SETPRIV(1)                        User Commands                       SETPRIV(1)

NAME
       setpriv - run a program with different Linux privilege settings

SYNOPSIS
       setpriv [options] program [arguments]

DESCRIPTION
       Sets or queries various Linux privilege settings that are inherited
       across execve(2).

       In comparison to su(1) and runuser(1), setpriv(1) neither uses PAM, nor
       does it prompt for a password. It is a simple, non-set-user-ID wrapper
       around execve(2), and can be used to drop privileges in the same way as
       setuidgid(8) from daemontools, chpst(8) from runit, or similar tools
       shipped by other service managers.

OPTIONS
       --clear-groups
              Clear supplementary groups.

       -d, --dump
              Dump current privilege state. Can be specified more than once
              to show extra, mostly useless, information. Incompatible with
              all other options.

       --groups group...
              Set supplementary groups. The argument is a comma-separated
              list.

       --inh-caps (+|-)cap... or --ambient-caps (+|-)cap... or
       --bounding-set (+|-)cap...
              Set the inheritable capabilities, ambient capabilities or the
              capability bounding set. See capabilities(7). The argument is
              a comma-separated list of +cap and -cap entries, which add or
              remove an entry respectively. cap can either be a human-readable
              name as seen in capabilities(7) without the cap_ prefix or of
              the format cap_N, where N is the internal capability index used
              by Linux. +all and -all can be used to add or remove all caps.
              The set of capabilities starts out as the current inheritable
              set for --inh-caps, the current ambient set for --ambient-caps
              and the current bounding set for --bounding-set. If you drop
              something from the bounding set without also dropping it from
              the inheritable set, you are likely to become confused. Do not
              do that.

       --keep-groups
              Preserve supplementary groups. Only useful in conjunction with
              --rgid, --egid, or --regid.

       --init-groups
              Initialize supplementary groups using initgroups(3). Only useful
              in conjunction with --ruid or --reuid.

       --list-caps
              List all known capabilities. This option must be specified
              alone.

       --no-new-privs
              Set the no_new_privs bit. With this bit set, execve(2) will not
              grant new privileges. For example, the set-user-ID and set-
              group-ID bits as well as file capabilities will be disabled.
              (Executing binaries with these bits set will still work, but
              they will not gain privileges. Certain LSMs, especially
              AppArmor, may result in failures to execute certain programs.)
              This bit is inherited by child processes and cannot be unset.
              See prctl(2) and Documentation/prctl/no_new_privs.txt in the
              Linux kernel source.

              The no_new_privs bit is supported since Linux 3.5.

       --rgid gid, --egid gid, --regid gid
              Set the real, effective, or both GIDs. The gid argument can be
              given as a textual group name.

              For safety, you must specify one of --clear-groups, --groups,
              --keep-groups, or --init-groups if you set any primary gid.

       --ruid uid, --euid uid, --reuid uid
              Set the real, effective, or both UIDs. The uid argument can be
              given as a textual login name.

              Setting a uid or gid does not change capabilities, although the
              exec call at the end might change capabilities. This means
              that, if you are root, you probably want to do something like:

                     setpriv --reuid=1000 --regid=1000 --inh-caps=-all

       --securebits (+|-)securebit...
              Set or clear securebits. The argument is a comma-separated
              list. The valid securebits are noroot, noroot_locked,
              no_setuid_fixup, no_setuid_fixup_locked, and keep_caps_locked.
              keep_caps is cleared by execve(2) and is therefore not allowed.

       --selinux-label label
              Request a particular SELinux transition (using a transition on
              exec, not dyntrans). This will fail and cause setpriv(1) to
              abort if SELinux is not in use, and the transition may be
              ignored or cause execve(2) to fail at SELinux's whim. (In
              particular, this is unlikely to work in conjunction with
              no_new_privs.) This is similar to runcon(1).

       --apparmor-profile profile
              Request a particular AppArmor profile (using a transition on
              exec). This will fail and cause setpriv(1) to abort if AppArmor
              is not in use, and the transition may be ignored or cause
              execve(2) to fail at AppArmor's whim.

       -V, --version
              Display version information and exit.

       -h, --help
              Display help text and exit.
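
       Worked example of the capability-set arithmetic described under
       --inh-caps, --ambient-caps and --bounding-set, and of the bounding-set
       warning given there. This is added example code, not part of util-linux:
       it applies a +cap/-cap list to a starting set the way the option text
       describes, decodes the hex CapInh/CapAmb/CapBnd masks that
       /proc/PID/status (and setpriv --dump) show, and lists inheritable
       capabilities that are missing from the bounding set. The capability
       table is a constructed subset of capabilities(7).

```python
"""Capability-set arithmetic as setpriv's --inh-caps, --ambient-caps and
--bounding-set options describe it. Added example, not util-linux code:
CAP_INDEX is a constructed subset of capabilities(7); hex masks passed to
decode_mask are in the CapInh/CapAmb/CapBnd format of /proc/PID/status."""
import re

# Constructed subset of capabilities(7): name (without cap_ prefix) -> index.
CAP_INDEX = {
    "chown": 0, "dac_override": 1, "dac_read_search": 2, "fowner": 3,
    "fsetid": 4, "kill": 5, "setgid": 6, "setuid": 7, "setpcap": 8,
    "net_bind_service": 10, "net_admin": 12, "sys_chroot": 18,
    "sys_admin": 21, "sys_boot": 22,
}
CAP_NAME = {v: k for k, v in CAP_INDEX.items()}

def cap_index(name):
    """Resolve 'net_admin' or 'cap_12' to the Linux capability index."""
    m = re.fullmatch(r"cap_(\d+)", name)
    if m:
        return int(m.group(1))
    if name not in CAP_INDEX:
        raise ValueError("unknown capability: " + name)
    return CAP_INDEX[name]

def apply_spec(current, spec):
    """Apply a comma-separated '+cap,-cap' list to the starting set 'current'
    (a set of indices); +all/-all add or remove every known capability."""
    result = set(current)
    for entry in spec.split(","):
        if entry[:1] not in ("+", "-"):
            raise ValueError("entry must start with + or -: " + entry)
        add, name = entry[0] == "+", entry[1:]
        if name == "all":
            result = set(CAP_INDEX.values()) if add else set()
        elif add:
            result.add(cap_index(name))
        else:
            result.discard(cap_index(name))
    return result

def decode_mask(hex_mask):
    """Decode a CapInh/CapAmb/CapBnd hex mask into the set of indices it holds."""
    value = int(hex_mask, 16)
    return {i for i in range(64) if value >> i & 1}

def inh_not_in_bounding(inheritable, bounding):
    """The state the man page warns about: capabilities still inheritable after
    being dropped from the bounding set. Returns names, cap_N when unknown."""
    return sorted(CAP_NAME.get(i, "cap_%d" % i) for i in inheritable - bounding)
```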

NOTES
       If applying any specified option fails, the program will not be run
       and setpriv will return with exit code 127.

       Be careful with this tool -- it may have unexpected security
       consequences. For example, setting no_new_privs and then execing a
       program that is SELinux-confined (as this tool would do) may prevent
       the SELinux restrictions from taking effect.
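
       The --no-new-privs option and the note above both rest on the
       prctl(2) semantics of no_new_privs. As an added example (not util-linux
       code; Linux only, no root required), the following sets the bit in a
       forked child, shows that the kernel refuses to clear it, and shows that
       a freshly exec'd python still reports it set. PR_SET_NO_NEW_PRIVS=38 and
       PR_GET_NO_NEW_PRIVS=39 are the values from <linux/prctl.h>.

```python
"""What --no-new-privs does, shown with the prctl(2) call behind it: a forked
child sets the bit, finds that clearing it is refused, and execs a fresh python
that still reports the bit set. Added example, not util-linux code; Linux only,
no root needed. The option numbers are PR_SET_NO_NEW_PRIVS and
PR_GET_NO_NEW_PRIVS from <linux/prctl.h>."""
import ctypes
import os
import subprocess
import sys

PR_SET_NO_NEW_PRIVS = 38
PR_GET_NO_NEW_PRIVS = 39
libc = ctypes.CDLL(None, use_errno=True)

def prctl(option, arg2=0):
    """prctl(2) wrapper returning (return value, errno of the call)."""
    ret = libc.prctl(option, ctypes.c_ulong(arg2), 0, 0, 0)
    return ret, ctypes.get_errno()

def nnp_after_exec():
    """Exec a fresh python and return the no_new_privs bit it sees."""
    code = "import ctypes; print(ctypes.CDLL(None).prctl(39, 0, 0, 0, 0))"
    out = subprocess.run([sys.executable, "-c", code], capture_output=True, text=True)
    return int(out.stdout.strip())

def demonstrate_no_new_privs():
    """Do the experiment in a forked child so the calling process keeps its
    own state. Returns {'set': rc, 'clear_errno': errno, 'get': v, 'after_exec': v}."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the only process whose privilege state changes
        os.close(r)
        set_rc, _ = prctl(PR_SET_NO_NEW_PRIVS, 1)        # only arg2 == 1 is accepted
        _, clear_errno = prctl(PR_SET_NO_NEW_PRIVS, 0)   # refused with EINVAL (22)
        get_val, _ = prctl(PR_GET_NO_NEW_PRIVS)          # kernel now reports 1
        report = "%d %d %d %d" % (set_rc, clear_errno, get_val, nnp_after_exec())
        os.write(w, report.encode())
        os._exit(0)
    os.close(w)
    fields = os.read(r, 64).decode().split()
    os.close(r)
    os.waitpid(pid, 0)
    return {"set": int(fields[0]), "clear_errno": int(fields[1]),
            "get": int(fields[2]), "after_exec": int(fields[3])}

if __name__ == "__main__":
    print(demonstrate_no_new_privs())
```

       The bit survives the execve(2) into the second python exactly as it
       survives setpriv's own exec of program, which is why the SELinux caveat
       in the note above applies to everything run afterwards.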

EXAMPLE
       If you're looking for behaviour similar to su(1)/runuser(1), or sudo(8)
       (without the -g option), try something like:

              setpriv --reuid=1000 --regid=1000 --init-groups

       If you want to mimic daemontools' setuid(8), try:

              setpriv --reuid=1000 --regid=1000 --clear-groups

SEE ALSO
       runuser(1), su(1), prctl(2), capabilities(7)

AUTHOR
       Andy Lutomirski ⟨luto@amacapital.net⟩

AVAILABILITY
       The setpriv command is part of the util-linux package and is available
       from Linux Kernel Archive
       ⟨https://www.kernel.org/pub/linux/utils/util-linux/⟩.

util-linux                         July 2014                          SETPRIV(1)