diff options
Diffstat (limited to 'sys-utils/setpriv.1')
-rw-r--r-- | sys-utils/setpriv.1 | 251 |
1 files changed, 251 insertions, 0 deletions
diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1 new file mode 100644 index 0000000..42d1a2f --- /dev/null +++ b/sys-utils/setpriv.1 @@ -0,0 +1,251 @@ +.TH SETPRIV 1 "July 2014" "util-linux" "User Commands" +.SH NAME +setpriv \- run a program with different Linux privilege settings +.SH SYNOPSIS +.B setpriv +[options] +.I program +.RI [ arguments ] +.SH DESCRIPTION +Sets or queries various Linux privilege settings that are inherited across +.BR execve (2). +.PP +In comparison to +.BR su (1) +and +.BR runuser (1), +.B setpriv +neither uses PAM, nor does it prompt for a password. +It is a simple, non-set-user-ID wrapper around +.BR execve (2), +and can be used to drop privileges in the same way as +.BR setuidgid (8) +from +.BR daemontools , +.BR chpst (8) +from +.BR runit , +or similar tools shipped by other service managers. +.SH OPTIONS +.TP +.B \-\-clear\-groups +Clear supplementary groups. +.TP +.BR \-d , " \-\-dump" +Dump the current privilege state. +This option can be specified more than once to show extra, +mostly useless, information. Incompatible with all other options. +.TP +.B \-\-groups \fIgroup\fR... +Set supplementary groups. The argument is a comma-separated list of GIDs or names. +.TP +.BR \-\-inh\-caps " (" + | \- ) \fIcap "... or " \-\-ambient-caps " (" + | \- ) \fIcap "... or " \-\-bounding\-set " (" + | \- ) \fIcap ... +Set the inheritable capabilities, ambient capabilities or the capability bounding set. See +.BR capabilities (7). +The argument is a comma-separated list of +.BI + cap +and +.BI \- cap +entries, which add or remove an entry respectively. \fIcap\fR can either be a +human-readable name as seen in +.BR capabilities (7) +without the \fIcap_\fR prefix or of the format +.BR cap_N , +where \fIN\fR is the internal capability index used by Linux. +.B +all +and +.B \-all +can be used to add or remove all caps. +.IP +The set of capabilities starts out as +the current inheritable set for +.BR \-\-inh\-caps , +the current ambient set for +.B \-\-ambient\-caps +and the current bounding set for +.BR \-\-bounding\-set . +.IP +Note the following restrictions (detailed in +.BR capabilities (7)) +regarding modifications to these capability sets: +.RS +.IP * 2 +A capability can be added to the inheritable set only if it is +currently present in the bounding set. +.IP * +A capability can be added to the ambient set only if it is currently +present in both the permitted and inheritable sets. +.IP * +Notwithstanding the syntax offered by +.BR setpriv , +the kernel does not permit capabilities to be added to the bounding set. +.RE +.IP +If you drop a capability from the bounding set without also dropping it from the +inheritable set, you are likely to become confused. Do not do that. +.TP +.B \-\-keep\-groups +Preserve supplementary groups. Only useful in conjunction with +.BR \-\-rgid , +.BR \-\-egid ", or" +.BR \-\-regid . +.TP +.B \-\-init\-groups +Initialize supplementary groups using +.BR initgroups "(3)." +Only useful in conjunction with +.B \-\-ruid +or +.BR \-\-reuid . +.TP +.B \-\-list\-caps +List all known capabilities. This option must be specified alone. +.TP +.B \-\-no\-new\-privs +Set the +.I no_new_privs +bit. With this bit set, +.BR execve (2) +will not grant new privileges. +For example, the set-user-ID and set-group-ID bits as well +as file capabilities will be disabled. (Executing binaries with these bits set +will still work, but they will not gain privileges. Certain LSMs, especially +AppArmor, may result in failures to execute certain programs.) This bit is +inherited by child processes and cannot be unset. See +.BR prctl (2) +and +.I Documentation/\:prctl/\:no_\:new_\:privs.txt +in the Linux kernel source. +.sp +The +.I no_new_privs +bit is supported since Linux 3.5. +.TP +.