[thirdparty/util-linux.git] / sys-utils / setpriv.1

.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
.SH NAME
setpriv \- run a program with different Linux privilege settings
.SH SYNOPSIS
.B setpriv
[options]
.I program
.RI [ arguments ]
.SH DESCRIPTION
Sets or queries various Linux privilege settings that are inherited across
.BR execve (2).
.PP
In comparison to
.BR su (1)
and
.BR runuser (1),
.BR setpriv (1)
neither uses PAM, nor does it prompt for a password.
It is a simple, non-set-user-ID wrapper around
.BR execve (2),
and can be used to drop privileges in the same way as
.BR setuidgid (8)
from
.BR daemontools ,
.BR chpst (8)
from
.BR runit ,
or similar tools shipped by other service managers.
.SH OPTIONS
.TP
.B \-\-clear\-groups
Clear supplementary groups.
.TP
.BR \-d , " \-\-dump"
Dump current privilege state.  Can be specified more than once to show extra,
mostly useless, information.  Incompatible with all other options.
.TP
.B \-\-groups \fIgroup\fR...
Set supplementary groups.  The argument is a comma-separated list of GIDs or names.
.TP
.BR \-\-inh\-caps " (" + | \- ) \fIcap "...  or  " \-\-ambient-caps " (" + | \- ) \fIcap "...  or  " \-\-bounding\-set " (" + | \- ) \fIcap ...
Set the inheritable capabilities, ambient capabilities or the capability bounding set.  See
.BR capabilities (7).
The argument is a comma-separated list of
.BI + cap
and
.BI \- cap
entries, which add or remove an entry respectively. \fIcap\fR can either be a
human-readable name as seen in
.BR capabilities (7)
without the \fIcap_\fR prefix or of the format
.BI cap_N ,
where \fIN\fR is the internal capability index used by Linux.
.B +all
and
.B \-all
can be used to add or remove all caps.  The set of capabilities starts out as
the current inheritable set for
.BR \-\-inh\-caps ,
the current ambient set for
.B \-\-ambient\-caps
and the current bounding set for
.BR \-\-bounding\-set .
If you drop something from the bounding set without also dropping it from the
inheritable set, you are likely to become confused.  Do not do that.
.TP
.B \-\-keep\-groups
Preserve supplementary groups.  Only useful in conjunction with
.BR \-\-rgid ,
.BR \-\-egid ", or"
.BR \-\-regid .
.TP
.B \-\-init\-groups
Initialize supplementary groups using
.BR initgroups "(3)."
Only useful in conjunction with
.B \-\-ruid
or
.BR \-\-reuid .
.TP
.B \-\-list\-caps
List all known capabilities.  This option must be specified alone.
.TP
.B \-\-no\-new\-privs
Set the
.I no_new_privs
bit.  With this bit set,
.BR execve (2)
will not grant new privileges.
For example, the set-user-ID and set-group-ID bits as well
as file capabilities will be disabled.  (Executing binaries with these bits set
will still work, but they will not gain privileges.  Certain LSMs, especially
AppArmor, may result in failures to execute certain programs.)  This bit is
inherited by child processes and cannot be unset.  See
.BR prctl (2)
and
.I Documentation/\:prctl/\:no_\:new_\:privs.txt
in the Linux kernel source.
.sp
The no_new_privs bit is supported since Linux 3.5.
.TP
.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
Set the real, effective, or both GIDs.  The \fIgid\fR argument can be
given as textual group name.
.sp
For safety, you must specify one of
.BR \-\-clear\-groups ,
.BR \-\-groups ,
.BR \-\-keep\-groups ", or"
.B \-\-init\-groups
if you set any primary
.IR gid .
.TP
.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
Set the real, effective, or both UIDs.  The \fIuid\fR argument can be
given as textual login name.
.sp
Setting a
.I uid
or
.I gid
does not change capabilities, although the exec call at the end might change
capabilities.  This means that, if you are root, you probably want to do
something like:
.sp
.B "        setpriv \-\-reuid=1000 \-\-regid=1000 \-\-inh\-caps=\-all"
.TP
.BR \-\-securebits " (" + | \- ) \fIsecurebit ...
Set or clear securebits.  The argument is a comma-separated list.
The valid securebits are
.IR noroot ,
.IR noroot_locked ,
.IR no_setuid_fixup ,
.IR no_setuid_fixup_locked ,
and
.IR keep_caps_locked .
.I keep_caps
is cleared by
.BR execve (2)
and is therefore not allowed.
