[thirdparty/util-linux.git] / sys-utils / setpriv.1

.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
.SH NAME
setpriv \- run a program with different Linux privilege settings
.SH SYNOPSIS
.B setpriv
[options]
.I program
.RI [ arguments ]
.SH DESCRIPTION
Sets or queries various Linux privilege settings that are inherited across
.BR execve (2).
.PP
The difference between the commands setpriv and su (or runuser) is that setpriv does
not use open PAM session and does not ask for password.
It's simple non-set-user-ID wrapper around
.B execve
system call.
.SH OPTION
.TP
.B \-\-clear\-groups
Clear supplementary groups.
.TP
.BR \-d , " \-\-dump"
Dump current privilege state.  Can be specified more than once to show extra,
mostly useless, information.  Incompatible with all other options.
.TP
.B \-\-groups \fIgroup\fR...
Set supplementary groups.  The argument is a comma-separated list.
.TP
.BR \-\-inh\-caps " (" + | \- ) \fIcap "...  or  " \-\-ambient-caps " (" + | \- ) \fIcap "...  or  " \-\-bounding\-set " (" + | \- ) \fIcap ...
Set the inheritable capabilities, ambient capabilities or the capability bounding set.  See
.BR capabilities (7).
The argument is a comma-separated list of
.BI + cap
and
.BI \- cap
entries, which add or remove an entry respectively.
.B +all
and
.B \-all
can be used to add or remove all caps.  The set of capabilities starts out as
the current inheritable set for
.BR \-\-inh\-caps ,
the current ambient set for
.B \-\-ambient\-caps
and the current bounding set for
.BR \-\-bounding\-set .
If you drop something from the bounding set without also dropping it from the
inheritable set, you are likely to become confused.  Do not do that.
.TP
.B \-\-keep\-groups
Preserve supplementary groups.  Only useful in conjunction with
.BR \-\-rgid ,
.BR \-\-egid ", or"
.BR \-\-regid .
.TP
.B \-\-init\-groups
Initialize supplementary groups using
.BR initgroups "(3)."
Only useful in conjunction with
.BR \-\-ruid
or
.BR \-\-reuid .
.TP
.BR \-\-list\-caps
List all known capabilities.  This option must be specified alone.
.TP
.B \-\-no\-new\-privs
Set the
.I no_new_privs
bit.  With this bit set,
.BR execve (2)
will not grant new privileges.
For example, the set-user-ID and set-group-ID bits as well
as file capabilities will be disabled.  (Executing binaries with these bits set
will still work, but they will not gain privileges.  Certain LSMs, especially
AppArmor, may result in failures to execute certain programs.)  This bit is
inherited by child processes and cannot be unset.  See
.BR prctl (2)
and
.IR Documentation/\:prctl/\:no_\:new_\:privs.txt
in the Linux kernel source.
.sp
The no_new_privs bit is supported since Linux 3.5.
.TP
.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
Set the real, effective, or both GIDs.  The \fIgid\fR argument can be
given as textual group name.
.sp
For safety, you must specify one of
.BR \-\-clear\-groups ,
.BR \-\-groups ", or"
.BR \-\-keep\-groups
if you set any primary
.IR gid .
.TP
.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
Set the real, effective, or both UIDs.  The \fIuid\fR argument can be
given as textual login name.
.sp
Setting a
.I uid
or
.I gid
does not change capabilities, although the exec call at the end might change
capabilities.  This means that, if you are root, you probably want to do
something like:
.sp
.B "        setpriv \-\-reuid=1000 \-\-regid=1000 \-\-caps=\-all"
.TP
.BR \-\-securebits " (" + | \- ) \fIsecurebit ...
Set or clear securebits.  The argument is a comma-separated list.
The valid securebits are
.IR noroot ,
.IR noroot_locked ,
.IR no_setuid_fixup ,
.IR no_setuid_fixup_locked ,
and
.IR keep_caps_locked .
.I keep_caps
is cleared by
.BR execve (2)
and is therefore not allowed.
.TP
.BI \-\-selinux\-label " label"
Request a particular SELinux transition (using a transition on exec, not
dyntrans).  This will fail and cause
.BR setpriv (1)
to abort if SELinux is not in use, and the transition may be ignored or cause
.BR execve (2)
to fail at SELinux's whim.  (In particular, this is unlikely to work in
conjunction with
.IR no_new_privs .)
This is similar to
.BR runcon (1).
.TP
.BI \-\-apparmor\-profile " profile"
Request a particular AppArmor profile (using a transition on exec).  This will
fail and cause
.BR setpriv (1)
to abort if AppArmor is not in use, and the transition may be ignored or cause
.BR execve (2)
to fail at AppArmor's whim.