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid" +Set the real, effective, or both GIDs. The \fIgid\fR argument can be +given as a textual group name. +.sp +For safety, you must specify one of +.BR \-\-clear\-groups , +.BR \-\-groups , +.BR \-\-keep\-groups ", or" +.B \-\-init\-groups +if you set any primary +.IR gid . +.TP +.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid" +Set the real, effective, or both UIDs. The \fIuid\fR argument can be +given as a textual login name. +.sp +Setting a +.I uid +or +.I gid +does not change capabilities, although the exec call at the end might change +capabilities. This means that, if you are root, you probably want to do +something like: +.sp +.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-inh\-caps=\-all" +.TP +.BR \-\-securebits " (" + | \- ) \fIsecurebit ... +Set or clear securebits. The argument is a comma-separated list. +The valid securebits are +.IR noroot , +.IR noroot_locked , +.IR no_setuid_fixup , +.IR no_setuid_fixup_locked , +and +.IR keep_caps_locked . +.I keep_caps +is cleared by +.BR execve (2) +and is therefore not allowed. +.TP +.BR "\-\-pdeathsig keep" | clear | <signal> +Keep, clear or set the parent death signal. Some LSMs, most notably SELinux and +AppArmor, clear the signal when the process' credentials change. Using +\fB\-\-pdeathsig keep\fR will restore the parent death signal after changing +credentials to remedy that situation. +.TP +.BI \-\-selinux\-label " label" +Request a particular SELinux transition (using a transition on exec, not +dyntrans). This will fail and cause +.B setpriv +to abort if SELinux is not in use, and the transition may be ignored or cause +.BR execve (2) +to fail at SELinux's whim. (In particular, this is unlikely to work in +conjunction with +.IR no_new_privs .) +This is similar to +.BR runcon (1). +.TP +.BI \-\-apparmor\-profile " profile" +Request a particular AppArmor profile (using a transition on exec). This will +fail and cause +.B setpriv +to abort if AppArmor is not in use, and the transition may be ignored or cause +.BR execve (2) +to fail at AppArmor's whim. +.TP +.B \-\-reset\-env +Clears all the environment variables except TERM; initializes the environment variables HOME, SHELL, USER, LOGNAME +according to the user's passwd entry; sets PATH to \fI/usr/local/bin:/bin:/usr/bin\fR for a regular user and to +\fI/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\fR for root. +.sp +The environment variable PATH may be different on systems where +.I /bin +and +.I /sbin +are merged into +.IR /usr . +The environment variable SHELL defaults to \fI/bin/sh\fR if none is given in the user's +passwd entry. +.TP +.BR \-V , " \-\-version" +Display version information and exit. +.TP +.BR \-h , " \-\-help" +Display help text and exit. +.SH NOTES +If applying any specified option fails, +.I program +will not be run and +.B setpriv +will return with exit status 127. +.PP +Be careful with this tool \-\- it may have unexpected security consequences. +For example, setting +.I no_new_privs +and then execing a program that is +SELinux\-confined (as this tool would do) may prevent the SELinux +restrictions from taking effect. +.SH EXAMPLES +If you're looking for behaviour similar to +.BR su (1)/ runuser "(1), or " sudo (8) +(without the +.B \-g +option), try something like: +.sp +.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-init\-groups" +.PP +If you want to mimic daemontools' +.BR setuid (8), +try: +.sp +.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-clear\-groups" +.SH AUTHORS +.MT luto@amacapital.net +Andy Lutomirski +.ME +.SH SEE ALSO +.BR runuser (1), +.BR su (1), +.BR prctl (2), +.BR capabilities (7) +.SH AVAILABILITY +The +.B setpriv +command is part of the util-linux package and is available from +.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/ +Linux Kernel Archive +.UE . |