sys-utils/setpriv.1

   1 .TH SETPRIV 1 "January 2013" "util-linux" "User Commands"
   2 .SH NAME
   3 setpriv \- run a program with different Linux privilege settings
   4 .SH SYNOPSIS
   5 .B setpriv
   6 .RI [ options ]
   7 program
   8 .RI [ arguments ]
   9 .SH DESCRIPTION
  10 Sets or queries various Linux privilege settings that are inherited across
  11 .BR execve (2).
  12 .SH OPTION
  13 .TP
  14 \fB\-d\fR, \fB\-\-dump\fR
  15 Dumps current privilege state.  Specify more than once to show extra, mostly
  16 useless, information.  Incompatible with all other options.
  17 .TP
  18 \fB\-\-no\-new\-privs\fR
  19 Sets the
  20 .I no_\:new_\:privs
  21 bit.  With this bit set,
  22 .BR execve (2)
  23 will not grant new privileges.  For example, the setuid and setgid bits as well
  24 as file capabilities will be disabled.  (Executing binaries with these bits set
  25 will still work, but they will not gain privilege.  Certain LSMs, especially
  26 AppArmor, may result in failures to execute certain programs.) This bit is
  27 inherited by child processes and cannot be unset.  See
  28 .BR prctl (2)
  29 and
  30 .IR Documentation/\:prctl/\:no_\:new_\:privs.txt
  31 in the Linux kernel source.
  32 .IP
  33 The no_\:new_\:privs bit is supported since Linux 3.5.
  34 .TP
  35 \fB\-\-inh\-caps\fR \fI(+|\-)cap\fR,\fI...\fR or \fB\-\-bounding\-set\fR \fI(+|\-)cap\fR,\fI...\fR
  36 Sets inheritable capabilities or capability bounding set.  See
  37 .BR capabilities (7).
  38 The argument is a comma-separated list of
  39 .I +cap
  40 and
  41 .I \-cap
  42 entries, which add or remove an entry respectively.
  43 .I +all
  44 and
  45 .I \-all
  46 can be used to add or remove all caps.  The set of capabilities starts out as
  47 the current inheritable set for
  48 .B \-\-\:inh\-\:caps
  49 and the current bounding set for
  50 .BR \-\-\:bounding\-\:set .
  51 If you drop something from the bounding set without also dropping it from the
  52 inheritable set, you are likely to become confused.  Do not do that.
  53 .TP
  54 .BR \-\-list\-caps
  55 Lists all known capabilities.  Must be specified alone.
  56 .TP
  57 \fB\-\-ruid\fR \fIuid\fR, \fB\-\-euid\fR \fIuid\fR, \fB\-\-reuid\fR \fIuid\fR
  58 Sets the real, effective, or both \fIuid\fRs.  The uid argument can be
  59 given as textual login name.
  60 .IP
  61 Setting
  62 .I uid
  63 or
  64 .I gid
  65 does not change capabilities, although the exec call at the end might change
  66 capabilities.  This means that, if you are root, you probably want to do
  67 something like:
  68 .IP
  69 \-\-reuid=1000 \-\-\:regid=1000 \-\-\:caps=\-\:all
  70 .TP
  71 \fB\-\-rgid\fR \fIgid\fR, \fB\-\-egid\fR \fIgid\fR, \fB\-\-regid\fR \fIgid\fR
  72 Sets the real, effective, or both \fIgid\fRs.  The gid argument can be
  73 given as textual group name.
  74 .IP
  75 For safety, you must specify one of \-\-\:keep\-\:groups,
  76 \-\-\:clear\-\:groups, or \-\-\:groups if you set any primary
  77 .IR gid .
  78 .TP
  79 .BR \-\-clear\-groups
  80 Clears supplementary groups.
  81 .TP
  82 \fB\-\-keep\-groups\fR
  83 Preserves supplementary groups.  Only useful in conjunction with \-\-rgid,
  84 \-\-egid, or \-\-regid.
  85 .TP
  86 \fB\-\-groups\fR \fIgroup\fR,\fI...\fR
  87 Sets supplementary groups.
  88 .TP
  89 \fB\-\-securebits\fR \fI(+|\-)securebit\fR,\fI...\fR
  90 Sets or clears securebits.  The valid securebits are
  91 .IR noroot ,
  92 .IR noroot_\:locked ,
  93 .IR no_\:setuid_\:fixup ,
  94 .IR no_\:setuid_\:fixup_\:locked ,
  95 and
  96 .IR keep_\:caps_\:locked .
  97 .I keep_\:caps
  98 is cleared by
  99 .BR execve (2)
 100 and is therefore not allowed.
 101 .TP
 102 \fB\-\-selinux\-label\fR \fIlabel\fR
 103 Requests a particular SELinux transition (using a transition on exec, not
 104 dyntrans).  This will fail and cause
 105 .BR setpriv (1)
 106 to abort if SELinux is not in use, and the transition may be ignored or cause
 107 .BR execve (2)
 108 to fail at SELinux's whim.  (In particular, this is unlikely to work in
 109 conjunction with
 110 .IR no_\:new_\:privs .)
 111 This is similar to
 112 .BR runcon (1).
 113 .TP
 114 \fB\-\-apparmor\-profile\fR \fIprofile\fR
 115 Requests a particular AppArmor profile (using a transition on exec).  This will
 116 fail and cause
 117 .BR setpriv (1)
 118 to abort if AppArmor is not in use, and the transition may be ignored or cause
 119 .BR execve (2)
 120 to fail at AppArmor's whim.
 121 .TP
 122 \fB\-V\fR, \fB\-\-version\fR
 123 Display version information and exit.
 124 .TP
 125 \fB\-h\fR, \fB\-\-help\fR
 126 Display help and exit.
 127 .SH NOTES
 128 If applying any specified option fails,
 129 .I program
 130 will not be run and
 131 .B setpriv
 132 will return with exit code 127.
 133 .PP
 134 Be careful with this tool \-\- it may have unexpected security consequences.
 135 For example, setting no_\:new_\:privs and then execing a program that is
 136 SELinux\-\:confined (as this tool would do) may prevent the SELinux
 137 restrictions from taking effect.
 138 .SH SEE ALSO
 139 .BR prctl (2)
 140 .BR capability (7)
 141 .SH AUTHOR
 142 .MT luto@amacapital.net
 143 Andy Lutomirski
 144 .ME
 145 .SH AVAILABILITY
 146 The
 147 .B setpriv
 148 command is part of the util-linux package and is available from
 149 .UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
 150 Linux Kernel Archive
 151 .UE .