Commit | Line | Data |
---|---|---|
cf8e0bae | 1 | .TH SETPRIV 1 "July 2014" "util-linux" "User Commands" |
5600c405 AL |
2 | .SH NAME |
3 | setpriv \- run a program with different Linux privilege settings | |
4 | .SH SYNOPSIS | |
5 | .B setpriv | |
cf8e0bae BS |
6 | [options] |
7 | .I program | |
5600c405 AL |
8 | .RI [ arguments ] |
9 | .SH DESCRIPTION | |
10 | Sets or queries various Linux privilege settings that are inherited across | |
11 | .BR execve (2). | |
c424fd83 KZ |
12 | .PP |
13 | The difference between the commands setpriv and su (or runuser) is that setpriv does | |
aedd46f6 MK |
14 | not open a PAM session and does not ask for a password. |
15 | It's a simple non-set-user-ID wrapper around the | |
c424fd83 | 16 | .B execve |
3be5d977 | 17 | system call. |
5600c405 AL |
18 | .SH OPTIONS |
19 | .TP | |
5e43af7e BS |
20 | .B \-\-clear\-groups |
21 | Clear supplementary groups. | |
22 | .TP | |
23 | .BR \-d , " \-\-dump" | |
cf8e0bae BS |
24 | Dump current privilege state. Can be specified more than once to show extra, |
25 | mostly useless, information. Incompatible with all other options. | |
5600c405 | 26 | .TP |
5e43af7e BS |
27 | .B \-\-groups \fIgroup\fR... |
28 | Set supplementary groups. The argument is a comma-separated list. | |
5600c405 | 29 | .TP |
0c92194e PS |
30 | .BR \-\-inh\-caps " (" + | \- ) \fIcap "... or " \-\-ambient\-caps " (" + | \- ) \fIcap "... or " \-\-bounding\-set " (" + | \- ) \fIcap ... |
31 | Set the inheritable capabilities, ambient capabilities or the capability bounding set. See | |
5600c405 AL |
32 | .BR capabilities (7). |
33 | The argument is a comma-separated list of | |
cf8e0bae | 34 | .BI + cap |
5600c405 | 35 | and |
cf8e0bae | 36 | .BI \- cap |
5600c405 | 37 | entries, which add or remove an entry respectively. |
cf8e0bae | 38 | .B +all |
5600c405 | 39 | and |
cf8e0bae | 40 | .B \-all |
5600c405 AL |
41 | can be used to add or remove all caps. The set of capabilities starts out as |
42 | the current inheritable set for | |
0c92194e PS |
43 | .BR \-\-inh\-caps , |
44 | the current ambient set for | |
45 | .B \-\-ambient\-caps | |
5600c405 | 46 | and the current bounding set for |
cf8e0bae | 47 | .BR \-\-bounding\-set . |
5600c405 AL |
48 | If you drop something from the bounding set without also dropping it from the |
49 | inheritable set, you are likely to become confused. Do not do that. | |
50 | .TP | |
5e43af7e BS |
51 | .B \-\-keep\-groups |
52 | Preserve supplementary groups. Only useful in conjunction with | |
53 | .BR \-\-rgid , | |
54 | .BR \-\-egid ", or" | |
55 | .BR \-\-regid . | |
56 | .TP | |
94826d0d SS |
57 | .B \-\-init\-groups |
58 | Initialize supplementary groups using | |
59 | .BR initgroups "(3)." | |
60 | Only useful in conjunction with | |
61 | .BR \-\-ruid | |
62 | or | |
63 | .BR \-\-reuid . | |
64 | .TP | |
5600c405 | 65 | .BR \-\-list\-caps |
cf8e0bae | 66 | List all known capabilities. This option must be specified alone. |
5600c405 | 67 | .TP |
b06c1ca6 | 68 | .B \-\-no\-new\-privs |
5e43af7e BS |
69 | Set the |
70 | .I no_new_privs | |
71 | bit. With this bit set, | |
72 | .BR execve (2) | |
aedd46f6 MK |
73 | will not grant new privileges. |
74 | For example, the set-user-ID and set-group-ID bits as well | |
5e43af7e BS |
75 | as file capabilities will be disabled. (Executing binaries with these bits set |
76 | will still work, but they will not gain privileges. Certain LSMs, especially | |
77 | AppArmor, may result in failures to execute certain programs.) This bit is | |
78 | inherited by child processes and cannot be unset. See | |
79 | .BR prctl (2) | |
80 | and | |
81 | .IR Documentation/\:prctl/\:no_\:new_\:privs.txt | |
82 | in the Linux kernel source. | |
83 | .sp | |
84 | The no_new_privs bit is supported since Linux 3.5. | |
85 | .TP | |
86 | .BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid" | |
a72fa61a | 87 | Set the real, effective, or both GIDs. The \fIgid\fR argument can be |
5e43af7e BS |
88 | given as a textual group name. |
89 | .sp | |
90 | For safety, you must specify one of | |
b06c1ca6 | 91 | .BR \-\-clear\-groups , |
5e43af7e | 92 | .BR \-\-groups ", or" |
b06c1ca6 | 93 | .BR \-\-keep\-groups |
5e43af7e BS |
94 | if you set any primary |
95 | .IR gid . | |
96 | .TP | |
97 | .BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid" | |
a72fa61a | 98 | Set the real, effective, or both UIDs. The \fIuid\fR argument can be |
637fa4c6 | 99 | given as a textual login name. |
5e43af7e BS |
100 | .sp |
101 | Setting a | |
5600c405 AL |
102 | .I uid |
103 | or | |
104 | .I gid | |
105 | does not change capabilities, although the exec call at the end might change | |
106 | capabilities. This means that, if you are root, you probably want to do | |
107 | something like: | |
5e43af7e BS |
108 | .sp |
109 | .B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-inh\-caps=\-all" | |
5600c405 | 110 | .TP |
5e43af7e | 111 | .BR \-\-securebits " (" + | \- ) \fIsecurebit ... |
cf8e0bae BS |
112 | Set or clear securebits. The argument is a comma-separated list. |
113 | The valid securebits are | |
5600c405 | 114 | .IR noroot , |
cf8e0bae BS |
115 | .IR noroot_locked , |
116 | .IR no_setuid_fixup , | |
117 | .IR no_setuid_fixup_locked , | |
5600c405 | 118 | and |
cf8e0bae BS |
119 | .IR keep_caps_locked . |
120 | .I keep_caps | |
5600c405 AL |
121 | is cleared by |
122 | .BR execve (2) | |
123 | and is therefore not allowed. | |
124 | .TP | |
b06c1ca6 | 125 | .BI \-\-selinux\-label " label" |
cf8e0bae | 126 | Request a particular SELinux transition (using a transition on exec, not |
5600c405 AL |
127 | dyntrans). This will fail and cause |
128 | .BR setpriv (1) | |
129 | to abort if SELinux is not in use, and the transition may be ignored or cause | |
130 | .BR execve (2) | |
131 | to fail at SELinux's whim. (In particular, this is unlikely to work in | |
132 | conjunction with | |
cf8e0bae | 133 | .IR no_new_privs .) |
5600c405 AL |
134 | This is similar to |
135 | .BR runcon (1). | |
136 | .TP | |
b06c1ca6 | 137 | .BI \-\-apparmor\-profile " profile" |
cf8e0bae | 138 | Request a particular AppArmor profile (using a transition on exec). This will |
5600c405 AL |
139 | fail and cause |
140 | .BR setpriv (1) | |
141 | to abort if AppArmor is not in use, and the transition may be ignored or cause | |
142 | .BR execve (2) | |
143 | to fail at AppArmor's whim. | |
144 | .TP | |
5e43af7e | 145 | .BR \-V , " \-\-version" |
5600c405 AL |
146 | Display version information and exit. |
147 | .TP | |
5e43af7e | 148 | .BR \-h , " \-\-help" |
b4362b6f | 149 | Display help text and exit. |
5600c405 AL |
150 | .SH NOTES |
151 | If applying any specified option fails, | |
152 | .I program | |
153 | will not be run and | |
154 | .B setpriv | |
155 | will return with exit code 127. | |
156 | .PP | |
157 | Be careful with this tool \-\- it may have unexpected security consequences. | |
cf8e0bae BS |
158 | For example, setting no_new_privs and then execing a program that is |
159 | SELinux\-confined (as this tool would do) may prevent the SELinux | |
5600c405 AL |
160 | restrictions from taking effect. |
161 | .SH SEE ALSO | |
c424fd83 | 162 | .BR runuser (1), |
f053ff1e | 163 | .BR su (1), |
66083665 | 164 | .BR prctl (2), |
4a2ec98b | 165 | .BR capabilities (7) |
5600c405 AL |
166 | .SH AUTHOR |
167 | .MT luto@amacapital.net | |
168 | Andy Lutomirski | |
169 | .ME | |
170 | .SH AVAILABILITY | |
171 | The | |
172 | .B setpriv | |
173 | command is part of the util-linux package and is available from | |
d673b74e | 174 | .UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/ |
5600c405 AL |
175 | Linux Kernel Archive |
176 | .UE . |
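
The behaviour that the \-\-no\-new\-privs entry describes (the bit is inherited by child processes and cannot be unset) can be checked directly with prctl(2). The following C program is an added example, not code from setpriv or util-linux; the names reap, probe, check_no_new_privs and the NNP_* constants are hypothetical.

```c
#include <errno.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

#define NNP_SET       0x1 /* bit reads back as 1 after being set   */
#define NNP_STICKY    0x2 /* clearing it was rejected with EINVAL  */
#define NNP_INHERITED 0x4 /* a forked child sees the bit as well   */

/* Wait for pid; return its exit status, or -1 on any failure. */
static int reap(pid_t pid)
{
    int status;
    return (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        ? WEXITSTATUS(status) : -1;
}

/* Runs in a throwaway child, because the bit cannot be unset afterwards. */
static int probe(void)
{
    int result = 0;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return 0; /* not supported (Linux older than 3.5) */
    if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1)
        result |= NNP_SET;
    /* The kernel accepts only the value 1, so clearing fails with EINVAL. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL)
        result |= NNP_STICKY;
    pid_t pid = fork();
    if (pid == 0)
        _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : 1);
    if (reap(pid) == 0)
        result |= NNP_INHERITED;
    return result;
}

/* Returns the NNP_* bitmask observed in the child, or -1 on failure. */
int check_no_new_privs(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(probe());
    return reap(pid);
}

int main(void)
{
    return check_no_new_privs() == (NNP_SET | NNP_STICKY | NNP_INHERITED) ? 0 : 1;
}
```

An exit status of 0 means all three properties held on the running kernel; the calling process itself is left unchanged because the bit is only set in the forked child.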