223 lines
6.6 KiB
Groff
223 lines
6.6 KiB
Groff
.TH SETPRIV 1 "July 2014" "util-linux" "User Commands"
|
|
.SH NAME
|
|
setpriv \- run a program with different Linux privilege settings
|
|
.SH SYNOPSIS
|
|
.B setpriv
|
|
[options]
|
|
.I program
|
|
.RI [ arguments ]
|
|
.SH DESCRIPTION
|
|
Sets or queries various Linux privilege settings that are inherited across
|
|
.BR execve (2).
|
|
.PP
|
|
In comparison to
|
|
.BR su (1)
|
|
and
|
|
.BR runuser (1),
|
|
.BR setpriv (1)
|
|
neither uses PAM, nor does it prompt for a password.
|
|
It is a simple, non-set-user-ID wrapper around
|
|
.BR execve (2),
|
|
and can be used to drop privileges in the same way as
|
|
.BR setuidgid (8)
|
|
from
|
|
.BR daemontools ,
|
|
.BR chpst (8)
|
|
from
|
|
.BR runit ,
|
|
or similar tools shipped by other service managers.
|
|
.SH OPTION
|
|
.TP
|
|
.B \-\-clear\-groups
|
|
Clear supplementary groups.
|
|
.TP
|
|
.BR \-d , " \-\-dump"
|
|
Dump current privilege state. Can be specified more than once to show extra,
|
|
mostly useless, information. Incompatible with all other options.
|
|
.TP
|
|
.B \-\-groups \fIgroup\fR...
|
|
Set supplementary groups. The argument is a comma-separated list of GIDs or names.
|
|
.TP
|
|
.BR \-\-inh\-caps " (" + | \- ) \fIcap "... or " \-\-ambient-caps " (" + | \- ) \fIcap "... or " \-\-bounding\-set " (" + | \- ) \fIcap ...
|
|
Set the inheritable capabilities, ambient capabilities or the capability bounding set. See
|
|
.BR capabilities (7).
|
|
The argument is a comma-separated list of
|
|
.BI + cap
|
|
and
|
|
.BI \- cap
|
|
entries, which add or remove an entry respectively. \fIcap\fR can either be a
|
|
human-readable name as seen in
|
|
.BR capabilities (7)
|
|
without the \fIcap_\fR prefix or of the format
|
|
.BI cap_N ,
|
|
where \fIN\fR is the internal capability index used by Linux.
|
|
.B +all
|
|
and
|
|
.B \-all
|
|
can be used to add or remove all caps. The set of capabilities starts out as
|
|
the current inheritable set for
|
|
.BR \-\-inh\-caps ,
|
|
the current ambient set for
|
|
.B \-\-ambient\-caps
|
|
and the current bounding set for
|
|
.BR \-\-bounding\-set .
|
|
If you drop something from the bounding set without also dropping it from the
|
|
inheritable set, you are likely to become confused. Do not do that.
|
|
.TP
|
|
.B \-\-keep\-groups
|
|
Preserve supplementary groups. Only useful in conjunction with
|
|
.BR \-\-rgid ,
|
|
.BR \-\-egid ", or"
|
|
.BR \-\-regid .
|
|
.TP
|
|
.B \-\-init\-groups
|
|
Initialize supplementary groups using
|
|
.BR initgroups "(3)."
|
|
Only useful in conjunction with
|
|
.B \-\-ruid
|
|
or
|
|
.BR \-\-reuid .
|
|
.TP
|
|
.B \-\-list\-caps
|
|
List all known capabilities. This option must be specified alone.
|
|
.TP
|
|
.B \-\-no\-new\-privs
|
|
Set the
|
|
.I no_new_privs
|
|
bit. With this bit set,
|
|
.BR execve (2)
|
|
will not grant new privileges.
|
|
For example, the set-user-ID and set-group-ID bits as well
|
|
as file capabilities will be disabled. (Executing binaries with these bits set
|
|
will still work, but they will not gain privileges. Certain LSMs, especially
|
|
AppArmor, may result in failures to execute certain programs.) This bit is
|
|
inherited by child processes and cannot be unset. See
|
|
.BR prctl (2)
|
|
and
|
|
.I Documentation/\:prctl/\:no_\:new_\:privs.txt
|
|
in the Linux kernel source.
|
|
.sp
|
|
The no_new_privs bit is supported since Linux 3.5.
|
|
.TP
|
|
.BI \-\-rgid " gid\fR, " \-\-egid " gid\fR, " \-\-regid " gid"
|
|
Set the real, effective, or both GIDs. The \fIgid\fR argument can be
|
|
given as textual group name.
|
|
.sp
|
|
For safety, you must specify one of
|
|
.BR \-\-clear\-groups ,
|
|
.BR \-\-groups ,
|
|
.BR \-\-keep\-groups ", or"
|
|
.B \-\-init\-groups
|
|
if you set any primary
|
|
.IR gid .
