parental namespace.
.TP
.BR "UTS namespace"
Setting hostname or domainname will not affect the rest of the system.
running it directly. This is useful when creating a new pid namespace.
.TP
.BR \-\-mount-proc "[=\fImountpoint\fP]"
-Just before running the program, mount the proc filesystem at the \fImountpoint\fP
+Just before running the program, mount the proc filesystem at \fImountpoint\fP
(default is /proc). This is useful when creating a new pid namespace. It also
implies creating a new mount namespace since the /proc mount would otherwise
-mess up existing programs on the system. The new proc filesystem is explicitly
+mess up existing programs on the system. The new proc filesystem is explicitly
mounted as private (by MS_PRIVATE|MS_REC).
.TP
.BR \-r , " \-\-map-root-user"
-Run the program only after current effective user and group ID have been mapped to
-superuser UID and GID in newly created user namespace. This makes it possible to
-conveniently gain capabilities needed to manage various aspects of newly created
-namespaces (such as configure interfaces in network namespace or mount filesystems in
-mount) even when run unprivileged. As a convenience feature, it does not support
+Run the program only after the current effective user and group IDs have been mapped to
+the superuser UID and GID in the newly created user namespace. This makes it possible to
+conveniently gain capabilities needed to manage various aspects of the newly created
+namespaces (such as configuring interfaces in the network namespace or mounting filesystems in
+the mount namespace) even when run unprivileged. As a mere convenience feature, it does not support
more sophisticated use cases, such as mapping multiple ranges of UIDs and GIDs.
.SH SEE ALSO
.BR unshare (2),
projects / thirdparty / util-linux.git / commitdiff
