sys-utils/setpriv.1 - pub/scm/linux/kernel/git/luto/util-linux-playground - Git at Google

 .TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
 .SH NAME
 setpriv \- run a program with different Linux privilege settings
 .SH SYNOPSIS
 .B setpriv
 [options]
 .I program
 .RI [ arguments ]
 .SH DESCRIPTION
 Sets or queries various Linux privilege settings that are inherited across
 .BR execve (2).
 .SH OPTION
 .TP
 .B \-\-clear\-groups
 Clear supplementary groups.
 .TP
 .BR \-d , " \-\-dump"
 Dump current privilege state.  Can be specified more than once to show extra,
 mostly useless, information.  Incompatible with all other options.
 .TP
 .B \-\-groups \fIgroup\fR...
 Set supplementary groups.  The argument is a comma-separated list.
 .TP
 .BR \-\-inh\-caps " (" + | \- ) \fIcap "...  or  " \-\-bounding\-set " (" + | \- ) \fIcap ...
 Set the inheritable capabilities or the capability bounding set.  See
 .BR capabilities (7).
 The argument is a comma-separated list of
 .BI + cap
 and
 .BI \- cap
 entries, which add or remove an entry respectively.
 .B +all
 and
 .B \-all
 can be used to add or remove all caps.  The set of capabilities starts out as
 the current inheritable set for
 .B \-\-inh\-caps
 and the current bounding set for
 .BR \-\-bounding\-set .
 If you drop something from the bounding set without also dropping it from the
 inheritable set, you are likely to become confused.  Do not do that.
 .TP
 .B \-\-keep\-groups
 Preserve supplementary groups.  Only useful in conjunction with
 .BR \-\-rgid ,
 .BR \-\-egid ", or"
 .BR \-\-regid .
 .TP
 .BR \-\-list\-caps
 List all known capabilities.  This option must be specified alone.
 .TP
 .B \-\-no\-new\-privs
 Set the
 .I no_new_privs
 bit.  With this bit set,
 .BR execve (2)
 will not grant new privileges.  For example, the setuid and setgid bits as well
 as file capabilities will be disabled.  (Executing binaries with these bits set
 will still work, but they will not gain privileges.  Certain LSMs, especially
 AppArmor, may result in failures to execute certain programs.)  This bit is
 inherited by child processes and cannot be unset.  See
 .BR prctl (2)
 and
 .IR Documentation/\:prctl/\:no_\:new_\:privs.txt
 in the Linux kernel source.
 .sp
 The no_new_privs bit is supported since Linux 3.5.
 .TP
 .BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
 Set the real, effective, or both gids.  The \fIgid\fR argument can be
 given as textual group name.
 .sp
 For safety, you must specify one of
 .BR \-\-clear\-groups ,
 .BR \-\-groups ", or"
 .BR \-\-keep\-groups
 if you set any primary
 .IR gid .
 .TP
 .BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
 Set the real, effective, or both uids.  The \fIuid\fR argument can be
 given as textual login name.
 .sp
 Setting a
 .I uid
 or
 .I gid
 does not change capabilities, although the exec call at the end might change
 capabilities.  This means that, if you are root, you probably want to do
 something like:
 .sp
 .B "        setpriv \-\-reuid=1000 \-\-regid=1000 \-\-caps=\-all"
 .TP
 .BR \-\-securebits " (" + | \- ) \fIsecurebit ...
 Set or clear securebits.  The argument is a comma-separated list.
 The valid securebits are
 .IR noroot ,
 .IR noroot_locked ,
 .IR no_setuid_fixup ,
 .IR no_setuid_fixup_locked ,
 and
 .IR keep_caps_locked .
 .I keep_caps
 is cleared by
 .BR execve (2)
 and is therefore not allowed.
 .TP
 .BI \-\-selinux\-label " label"
 Request a particular SELinux transition (using a transition on exec, not
 dyntrans).  This will fail and cause
 .BR setpriv (1)
 to abort if SELinux is not in use, and the transition may be ignored or cause
 .BR execve (2)
 to fail at SELinux's whim.  (In particular, this is unlikely to work in
 conjunction with
 .IR no_new_privs .)
 This is similar to
 .BR runcon (1).
 .TP
 .BI \-\-apparmor\-profile " profile"
 Request a particular AppArmor profile (using a transition on exec).  This will
 fail and cause
 .BR setpriv (1)
 to abort if AppArmor is not in use, and the transition may be ignored or cause
 .BR execve (2)
 to fail at AppArmor's whim.
 .TP
 .BR \-V , " \-\-version"
 Display version information and exit.
 .TP
 .BR \-h , " \-\-help"
 Display help text and exit.
 .SH NOTES
 If applying any specified option fails,
 .I program
 will not be run and
 .B setpriv
 will return with exit code 127.
 .PP
 Be careful with this tool \-\- it may have unexpected security consequences.
 For example, setting no_new_privs and then execing a program that is
 SELinux\-confined (as this tool would do) may prevent the SELinux
 restrictions from taking effect.
 .SH SEE ALSO
 .BR prctl (2),
 .BR capability (7)
 .SH AUTHOR
 .MT luto@amacapital.net
 Andy Lutomirski
 .ME
 .SH AVAILABILITY
 The
 .B setpriv
 command is part of the util-linux package and is available from
 .UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
 Linux Kernel Archive
 .UE .
