SETPRIV(1)                       User Commands                      SETPRIV(1)

NAME

       setpriv - run a program with different Linux privilege settings


SYNOPSIS

       setpriv [options] program [arguments]


DESCRIPTION

       Sets or queries various Linux privilege settings that are inherited
       across execve(2).

       In comparison to su(1) and runuser(1), setpriv(1) neither uses PAM, nor
       does it prompt for a password. It is a simple, non-set-user-ID wrapper
       around execve(2), and can be used to drop privileges in the same way as
       setuidgid(8) from daemontools, chpst(8) from runit, or similar tools
       shipped by other service managers.


OPTIONS

       --clear-groups
              Clear supplementary groups.

       -d, --dump
              Dump current privilege state. Can be specified more than once
              to show extra, mostly useless, information. Incompatible with
              all other options.

       --groups group...
              Set supplementary groups. The argument is a comma-separated
              list.

       --inh-caps (+|-)cap... or --ambient-caps (+|-)cap... or
       --bounding-set (+|-)cap...
              Set the inheritable capabilities, ambient capabilities or the
              capability bounding set. See capabilities(7). The argument is
              a comma-separated list of +cap and -cap entries, which add or
              remove an entry respectively. cap can either be a human-readable
              name as seen in capabilities(7) without the cap_ prefix or of
              the format cap_N, where N is the internal capability index used
              by Linux. +all and -all can be used to add or remove all caps.
              The set of capabilities starts out as the current inheritable
              set for --inh-caps, the current ambient set for --ambient-caps
              and the current bounding set for --bounding-set. If you drop
              something from the bounding set without also dropping it from
              the inheritable set, you are likely to become confused. Do not
              do that.

       --keep-groups
              Preserve supplementary groups. Only useful in conjunction with
              --rgid, --egid, or --regid.

       --init-groups
              Initialize supplementary groups using initgroups(3). Only
              useful in conjunction with --ruid or --reuid.

       --list-caps
              List all known capabilities. This option must be specified
              alone.

       --no-new-privs
              Set the no_new_privs bit. With this bit set, execve(2) will not
              grant new privileges. For example, the set-user-ID and
              set-group-ID bits as well as file capabilities will be disabled.
              (Executing binaries with these bits set will still work, but
              they will not gain privileges. Certain LSMs, especially
              AppArmor, may result in failures to execute certain programs.)
              This bit is inherited by child processes and cannot be unset.
              See prctl(2) and Documentation/prctl/no_new_privs.txt in the
              Linux kernel source.

              The no_new_privs bit is supported since Linux 3.5.

       --rgid gid, --egid gid, --regid gid
              Set the real, effective, or both GIDs. The gid argument can be
              given as a textual group name.

              For safety, you must specify one of --clear-groups, --groups,
              --keep-groups, or --init-groups if you set any primary gid.

       --ruid uid, --euid uid, --reuid uid
              Set the real, effective, or both UIDs. The uid argument can be
              given as a textual login name.

              Setting a uid or gid does not change capabilities, although the
              exec call at the end might change capabilities. This means
              that, if you are root, you probably want to do something like:

                      setpriv --reuid=1000 --regid=1000 --inh-caps=-all

       --securebits (+|-)securebit...
              Set or clear securebits. The argument is a comma-separated
              list. The valid securebits are noroot, noroot_locked,
              no_setuid_fixup, no_setuid_fixup_locked, and keep_caps_locked.
              keep_caps is cleared by execve(2) and is therefore not allowed.

       --selinux-label label
              Request a particular SELinux transition (using a transition on
              exec, not dyntrans). This will fail and cause setpriv(1) to
              abort if SELinux is not in use, and the transition may be
              ignored or cause execve(2) to fail at SELinux's whim. (In
              particular, this is unlikely to work in conjunction with
              no_new_privs.) This is similar to runcon(1).

       --apparmor-profile profile
              Request a particular AppArmor profile (using a transition on
              exec). This will fail and cause setpriv(1) to abort if AppArmor
              is not in use, and the transition may be ignored or cause
              execve(2) to fail at AppArmor's whim.

       -V, --version
              Display version information and exit.

       -h, --help
              Display help text and exit.


NOTES

       If applying any specified option fails, program will not be run and
       setpriv will return with exit code 127.

       Be careful with this tool -- it may have unexpected security
       consequences. For example, setting no_new_privs and then execing a
       program that is SELinux-confined (as this tool would do) may prevent
       the SELinux restrictions from taking effect.


EXAMPLE

       If you're looking for behaviour similar to su(1)/runuser(1), or sudo(8)
       (without the -g option), try something like:

           setpriv --reuid=1000 --regid=1000 --init-groups

       If you want to mimic daemontools' setuidgid(8), try:

           setpriv --reuid=1000 --regid=1000 --clear-groups


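       The launcher helper below is an added example written for this page;
       it is not part of util-linux or of setpriv(1) itself. It assembles the
       root-dropping command line that the --ruid/--reuid text and the
       examples above describe (drop uid and gid, pick one of the
       supplementary-group options, clear the inheritable and bounding
       capability sets together, set no_new_privs), enforces the "for safety"
       rule that a primary gid must be accompanied by a group option, and
       reads the NoNewPrivs field of /proc/self/status so that the effect of
       --no-new-privs can be confirmed from inside the exec'd program. The
       function names, the www-data user and the /usr/sbin/example-daemon
       path are assumptions of this example; the NoNewPrivs field is provided
       by recent Linux kernels and is not documented on this page.

```shell
#!/bin/sh
# Added example (not util-linux code): a launcher helper around setpriv(1).
# Function names, the www-data user and the daemon path are assumptions.

# build_drop_cmd USER GROUP [GROUP_MODE]
# Print the setpriv options for dropping from root to USER:GROUP.
# GROUP_MODE is init (default, like su/runuser), clear (like daemontools'
# setuidgid) or keep; each maps to one of the group options the man page
# requires whenever a primary gid is set.
build_drop_cmd() {
    user=$1; group=$2; mode=${3:-init}
    case "$mode" in
        init)  grp_opt=--init-groups ;;
        clear) grp_opt=--clear-groups ;;
        keep)  grp_opt=--keep-groups ;;
        *) echo "build_drop_cmd: unknown group mode '$mode'" >&2; return 1 ;;
    esac
    # Changing uid/gid leaves capabilities alone, so drop the inheritable
    # set and the bounding set together (dropping only the bounding set is
    # the confusing state the man page warns about). no_new_privs stops the
    # exec'd program from regaining privilege through set-user-ID bits or
    # file capabilities.
    printf '%s\n' "--reuid=$user --regid=$group $grp_opt --inh-caps=-all --bounding-set=-all --no-new-privs"
}

# check_gid_safety OPTS
# Succeed if OPTS either sets no primary gid, or sets one together with
# --clear-groups, --groups, --keep-groups or --init-groups (the man page's
# "for safety" rule). Both "--opt=value" and "--opt value" spellings count.
check_gid_safety() {
    sets_gid=0; has_groups=0
    for o in $1; do
        case "$o" in
            --rgid|--egid|--regid|--rgid=*|--egid=*|--regid=*) sets_gid=1 ;;
            --clear-groups|--keep-groups|--init-groups|--groups|--groups=*) has_groups=1 ;;
        esac
    done
    [ "$sets_gid" -eq 0 ] || [ "$has_groups" -eq 1 ]
}

# no_new_privs_bit
# Print the NoNewPrivs value (0 or 1) of the calling process, read from
# /proc/self/status, or "unknown" where the field is not available. Call it
# from a shell started by "setpriv --no-new-privs sh" to confirm the bit
# survived the exec.
no_new_privs_bit() {
    v=$(awk '/^NoNewPrivs:/ { print $2 }' /proc/self/status 2>/dev/null)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# run_dropped USER GROUP PROGRAM [ARGS...]
# Replace the current shell with PROGRAM running under the assembled
# settings. Only meaningful as root with setpriv installed; as the NOTES
# section says, setpriv exits 127 without running PROGRAM if any option
# cannot be applied.
run_dropped() {
    user=$1; group=$2; shift 2
    opts=$(build_drop_cmd "$user" "$group") || return 1
    check_gid_safety "$opts" || {
        echo "run_dropped: primary gid set without a group option" >&2
        return 1
    }
    # Word-splitting $opts into separate arguments is intended here.
    # shellcheck disable=SC2086
    exec setpriv $opts "$@"
}

# Show what a service manager would execute for a www-data worker.
printf 'setpriv %s /usr/sbin/example-daemon\n' "$(build_drop_cmd www-data www-data clear)"
```

       To inspect the state a child actually ends up in, pass setpriv's own
       --dump as the program, for example
       run_dropped www-data www-data setpriv --dump, and compare the printed
       uid, gid, group list and capability sets with what was requested.
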
SEE ALSO

       runuser(1), su(1), prctl(2), capabilities(7)


AUTHOR

       Andy Lutomirski ⟨luto@amacapital.net⟩


AVAILABILITY

       The setpriv command is part of the util-linux package and is available
       from Linux Kernel Archive
       ⟨https://www.kernel.org/pub/linux/utils/util-linux/⟩.



util-linux                         July 2014                        SETPRIV(1)