.TP
.BR \-V , " \-\-version"
Display version information and exit.
.TP
.BR \-h , " \-\-help"
Display help text and exit.
.SH NOTES
If applying any specified option fails,
.I program
will not be run and
.B setpriv
will return with exit code 127.
.PP
Be careful with this tool \-\- it may have unexpected security consequences.
For example, setting no_new_privs and then execing a program that is
SELinux\-confined (as this tool would do) may prevent the SELinux
restrictions from taking effect.
.SH SEE ALSO
.BR runuser (1),
.BR su (1),
.BR prctl (2),
.BR capabilities (7)
.SH AUTHOR
.MT luto@amacapital.net
Andy Lutomirski
.ME
.SH AVAILABILITY
The
.B setpriv
command is part of the util-linux package and is available from
.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
Linux Kernel Archive
.UE .
Commit	Line	Data
cf8e0bae	1	.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
5600c405 AL	2	.SH NAME
	3	setpriv \- run a program with different Linux privilege settings
	4	.SH SYNOPSIS
	5	.B setpriv
cf8e0bae BS	6	[options]
cf8e0bae BS	7	.I program
5600c405 AL	8	.RI [ arguments ]
	9	.SH DESCRIPTION
	10	Sets or queries various Linux privilege settings that are inherited across
	11	.BR execve (2).
c424fd83 KZ	12	.PP
c424fd83 KZ	13	The difference between the commands setpriv and su (or runuser) is that setpriv does
aedd46f6 MK	14	not use open PAM session and does not ask for password.
aedd46f6 MK	15	It's simple non-set-user-ID wrapper around
c424fd83	16	.B execve
3be5d977	17	system call.
5600c405 AL	18	.SH OPTION
5600c405 AL	19	.TP
5e43af7e BS	20	.B \-\-clear\-groups
	21	Clear supplementary groups.
	22	.TP
	23	.BR \-d , " \-\-dump"
cf8e0bae BS	24	Dump current privilege state. Can be specified more than once to show extra,
cf8e0bae BS	25	mostly useless, information. Incompatible with all other options.
5600c405	26	.TP
5e43af7e BS	27	.B \-\-groups \fIgroup\fR...
5e43af7e BS	28	Set supplementary groups. The argument is a comma-separated list.
5600c405	29	.TP
0c92194e PS	30	.BR \-\-inh\-caps " (" + \| \- ) \fIcap "... or " \-\-ambient-caps " (" + \| \- ) \fIcap "... or " \-\-bounding\-set " (" + \| \- ) \fIcap ...
0c92194e PS	31	Set the inheritable capabilities, ambient capabilities or the capability bounding set. See
5600c405 AL	32	.BR capabilities (7).
5600c405 AL	33	The argument is a comma-separated list of
cf8e0bae	34	.BI + cap
5600c405	35	and
cf8e0bae	36	.BI \- cap
5600c405	37	entries, which add or remove an entry respectively.
cf8e0bae	38	.B +all
5600c405	39	and
cf8e0bae	40	.B \-all
5600c405 AL	41	can be used to add or remove all caps. The set of capabilities starts out as
5600c405 AL	42	the current inheritable set for
0c92194e PS	43	.BR \-\-inh\-caps ,
	44	the current ambient set for
	45	.B \-\-ambient\-caps
5600c405	46	and the current bounding set for
cf8e0bae	47	.BR \-\-bounding\-set .
5600c405 AL	48	If you drop something from the bounding set without also dropping it from the
	49	inheritable set, you are likely to become confused. Do not do that.
	50	.TP
5e43af7e BS	51	.B \-\-keep\-groups
	52	Preserve supplementary groups. Only useful in conjunction with
	53	.BR \-\-rgid ,
	54	.BR \-\-egid ", or"
	55	.BR \-\-regid .
	56	.TP
94826d0d SS	57	.B \-\-init\-groups
	58	Initialize supplementary groups using
	59	.BR initgroups "(3)."
	60	Only useful in conjunction with
	61	.BR \-\-ruid
	62	or
	63	.BR \-\-reuid .
	64	.TP
5600c405	65	.BR \-\-list\-caps
cf8e0bae	66	List all known capabilities. This option must be specified alone.