.TP
.BR "\-\-pdeathsig keep" | clear | <signal>
Keep, clear or set the parent death signal.  Some LSMs, most notably SELinux and
AppArmor, clear the signal when the process' credentials change.  Using
\fB\-\-pdeathsig keep\fR will restore the parent death signal after changing
credentials to remedy that situation.
.TP
.BI \-\-selinux\-label " label"
Request a particular SELinux transition (using a transition on exec, not
dyntrans).  This will fail and cause
.BR setpriv (1)
to abort if SELinux is not in use, and the transition may be ignored or cause
.BR execve (2)
to fail at SELinux's whim.  (In particular, this is unlikely to work in
conjunction with
.IR no_new_privs .)
This is similar to
.BR runcon (1).
.TP
.BI \-\-apparmor\-profile " profile"
Request a particular AppArmor profile (using a transition on exec).  This will
fail and cause
.BR setpriv (1)
to abort if AppArmor is not in use, and the transition may be ignored or cause
.BR execve (2)
to fail at AppArmor's whim.
.TP
.B \-\-reset\-env
Clears all the environment variables except TERM; initializes the environment variables HOME, SHELL, USER, LOGNAME
according to the user's passwd entry; sets PATH to \fI/usr/local/bin:/bin:/usr/bin\fR for a regual user and to
\fI/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\fR for root.
.sp
The environment variable PATH may be different on systems where /bin and /sbin
are merged into /usr.  The environment variable SHELL defaults to \fI/bin/sh\fR if none is given in the user's
passwd entry.
.TP
.BR \-V , " \-\-version"
Display version information and exit.
.TP
.BR \-h , " \-\-help"
Display help text and exit.
.SH NOTES
If applying any specified option fails,
.I program
will not be run and
.B setpriv
will return with exit status 127.
.PP
Be careful with this tool \-\- it may have unexpected security consequences.
For example, setting no_new_privs and then execing a program that is
SELinux\-confined (as this tool would do) may prevent the SELinux
restrictions from taking effect.
.SH EXAMPLE
If you're looking for behaviour similar to
.BR su (1)/ runuser "(1), or " sudo (8)
(without the
.B \-g
option), try something like:
.sp
.B "    setpriv \-\-reuid=1000 \-\-regid=1000 \-\-init\-groups"
.PP
If you want to mimic daemontools'
.BR setuid (8),
try:
.sp
.B "    setpriv \-\-reuid=1000 \-\-regid=1000 \-\-clear\-groups"
.SH SEE ALSO
.BR runuser (1),
.BR su (1),
.BR prctl (2),
.BR capabilities (7)
.SH AUTHORS
.MT luto@amacapital.net
Andy Lutomirski
.ME
.SH AVAILABILITY
The
.B setpriv
command is part of the util-linux package and is available from
.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
Linux Kernel Archive
.UE .
Commit	Line	Data
cf8e0bae	1	.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
5600c405 AL	2	.SH NAME
	3	setpriv \- run a program with different Linux privilege settings
	4	.SH SYNOPSIS
	5	.B setpriv
cf8e0bae BS	6	[options]
cf8e0bae BS	7	.I program
5600c405 AL	8	.RI [ arguments ]
	9	.SH DESCRIPTION
	10	Sets or queries various Linux privilege settings that are inherited across
	11	.BR execve (2).
c424fd83	12	.PP
64eca640 SM	13	In comparison to
	14	.BR su (1)
	15	and
	16	.BR runuser (1),
	17	.BR setpriv (1)
	18	neither uses PAM, nor does it prompt for a password.
1aed71e5	19	It is a simple, non-set-user-ID wrapper around
64eca640 SM	20	.BR execve (2),
	21	and can be used to drop privileges in the same way as
	22	.BR setuidgid (8)
	23	from
	24	.BR daemontools ,
	25	.BR chpst (8)
	26	from
	27	.BR runit ,
	28	or similar tools shipped by other service managers.
8715ec4d	29	.SH OPTIONS
5600c405	30	.TP
5e43af7e BS	31	.B \-\-clear\-groups
	32	Clear supplementary groups.
	33	.TP
	34	.BR \-d , " \-\-dump"
cf8e0bae BS	35	Dump current privilege state. Can be specified more than once to show extra,
cf8e0bae BS	36	mostly useless, information. Incompatible with all other options.
5600c405	37	.TP
5e43af7e	38	.B \-\-groups \fIgroup\fR...
85c15c1f	39	Set supplementary groups. The argument is a comma-separated list of GIDs or names.
