SETPRIV(1) User Commands SETPRIV(1)

NAME
setpriv - run a program with different Linux privilege settings

SYNOPSIS
setpriv [options] program [arguments]

DESCRIPTION
Sets or queries various Linux privilege settings that are inherited
across execve(2).

In comparison to su(1) and runuser(1), setpriv neither uses PAM, nor
does it prompt for a password. It is a simple, non-set-user-ID wrapper
around execve(2), and can be used to drop privileges in the same way as
setuidgid(8) from daemontools, chpst(8) from runit, or similar tools
shipped by other service managers.

OPTIONS
--clear-groups
Clear supplementary groups.

-d, --dump
Dump the current privilege state. This option can be specified
more than once to show extra, mostly useless, information.
Incompatible with all other options.

--groups group...
Set supplementary groups. The argument is a comma-separated
list of GIDs or names.

--inh-caps (+|-)cap... or --ambient-caps (+|-)cap... or --bounding-set (+|-)cap...
Set the inheritable capabilities, ambient capabilities or the
capability bounding set. See capabilities(7). The argument is
a comma-separated list of +cap and -cap entries, which add or
remove an entry respectively. cap can either be a human-readable
name as seen in capabilities(7) without the cap_ prefix or of
the format cap_N, where N is the internal capability index used
by Linux. +all and -all can be used to add or remove all caps.

The set of capabilities starts out as the current inheritable
set for --inh-caps, the current ambient set for --ambient-caps
and the current bounding set for --bounding-set.

Note the following restrictions (detailed in capabilities(7))
regarding modifications to these capability sets:

* A capability can be added to the inheritable set only if it is
currently present in the bounding set.

* A capability can be added to the ambient set only if it is
currently present in both the permitted and inheritable sets.

* Notwithstanding the syntax offered by setpriv, the kernel does
not permit capabilities to be added to the bounding set.

If you drop a capability from the bounding set without also
dropping it from the inheritable set, you are likely to become
confused. Do not do that.
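
The three restrictions above can be checked before invoking setpriv. The following is an added example, not util-linux code: it reads the 64-bit hex masks in the format of /proc/<pid>/status (CapInh, CapPrm, CapBnd) and answers whether a "+cap_N" request on a given set would be accepted. The helper names cap_bit, cap_add_allowed and current_mask are this example's own; the demo uses cap_21, which is CAP_SYS_ADMIN on Linux.

```shell
#!/bin/sh
# Added example, not part of util-linux: decide whether a "+cap" request
# on one of the three sets would be accepted, using the rules listed
# above. Masks are 64-bit hex strings as shown in /proc/<pid>/status
# (CapInh, CapPrm, CapBnd); the helper names are this example's own.

# cap_bit MASK N -> prints 1 if bit N of hex MASK is set, else 0
cap_bit() {
    printf '%s\n' "$(( (0x${1:-0} >> $2) & 1 ))"
}

# cap_add_allowed SET N INH PRM BND
#   SET is inh, ambient or bounding; N is the cap_N index used by Linux;
#   INH, PRM and BND are the current inheritable, permitted and bounding
#   masks. Returns 0 if "+cap_N" on SET is permitted, 1 if not.
cap_add_allowed() {
    set_name=$1 n=$2 inh=$3 prm=$4 bnd=$5
    case $set_name in
    inh)
        # inheritable: the cap must currently be in the bounding set
        [ "$(cap_bit "$bnd" "$n")" -eq 1 ]
        ;;
    ambient)
        # ambient: the cap must be in both permitted and inheritable
        [ "$(cap_bit "$prm" "$n")" -eq 1 ] && [ "$(cap_bit "$inh" "$n")" -eq 1 ]
        ;;
    bounding)
        # the kernel never lets a process add to its bounding set
        return 1
        ;;
    *)
        echo "unknown set: $set_name" >&2
        return 2
        ;;
    esac
}

# current_mask KEY -> the hex mask for KEY (e.g. CapBnd) of this process,
# read from /proc/self/status; all-zero when /proc is unavailable.
current_mask() {
    if [ -r /proc/self/status ]; then
        awk -v k="$1:" '$1 == k { print $2; exit }' /proc/self/status
    else
        printf '0000000000000000\n'
    fi
}

# Demo: could this process add CAP_SYS_ADMIN (cap_21) to its ambient set?
# For an unprivileged shell the answer is normally "rejected", because the
# cap is in neither its permitted nor its inheritable set.
if cap_add_allowed ambient 21 "$(current_mask CapInh)" "$(current_mask CapPrm)" "$(current_mask CapBnd)"; then
    echo "+cap_21 on the ambient set would be accepted"
else
    echo "+cap_21 on the ambient set would be rejected"
fi
```

Run the script as the user that will later invoke setpriv: a "rejected" answer for an ambient request means the corresponding --ambient-caps=+cap would make setpriv abort with exit status 127 rather than silently doing nothing.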

--keep-groups
Preserve supplementary groups. Only useful in conjunction with
--rgid, --egid, or --regid.

--init-groups
Initialize supplementary groups using initgroups(3). Only useful
in conjunction with --ruid or --reuid.

--list-caps
List all known capabilities. This option must be specified
alone.

--no-new-privs
Set the no_new_privs bit. With this bit set, execve(2) will not
grant new privileges. For example, the set-user-ID and set-
group-ID bits as well as file capabilities will be disabled.
(Executing binaries with these bits set will still work, but
they will not gain privileges. Certain LSMs, especially AppArmor,
may result in failures to execute certain programs.) This
bit is inherited by child processes and cannot be unset. See
prctl(2) and Documentation/prctl/no_new_privs.txt in the Linux
kernel source.

The no_new_privs bit is supported since Linux 3.5.

--rgid gid, --egid gid, --regid gid
Set the real, effective, or both GIDs. The gid argument can be
given as a textual group name.

For safety, you must specify one of --clear-groups, --groups,
--keep-groups, or --init-groups if you set any primary gid.

--ruid uid, --euid uid, --reuid uid
Set the real, effective, or both UIDs. The uid argument can be
given as a textual login name.

Setting a uid or gid does not change capabilities, although the
exec call at the end might change capabilities. This means
that, if you are root, you probably want to do something like:

setpriv --reuid=1000 --regid=1000 --inh-caps=-all

--securebits (+|-)securebit...
Set or clear securebits. The argument is a comma-separated
list. The valid securebits are noroot, noroot_locked,
no_setuid_fixup, no_setuid_fixup_locked, and keep_caps_locked.
keep_caps is cleared by execve(2) and is therefore not allowed.

--pdeathsig keep|clear|<signal>
Keep, clear or set the parent death signal. Some LSMs, most
notably SELinux and AppArmor, clear the signal when the process'
credentials change. Using --pdeathsig keep will restore the
parent death signal after changing credentials to remedy that
situation.

--selinux-label label
Request a particular SELinux transition (using a transition on
exec, not dyntrans). This will fail and cause setpriv to abort
if SELinux is not in use, and the transition may be ignored or
cause execve(2) to fail at SELinux's whim. (In particular, this
is unlikely to work in conjunction with no_new_privs.) This is
similar to runcon(1).

--apparmor-profile profile
Request a particular AppArmor profile (using a transition on
exec). This will fail and cause setpriv to abort if AppArmor is
not in use, and the transition may be ignored or cause execve(2)
to fail at AppArmor's whim.

--reset-env
Clears all the environment variables except TERM; initializes
the environment variables HOME, SHELL, USER, LOGNAME according
to the user's passwd entry; sets PATH to
/usr/local/bin:/bin:/usr/bin for a regular user and to
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin for
root.

The environment variable PATH may be different on systems where
/bin and /sbin are merged into /usr. The environment variable
SHELL defaults to /bin/sh if none is given in the user's passwd
entry.

-V, --version
Display version information and exit.

-h, --help
Display help text and exit.

NOTES
If applying any specified option fails, program will not be run and
setpriv will return with exit status 127.

Be careful with this tool -- it may have unexpected security consequences.
For example, setting no_new_privs and then execing a program
that is SELinux-confined (as this tool would do) may prevent the
SELinux restrictions from taking effect.

EXAMPLES
If you're looking for behaviour similar to su(1)/runuser(1), or sudo(8)
(without the -g option), try something like:

setpriv --reuid=1000 --regid=1000 --init-groups

If you want to mimic daemontools' setuid(8), try:

setpriv --reuid=1000 --regid=1000 --clear-groups

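
A drop like the two above is only as good as what the child actually ends up with, so it is worth checking the child's /proc/self/status afterwards. The following is an added example, not util-linux code: privs_dropped takes the text of a status file and accepts it only if every Uid and Gid value is the target id, the inheritable, permitted, effective and ambient capability masks are zero, and NoNewPrivs is 1 (the state produced by adding --inh-caps=-all and --no-new-privs, as the --ruid description recommends for root). run_dropped performs the real drop and is only attempted when running as root with setpriv installed; the two SAMPLE_* status texts are constructed, not captured from a real system, and all helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of util-linux: verify that a privilege drop done
# with setpriv really took effect by inspecting the child's
# /proc/self/status. Expected state assumes --inh-caps=-all and
# --no-new-privs were passed as well. Helper names are this example's own.

# status_field TEXT KEY -> prints the first value after "KEY:" in TEXT
status_field() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2; exit }'
}

# privs_dropped TEXT WANT_ID
#   TEXT is the content of /proc/<pid>/status. Returns 0 only when all four
#   Uid and Gid values equal WANT_ID, the inheritable, permitted, effective
#   and ambient capability masks are zero, and NoNewPrivs is 1. Every
#   failed check is reported on stderr.
privs_dropped() {
    text=$1 want=$2 ok=0
    for key in Uid Gid; do
        # real, effective, saved and filesystem ids must all have changed
        ids=$(printf '%s\n' "$text" | awk -v k="$key:" '$1 == k { print $2, $3, $4, $5; exit }')
        [ "$ids" = "$want $want $want $want" ] || { echo "$key not fully changed: $ids" >&2; ok=1; }
    done
    for key in CapInh CapPrm CapEff CapAmb; do
        mask=$(status_field "$text" "$key")
        [ "$((0x${mask:-0}))" -eq 0 ] || { echo "$key still non-zero: $mask" >&2; ok=1; }
    done
    [ "$(status_field "$text" NoNewPrivs)" = "1" ] || { echo "no_new_privs bit is not set" >&2; ok=1; }
    return $ok
}

# run_dropped UID -> as root, drop to UID like the daemontools-style example
# above, plus the capability and no_new_privs options, and print the child's
# status. --clear-groups is used so that UID needs no passwd entry.
run_dropped() {
    setpriv --reuid="$1" --regid="$1" --clear-groups --inh-caps=-all --no-new-privs \
        cat /proc/self/status
}

# Constructed sample of a correctly dropped child (not captured from a real
# system): user 1000, no capabilities, no_new_privs set.
SAMPLE_GOOD=$(printf 'Name:\tcat\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000\nNoNewPrivs:\t1\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n')

# Constructed sample of a drop that omitted --inh-caps=-all and
# --no-new-privs: cap_21 (CAP_SYS_ADMIN) survived in the inheritable set.
SAMPLE_BAD=$(printf 'Name:\tcat\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000\nNoNewPrivs:\t0\nCapInh:\t0000000000200000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n')

if [ "$(id -u)" -eq 0 ] && command -v setpriv >/dev/null 2>&1; then
    # live check, only meaningful as root; uid 65534 is the usual "nobody"
    if privs_dropped "$(run_dropped 65534)" 65534; then
        echo "live drop to uid 65534 verified"
    else
        echo "live drop to uid 65534 is incomplete"
    fi
else
    privs_dropped "$SAMPLE_GOOD" 1000 && echo "constructed good sample passes"
    privs_dropped "$SAMPLE_BAD" 1000 || echo "constructed bad sample is rejected, as intended"
fi
```

The check deliberately ignores CapBnd: the bounding set still limits what the child can regain through file capabilities, but it is not cleared by a uid change, so a non-zero value there is normal. Supplementary groups are not compared either, since the expected set depends on whether --init-groups or --clear-groups was used.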
AUTHORS
Andy Lutomirski ⟨luto@amacapital.net⟩

SEE ALSO
runuser(1), su(1), prctl(2), capabilities(7)

AVAILABILITY
The setpriv command is part of the util-linux package and is available
from Linux Kernel Archive ⟨https://www.kernel.org/pub/linux/utils/util-linux/⟩.

util-linux July 2014 SETPRIV(1)