summaryrefslogtreecommitdiffstats
path: root/sys-utils/setpriv.1
diff options
context:
space:
mode:
Diffstat (limited to 'sys-utils/setpriv.1')
-rw-r--r--sys-utils/setpriv.1251
1 files changed, 251 insertions, 0 deletions
diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1
new file mode 100644
index 0000000..42d1a2f
--- /dev/null
+++ b/sys-utils/setpriv.1
@@ -0,0 +1,251 @@
+.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
+.SH NAME
+setpriv \- run a program with different Linux privilege settings
+.SH SYNOPSIS
+.B setpriv
+[options]
+.I program
+.RI [ arguments ]
+.SH DESCRIPTION
+Sets or queries various Linux privilege settings that are inherited across
+.BR execve (2).
+.PP
+In comparison to
+.BR su (1)
+and
+.BR runuser (1),
+.B setpriv
+neither uses PAM, nor does it prompt for a password.
+It is a simple, non-set-user-ID wrapper around
+.BR execve (2),
+and can be used to drop privileges in the same way as
+.BR setuidgid (8)
+from
+.BR daemontools ,
+.BR chpst (8)
+from
+.BR runit ,
+or similar tools shipped by other service managers.
+.SH OPTIONS
+.TP
+.B \-\-clear\-groups
+Clear supplementary groups.
+.TP
+.BR \-d , " \-\-dump"
+Dump the current privilege state.
+This option can be specified more than once to show extra,
+mostly useless, information. Incompatible with all other options.
+.TP
+.B \-\-groups \fIgroup\fR...
+Set supplementary groups. The argument is a comma-separated list of GIDs or names.
+.TP
+.BR \-\-inh\-caps " (" + | \- ) \fIcap "... or " \-\-ambient-caps " (" + | \- ) \fIcap "... or " \-\-bounding\-set " (" + | \- ) \fIcap ...
+Set the inheritable capabilities, ambient capabilities or the capability bounding set. See
+.BR capabilities (7).
+The argument is a comma-separated list of
+.BI + cap
+and
+.BI \- cap
+entries, which add or remove an entry respectively. \fIcap\fR can either be a
+human-readable name as seen in
+.BR capabilities (7)
+without the \fIcap_\fR prefix or of the format
+.BR cap_N ,
+where \fIN\fR is the internal capability index used by Linux.
+.B +all
+and
+.B \-all
+can be used to add or remove all caps.
+.IP
+The set of capabilities starts out as
+the current inheritable set for
+.BR \-\-inh\-caps ,
+the current ambient set for
+.B \-\-ambient\-caps
+and the current bounding set for
+.BR \-\-bounding\-set .
+.IP
+Note the following restrictions (detailed in
+.BR capabilities (7))
+regarding modifications to these capability sets:
+.RS
+.IP * 2
+A capability can be added to the inheritable set only if it is
+currently present in the bounding set.
+.IP *
+A capability can be added to the ambient set only if it is currently
+present in both the permitted and inheritable sets.
+.IP *
+Notwithstanding the syntax offered by
+.BR setpriv ,
+the kernel does not permit capabilities to be added to the bounding set.
+.RE
+.IP
+If you drop a capability from the bounding set without also dropping it from the
+inheritable set, you are likely to become confused. Do not do that.
+.TP
+.B \-\-keep\-groups
+Preserve supplementary groups. Only useful in conjunction with
+.BR \-\-rgid ,
+.BR \-\-egid ", or"
+.BR \-\-regid .
+.TP
+.B \-\-init\-groups
+Initialize supplementary groups using
+.BR initgroups "(3)."
+Only useful in conjunction with
+.B \-\-ruid
+or
+.BR \-\-reuid .
+.TP
+.B \-\-list\-caps
+List all known capabilities. This option must be specified alone.
+.TP
+.B \-\-no\-new\-privs
+Set the
+.I no_new_privs
+bit. With this bit set,
+.BR execve (2)
+will not grant new privileges.
+For example, the set-user-ID and set-group-ID bits as well
+as file capabilities will be disabled. (Executing binaries with these bits set
+will still work, but they will not gain privileges. Certain LSMs, especially
+AppArmor, may result in failures to execute certain programs.) This bit is
+inherited by child processes and cannot be unset. See
+.BR prctl (2)
+and
+.I Documentation/\:prctl/\:no_\:new_\:privs.txt
+in the Linux kernel source.