|
|
.TP
|
|
.BI \-\-ruid " uid\fR, " \-\-euid " uid\fR, " \-\-reuid " uid"
|
|
Set the real, effective, or both UIDs. The \fIuid\fR argument can be
|
|
given as textual login name.
|
|
.sp
|
|
Setting a
|
|
.I uid
|
|
or
|
|
.I gid
|
|
does not change capabilities, although the exec call at the end might change
|
|
capabilities. This means that, if you are root, you probably want to do
|
|
something like:
|
|
.sp
|
|
.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-inh\-caps=\-all"
|
|
.TP
|
|
.BR \-\-securebits " (" + | \- ) \fIsecurebit ...
|
|
Set or clear securebits. The argument is a comma-separated list.
|
|
The valid securebits are
|
|
.IR noroot ,
|
|
.IR noroot_locked ,
|
|
.IR no_setuid_fixup ,
|
|
.IR no_setuid_fixup_locked ,
|
|
and
|
|
.IR keep_caps_locked .
|
|
.I keep_caps
|
|
is cleared by
|
|
.BR execve (2)
|
|
and is therefore not allowed.
|
|
.TP
|
|
.BR "\-\-pdeathsig keep" | clear | <signal>
|
|
Keep, clear or set the parent death signal. Some LSMs, most notably SELinux and
|
|
AppArmor, clear the signal when the process' credentials change. Using
|
|
\fB--pdeathsig keep\fR will restore the parent death signal after changing
|
|
credentials to remedy that situation.
|
|
.TP
|
|
.BI \-\-selinux\-label " label"
|
|
Request a particular SELinux transition (using a transition on exec, not
|
|
dyntrans). This will fail and cause
|
|
.BR setpriv (1)
|
|
to abort if SELinux is not in use, and the transition may be ignored or cause
|
|
.BR execve (2)
|
|
to fail at SELinux's whim. (In particular, this is unlikely to work in
|
|
conjunction with
|
|
.IR no_new_privs .)
|
|
This is similar to
|
|
.BR runcon (1).
|
|
.TP
|
|
.BI \-\-apparmor\-profile " profile"
|
|
Request a particular AppArmor profile (using a transition on exec). This will
|
|
fail and cause
|
|
.BR setpriv (1)
|
|
to abort if AppArmor is not in use, and the transition may be ignored or cause
|
|
.BR execve (2)
|
|
to fail at AppArmor's whim.
|
|
.TP
|
|
.BI \-\-reset\-env
|
|
Clears all the environment variables except TERM; initializes the environment variables HOME, SHELL, USER, LOGNAME
|
|
according to the user's passwd entry; sets PATH to \fI/usr/local/bin:/bin:/usr/bin\fR for a regual user and to
|
|
\fI/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\fR for root.
|
|
.sp
|
|
The environment variable PATH may be different on systems where /bin and /sbin
|
|
are merged into /usr. The environment variable SHELL defaults to \fI/bin/sh\fR if none is given in the user's
|
|
passwd entry.
|
|
.TP
|
|
.BR \-V , " \-\-version"
|
|
Display version information and exit.
|
|
.TP
|
|
.BR \-h , " \-\-help"
|
|
Display help text and exit.
|
|
.SH NOTES
|
|
If applying any specified option fails,
|
|
.I program
|
|
will not be run and
|
|
.B setpriv
|
|
will return with exit code 127.
|
|
.PP
|
|
Be careful with this tool \-\- it may have unexpected security consequences.
|
|
For example, setting no_new_privs and then execing a program that is
|
|
SELinux\-confined (as this tool would do) may prevent the SELinux
|
|
restrictions from taking effect.
|
|
.SH EXAMPLE
|
|
If you're looking for behaviour similar to
|
|
.BR su (1)/ runuser "(1), or " sudo (8)
|
|
(without the
|
|
.B -g
|
|
option), try something like:
|
|
.sp
|
|
.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-init\-groups"
|
|
.PP
|
|
If you want to mimic daemontools'
|
|
.BR setuid (8),
|
|
try:
|
|
.sp
|
|
.B " setpriv \-\-reuid=1000 \-\-regid=1000 \-\-clear\-groups"
|
|
.SH SEE ALSO
|
|
.BR runuser (1),
|
|
.BR su (1),
|
|
.BR prctl (2),
|
|
.BR capabilities (7)
|
|
.SH AUTHOR
|
|
.MT luto@amacapital.net
|
|
Andy Lutomirski
|
|
.ME
|
|
.SH AVAILABILITY
|
|
The
|
|
.B setpriv
|
|
command is part of the util-linux package and is available from
|
|
.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
|
|
Linux Kernel Archive
|
|
.UE .
|