	.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
	.SH NAME
	setpriv \- run a program with different Linux privilege settings
	.SH SYNOPSIS
	.B setpriv
	[options]
	.I program
	.RI [ arguments ]
	.SH DESCRIPTION
	Sets or queries various Linux privilege settings that are inherited across
	.BR execve (2).
	.SH OPTION
	.TP
	.B \-\-clear\-groups
	Clear supplementary groups.
	.TP
	.BR \-d , " \-\-dump"
	Dump current privilege state. Can be specified more than once to show extra,
	mostly useless, information. Incompatible with all other options.
	.TP
	.B \-\-groups \fIgroup\fR...
	Set supplementary groups. The argument is a comma-separated list.
	.TP
	.BR \-\-inh\-caps " (" + \| \- ) \fIcap "... or " \-\-bounding\-set " (" + \| \- ) \fIcap ...
	Set the inheritable capabilities or the capability bounding set. See
	.BR capabilities (7).
	The argument is a comma-separated list of
	.BI + cap
	and
	.BI \- cap
	entries, which add or remove an entry respectively.
	.B +all
	and
	.B \-all
	can be used to add or remove all caps. The set of capabilities starts out as
	the current inheritable set for
	.B \-\-inh\-caps
	and the current bounding set for
	.BR \-\-bounding\-set .
	If you drop something from the bounding set without also dropping it from the
	inheritable set, you are likely to become confused. Do not do that.
	.TP
	.B \-\-keep\-groups
	Preserve supplementary groups. Only useful in conjunction with
	.BR \-\-rgid ,
	.BR \-\-egid ", or"
	.BR \-\-regid .
	.TP
	.BR \-\-list\-caps
	List all known capabilities. This option must be specified alone.
	.TP
	.B \-\-no\-new\-privs
	Set the
	.I no_new_privs
	bit. With this bit set,
	.BR execve (2)
	will not grant new privileges. For example, the setuid and setgid bits as well
	as file capabilities will be disabled. (Executing binaries with these bits set
	will still work, but they will not gain privileges. Certain LSMs, especially
	AppArmor, may result in failures to execute certain programs.) This bit is
	inherited by child processes and cannot be unset. See
	.BR prctl (2)
	and
	.IR Documentation/\:prctl/\:no_\:new_\:privs.txt
	in the Linux kernel source.
	.sp
	The no_new_privs bit is supported since Linux 3.5.
	.TP
	.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
	Set the real, effective, or both gids. The \fIgid\fR argument can be
	given as textual group name.
	.sp
	For safety, you must specify one of
	.BR \-\-clear\-groups ,
	.BR \-\-groups ", or"
	.BR \-\-keep\-groups
	if you set any primary
	.IR gid .
	.TP
	.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
	Set the real, effective, or both uids. The \fIuid\fR argument can be
	given as textual login name.
	.sp
	Setting a
	.I uid
	or
	.I gid
	does not change capabilities, although the exec call at the end might change
	capabilities. This means that, if you are root, you probably want to do
	something like:
	.sp
	.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-caps=\-all"
	.TP
	.BR \-\-securebits " (" + \| \- ) \fIsecurebit ...
	Set or clear securebits. The argument is a comma-separated list.
	The valid securebits are
	.IR noroot ,
	.IR noroot_locked ,
	.IR no_setuid_fixup ,
	.IR no_setuid_fixup_locked ,
	and
	.IR keep_caps_locked .
	.I keep_caps
	is cleared by
	.BR execve (2)
	and is therefore not allowed.
	.TP
	.BI \-\-selinux\-label " label"
	Request a particular SELinux transition (using a transition on exec, not
	dyntrans). This will fail and cause
	.BR setpriv (1)
	to abort if SELinux is not in use, and the transition may be ignored or cause
	.BR execve (2)
	to fail at SELinux's whim. (In particular, this is unlikely to work in
	conjunction with
	.IR no_new_privs .)
	This is similar to
	.BR runcon (1).
	.TP
	.BI \-\-apparmor\-profile " profile"
	Request a particular AppArmor profile (using a transition on exec). This will
	fail and cause
	.BR setpriv (1)
	to abort if AppArmor is not in use, and the transition may be ignored or cause
	.BR execve (2)
	to fail at AppArmor's whim.
	.TP
	.BR \-V , " \-\-version"
	Display version information and exit.
	.TP
	.BR \-h , " \-\-help"
	Display help text and exit.
	.SH NOTES
	If applying any specified option fails,
	.I program
	will not be run and
	.B setpriv
	will return with exit code 127.
	.PP
	Be careful with this tool \-\- it may have unexpected security consequences.
	For example, setting no_new_privs and then execing a program that is
	SELinux\-confined (as this tool would do) may prevent the SELinux
	restrictions from taking effect.
	.SH SEE ALSO
	.BR prctl (2),
	.BR capability (7)
	.SH AUTHOR
	.MT luto@amacapital.net
	Andy Lutomirski
	.ME
	.SH AVAILABILITY
	The
	.B setpriv
	command is part of the util-linux package and is available from
	.UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
	Linux Kernel Archive
	.UE .