5600c405	40	.TP
0c92194e PS	41	.BR \-\-inh\-caps " (" + \| \- ) \fIcap "... or " \-\-ambient-caps " (" + \| \- ) \fIcap "... or " \-\-bounding\-set " (" + \| \- ) \fIcap ...
0c92194e PS	42	Set the inheritable capabilities, ambient capabilities or the capability bounding set. See
5600c405 AL	43	.BR capabilities (7).
5600c405 AL	44	The argument is a comma-separated list of
cf8e0bae	45	.BI + cap
5600c405	46	and
cf8e0bae	47	.BI \- cap
55b3fe78 PS	48	entries, which add or remove an entry respectively. \fIcap\fR can either be a
	49	human-readable name as seen in
	50	.BR capabilities (7)
	51	without the \fIcap_\fR prefix or of the format
	52	.BI cap_N ,
	53	where \fIN\fR is the internal capability index used by Linux.
cf8e0bae	54	.B +all
5600c405	55	and
cf8e0bae	56	.B \-all
5600c405 AL	57	can be used to add or remove all caps. The set of capabilities starts out as
5600c405 AL	58	the current inheritable set for
0c92194e PS	59	.BR \-\-inh\-caps ,
	60	the current ambient set for
	61	.B \-\-ambient\-caps
5600c405	62	and the current bounding set for
cf8e0bae	63	.BR \-\-bounding\-set .
5600c405 AL	64	If you drop something from the bounding set without also dropping it from the
	65	inheritable set, you are likely to become confused. Do not do that.
	66	.TP
5e43af7e BS	67	.B \-\-keep\-groups
	68	Preserve supplementary groups. Only useful in conjunction with
	69	.BR \-\-rgid ,
	70	.BR \-\-egid ", or"
	71	.BR \-\-regid .
	72	.TP
94826d0d SS	73	.B \-\-init\-groups
	74	Initialize supplementary groups using
	75	.BR initgroups "(3)."
	76	Only useful in conjunction with
0bb7e904	77	.B \-\-ruid
94826d0d SS	78	or
	79	.BR \-\-reuid .
	80	.TP
0bb7e904	81	.B \-\-list\-caps
cf8e0bae	82	List all known capabilities. This option must be specified alone.
5600c405	83	.TP
b06c1ca6	84	.B \-\-no\-new\-privs
5e43af7e BS	85	Set the
	86	.I no_new_privs
	87	bit. With this bit set,
	88	.BR execve (2)
aedd46f6 MK	89	will not grant new privileges.
aedd46f6 MK	90	For example, the set-user-ID and set-group-ID bits as well
5e43af7e BS	91	as file capabilities will be disabled. (Executing binaries with these bits set
	92	will still work, but they will not gain privileges. Certain LSMs, especially
	93	AppArmor, may result in failures to execute certain programs.) This bit is
	94	inherited by child processes and cannot be unset. See
	95	.BR prctl (2)
	96	and
0bb7e904	97	.I Documentation/\:prctl/\:no_\:new_\:privs.txt
5e43af7e BS	98	in the Linux kernel source.
	99	.sp
	100	The no_new_privs bit is supported since Linux 3.5.
	101	.TP
	102	.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
a72fa61a	103	Set the real, effective, or both GIDs. The \fIgid\fR argument can be
5e43af7e BS	104	given as textual group name.
	105	.sp
	106	For safety, you must specify one of
b06c1ca6	107	.BR \-\-clear\-groups ,
a7e6a6b4 SM	108	.BR \-\-groups ,
a7e6a6b4 SM	109	.BR \-\-keep\-groups ", or"
0bb7e904	110	.B \-\-init\-groups
5e43af7e BS	111	if you set any primary
	112	.IR gid .
	113	.TP
	114	.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
a72fa61a	115	Set the real, effective, or both UIDs. The \fIuid\fR argument can be
637fa4c6	116	given as textual login name.
5e43af7e BS	117	.sp
5e43af7e BS	118	Setting a
5600c405 AL	119	.I uid
	120	or
	121	.I gid
	122	does not change capabilities, although the exec call at the end might change
	123	capabilities. This means that, if you are root, you probably want to do
	124	something like:
5e43af7e	125	.sp
35e953e0	126	.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-inh\-caps=\-all"
5600c405	127	.TP
5e43af7e	128	.BR \-\-securebits " (" + \| \- ) \fIsecurebit ...
cf8e0bae BS	129	Set or clear securebits. The argument is a comma-separated list.
cf8e0bae BS	130	The valid securebits are
5600c405	131	.IR noroot ,
cf8e0bae BS	132	.IR noroot_locked ,
	133	.IR no_setuid_fixup ,
	134	.IR no_setuid_fixup_locked ,
5600c405	135	and
cf8e0bae BS	136	.IR keep_caps_locked .
cf8e0bae BS	137	.I keep_caps
5600c405 AL	138	is cleared by
	139	.BR execve (2)
	140	and is therefore not allowed.