+.sp
+The
+.I no_new_privs
+bit is supported since Linux 3.5.
+.TP
+.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
+Set the real, effective, or both GIDs. The \fIgid\fR argument can be
+given as a textual group name.
+.sp
+For safety, you must specify one of
+.BR \-\-clear\-groups ,
+.BR \-\-groups ,
+.BR \-\-keep\-groups ", or"
+.B \-\-init\-groups
+if you set any primary
+.IR gid .
+.TP
+.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
+Set the real, effective, or both UIDs. The \fIuid\fR argument can be
+given as a textual login name.
+.sp
+Setting a
+.I uid
+or
+.I gid
+does not change capabilities, although the exec call at the end might change
+capabilities. This means that, if you are root, you probably want to do
+something like:
+.sp
+.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-inh\-caps=\-all"
+.TP
+.BR \-\-securebits " (" + | \- ) \fIsecurebit ...
+Set or clear securebits. The argument is a comma-separated list.
+The valid securebits are
+.IR noroot ,
+.IR noroot_locked ,
+.IR no_setuid_fixup ,
+.IR no_setuid_fixup_locked ,
+and
+.IR keep_caps_locked .
+.I keep_caps
+is cleared by
+.BR execve (2)
+and is therefore not allowed.
+.TP
+.BR "\-\-pdeathsig keep" | clear | <signal>
+Keep, clear or set the parent death signal. Some LSMs, most notably SELinux and
+AppArmor, clear the signal when the process' credentials change. Using
+\fB\-\-pdeathsig keep\fR will restore the parent death signal after changing
+credentials to remedy that situation.
+.TP
+.BI \-\-selinux\-label " label"
+Request a particular SELinux transition (using a transition on exec, not
+dyntrans). This will fail and cause
+.B setpriv
+to abort if SELinux is not in use, and the transition may be ignored or cause
+.BR execve (2)
+to fail at SELinux's whim. (In particular, this is unlikely to work in
+conjunction with
+.IR no_new_privs .)
+This is similar to
+.BR runcon (1).
+.TP
+.BI \-\-apparmor\-profile " profile"
+Request a particular AppArmor profile (using a transition on exec). This will
+fail and cause
+.B setpriv
+to abort if AppArmor is not in use, and the transition may be ignored or cause
+.BR execve (2)
+to fail at AppArmor's whim.
+.TP
+.B \-\-reset\-env
+Clears all the environment variables except TERM; initializes the environment variables HOME, SHELL, USER, LOGNAME
+according to the user's passwd entry; sets PATH to \fI/usr/local/bin:/bin:/usr/bin\fR for a regular user and to
+\fI/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\fR for root.
+.sp
+The environment variable PATH may be different on systems where
+.I /bin
+and
+.I /sbin
+are merged into
+.IR /usr .
+The environment variable SHELL defaults to \fI/bin/sh\fR if none is given in the user's
+passwd entry.
+.TP
+.BR \-V , " \-\-version"
+Display version information and exit.
+.TP
+.BR \-h , " \-\-help"
+Display help text and exit.
+.SH NOTES
+If applying any specified option fails,
+.I program
+will not be run and
+.B setpriv
+will return with exit status 127.
+.PP
+Be careful with this tool \-\- it may have unexpected security consequences.
+For example, setting
+.I no_new_privs
+and then execing a program that is
+SELinux\-confined (as this tool would do) may prevent the SELinux
+restrictions from taking effect.
+.SH EXAMPLES
+If you're looking for behaviour similar to
+.BR su (1)/ runuser "(1), or " sudo (8)
+(without the
+.B \-g
+option), try something like:
+.sp
+.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-init\-groups"
+.PP
+If you want to mimic daemontools'
+.BR setuid (8),
+try:
+.sp
+.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-clear\-groups"
+.SH AUTHORS
+.MT luto@amacapital.net
+Andy Lutomirski
+.ME
+.SH SEE ALSO
+.BR runuser (1),
+.BR su (1),
+.BR prctl (2),
+.BR capabilities (7)
+.SH AVAILABILITY
+The
+.B setpriv
+command is part of the util-linux package and is available from
+.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
+Linux Kernel Archive
+.UE .