5600c405	67	.TP
b06c1ca6	68	.B \-\-no\-new\-privs
5e43af7e BS	69	Set the
	70	.I no_new_privs
	71	bit. With this bit set,
	72	.BR execve (2)
aedd46f6 MK	73	will not grant new privileges.
aedd46f6 MK	74	For example, the set-user-ID and set-group-ID bits as well
5e43af7e BS	75	as file capabilities will be disabled. (Executing binaries with these bits set
	76	will still work, but they will not gain privileges. Certain LSMs, especially
	77	AppArmor, may result in failures to execute certain programs.) This bit is
	78	inherited by child processes and cannot be unset. See
	79	.BR prctl (2)
	80	and
	81	.IR Documentation/\:prctl/\:no_\:new_\:privs.txt
	82	in the Linux kernel source.
	83	.sp
	84	The no_new_privs bit is supported since Linux 3.5.
	85	.TP
	86	.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
a72fa61a	87	Set the real, effective, or both GIDs. The \fIgid\fR argument can be
5e43af7e BS	88	given as textual group name.
	89	.sp
	90	For safety, you must specify one of
b06c1ca6	91	.BR \-\-clear\-groups ,
5e43af7e	92	.BR \-\-groups ", or"
b06c1ca6	93	.BR \-\-keep\-groups
5e43af7e BS	94	if you set any primary
	95	.IR gid .
	96	.TP
	97	.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
a72fa61a	98	Set the real, effective, or both UIDs. The \fIuid\fR argument can be
637fa4c6	99	given as textual login name.
5e43af7e BS	100	.sp
5e43af7e BS	101	Setting a
5600c405 AL	102	.I uid
	103	or
	104	.I gid
	105	does not change capabilities, although the exec call at the end might change
	106	capabilities. This means that, if you are root, you probably want to do
	107	something like:
5e43af7e BS	108	.sp
5e43af7e BS	109	.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-caps=\-all"
5600c405	110	.TP
5e43af7e	111	.BR \-\-securebits " (" + \| \- ) \fIsecurebit ...
cf8e0bae BS	112	Set or clear securebits. The argument is a comma-separated list.
cf8e0bae BS	113	The valid securebits are
5600c405	114	.IR noroot ,
cf8e0bae BS	115	.IR noroot_locked ,
	116	.IR no_setuid_fixup ,
	117	.IR no_setuid_fixup_locked ,
5600c405	118	and
cf8e0bae BS	119	.IR keep_caps_locked .
cf8e0bae BS	120	.I keep_caps
5600c405 AL	121	is cleared by
	122	.BR execve (2)
	123	and is therefore not allowed.
	124	.TP
b06c1ca6	125	.BI \-\-selinux\-label " label"
cf8e0bae	126	Request a particular SELinux transition (using a transition on exec, not
5600c405 AL	127	dyntrans). This will fail and cause
	128	.BR setpriv (1)
	129	to abort if SELinux is not in use, and the transition may be ignored or cause
	130	.BR execve (2)
	131	to fail at SELinux's whim. (In particular, this is unlikely to work in
	132	conjunction with
cf8e0bae	133	.IR no_new_privs .)
5600c405 AL	134	This is similar to
	135	.BR runcon (1).
	136	.TP
b06c1ca6	137	.BI \-\-apparmor\-profile " profile"
cf8e0bae	138	Request a particular AppArmor profile (using a transition on exec). This will
5600c405 AL	139	fail and cause
	140	.BR setpriv (1)
	141	to abort if AppArmor is not in use, and the transition may be ignored or cause
	142	.BR execve (2)
	143	to fail at AppArmor's whim.
	144	.TP
5e43af7e	145	.BR \-V , " \-\-version"
5600c405 AL	146	Display version information and exit.
5600c405 AL	147	.TP
5e43af7e	148	.BR \-h , " \-\-help"
b4362b6f	149	Display help text and exit.
5600c405 AL	150	.SH NOTES
	151	If applying any specified option fails,
	152	.I program
	153	will not be run and
	154	.B setpriv
	155	will return with exit code 127.
	156	.PP
	157	Be careful with this tool \-\- it may have unexpected security consequences.
cf8e0bae BS	158	For example, setting no_new_privs and then execing a program that is
cf8e0bae BS	159	SELinux\-confined (as this tool would do) may prevent the SELinux
5600c405 AL	160	restrictions from taking effect.
5600c405 AL	161	.SH SEE ALSO
c424fd83	162	.BR runuser (1),
f053ff1e	163	.BR su (1),
66083665	164	.BR prctl (2),
4a2ec98b	165	.BR capabilities (7)
5600c405 AL	166	.SH AUTHOR
	167	.MT luto@amacapital.net
	168	Andy Lutomirski
	169	.ME
	170	.SH AVAILABILITY
	171	The
	172	.B setpriv
	173	command is part of the util-linux package and is available from
d673b74e	174	.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
5600c405 AL	175	Linux Kernel Archive
5600c405 AL	176	.UE .