	141	.TP
23f54ce7 PS	142	.BR "\-\-pdeathsig keep" \| clear \| <signal>
	143	Keep, clear or set the parent death signal. Some LSMs, most notably SELinux and
	144	AppArmor, clear the signal when the process' credentials change. Using
1c4c6024	145	\fB\-\-pdeathsig keep\fR will restore the parent death signal after changing
23f54ce7 PS	146	credentials to remedy that situation.
23f54ce7 PS	147	.TP
b06c1ca6	148	.BI \-\-selinux\-label " label"
cf8e0bae	149	Request a particular SELinux transition (using a transition on exec, not
5600c405 AL	150	dyntrans). This will fail and cause
	151	.BR setpriv (1)
	152	to abort if SELinux is not in use, and the transition may be ignored or cause
	153	.BR execve (2)
	154	to fail at SELinux's whim. (In particular, this is unlikely to work in
	155	conjunction with
cf8e0bae	156	.IR no_new_privs .)
5600c405 AL	157	This is similar to
	158	.BR runcon (1).
	159	.TP
b06c1ca6	160	.BI \-\-apparmor\-profile " profile"
cf8e0bae	161	Request a particular AppArmor profile (using a transition on exec). This will
5600c405 AL	162	fail and cause
	163	.BR setpriv (1)
	164	to abort if AppArmor is not in use, and the transition may be ignored or cause
	165	.BR execve (2)
	166	to fail at AppArmor's whim.
	167	.TP
2fb684f0	168	.B \-\-reset\-env
89f95425 KZ	169	Clears all the environment variables except TERM; initializes the environment variables HOME, SHELL, USER, LOGNAME
	170	according to the user's passwd entry; sets PATH to \fI/usr/local/bin:/bin:/usr/bin\fR for a regual user and to
	171	\fI/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\fR for root.
	172	.sp
	173	The environment variable PATH may be different on systems where /bin and /sbin
	174	are merged into /usr. The environment variable SHELL defaults to \fI/bin/sh\fR if none is given in the user's
	175	passwd entry.
	176	.TP
5e43af7e	177	.BR \-V , " \-\-version"
5600c405 AL	178	Display version information and exit.
5600c405 AL	179	.TP
5e43af7e	180	.BR \-h , " \-\-help"
b4362b6f	181	Display help text and exit.
5600c405 AL	182	.SH NOTES
	183	If applying any specified option fails,
	184	.I program
	185	will not be run and
	186	.B setpriv
a87f49f6	187	will return with exit status 127.
5600c405 AL	188	.PP
5600c405 AL	189	Be careful with this tool \-\- it may have unexpected security consequences.
cf8e0bae BS	190	For example, setting no_new_privs and then execing a program that is
cf8e0bae BS	191	SELinux\-confined (as this tool would do) may prevent the SELinux
5600c405	192	restrictions from taking effect.
1aed71e5 SM	193	.SH EXAMPLE
	194	If you're looking for behaviour similar to
	195	.BR su (1)/ runuser "(1), or " sudo (8)
	196	(without the
1c4c6024	197	.B \-g
1aed71e5 SM	198	option), try something like:
	199	.sp
	200	.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-init\-groups"
	201	.PP
	202	If you want to mimic daemontools'
	203	.BR setuid (8),
	204	try:
	205	.sp
	206	.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-clear\-groups"
5600c405	207	.SH SEE ALSO
c424fd83	208	.BR runuser (1),
f053ff1e	209	.BR su (1),
66083665	210	.BR prctl (2),
4a2ec98b	211	.BR capabilities (7)
a8d0d330	212	.SH AUTHORS
5600c405 AL	213	.MT luto@amacapital.net
	214	Andy Lutomirski
	215	.ME
	216	.SH AVAILABILITY
	217	The
	218	.B setpriv
	219	command is part of the util-linux package and is available from
d673b74e	220	.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
5600c405 AL	221	Linux Kernel Archive
5600c405 AL	222	.UE .