CAPSH(1)                         User Commands                        CAPSH(1)

NAME
       capsh - capability shell wrapper

SYNOPSIS
       capsh [OPTION]...

DESCRIPTION
       Linux capability support and use can be explored and constrained with
       this tool. It provides a handy wrapper for certain types of capability
       testing and environment creation. It also provides some debugging
       features useful for summarizing capability state.

       The tool takes a number of optional arguments, acting on them in the
       order they are provided. They are as follows:

       --print
              Display prevailing capability and related state.

       -- [args]
              Execute /bin/bash with trailing arguments. Note, you can use
              -c 'command to execute' for specific commands.

       ==
              Execute capsh again with remaining arguments. Useful for
              testing exec() behavior.

       --caps=cap-set
              Set the prevailing process capabilities to those specified by
              cap-set, where cap-set is a text representation of capability
              state as per cap_from_text(3).

       --drop=cap-list
              Remove the listed capabilities from the prevailing bounding
              set. The capabilities are a comma separated list of
              capabilities as recognized by the cap_from_name(3) function.
              Use of this feature requires that the capsh program is
              operating with CAP_SETPCAP in its effective set.

       --inh=cap-list
              Set the inheritable set of capabilities for the current process
              to equal those provided in the comma separated list. For this
              action to succeed, the prevailing process should already have
              each of these capabilities in the union of the current
              inheritable and permitted capability sets, or the capsh program
              is operating with CAP_SETPCAP in its effective set. Note that,
              for a non-root process, inheritable capabilities only survive
              an exec() into the new program's permitted set where the
              executed file also carries the corresponding inheritable file
              capability bits (see setcap(8)); a file without file
              capabilities, such as an unmodified /bin/bash, retains none of
              them.

       --user=username
              Assume the identity of the named user. That is, look up the
              user's uid and gid with getpwnam(3) and their group
              memberships with getgrouplist(3) and set them all.

       --uid=id
              Force all uid values to equal id using the setuid(2) system
              call.

       --gid=id
              Force all gid values to equal id using the setgid(2) system
              call.

       --groups=id-list
              Set the supplementary groups to the numerical list provided.
              The groups are set with the setgroups(2) system call.

       --keep=<0|1>
              In a non-pure capability mode, the kernel provides liberal
              privilege to the super-user. However, it is normally the case
              that when the super-user changes uid to some lesser user, its
              capabilities are dropped. For these situations, the kernel can
              permit the process to retain its capabilities after a
              setuid(2) system call. This feature is known as keep-caps
              support, and this argument controls it. Setting the value to 1
              makes keep-caps active; setting it to 0 deactivates keep-caps
              for the current process. Note that keep-caps preserves only the
              permitted set: when the effective uid changes from 0 to
              non-zero the effective set is cleared regardless, so a
              subsequent --caps argument is needed to raise the retained
              capabilities back into the effective set (for example,
              --keep=1 --user=nobody --caps=cap_net_bind_service+ep). In all
              cases, keep-caps is deactivated when an exec() is performed.
              See --secbits for ways to disable this feature.

       --secbits=N
              Set the process securebits to N via prctl(2) PR_SET_SECUREBITS;
              see capabilities(7). This requires CAP_SETPCAP in the effective
              set. N is the bitwise OR of:

              1   SECBIT_NOROOT: the kernel does not grant capabilities when
                  a set-user-ID-root program is executed, or when a process
                  with a real or effective uid of 0 calls exec().
              2   SECBIT_NOROOT_LOCKED
              4   SECBIT_NO_SETUID_FIXUP: the kernel does not adjust the
                  permitted and effective sets when the effective and
                  filesystem uids are switched between 0 and non-zero.
              8   SECBIT_NO_SETUID_FIXUP_LOCKED
              16  SECBIT_KEEP_CAPS: the same setting as --keep=1.
              32  SECBIT_KEEP_CAPS_LOCKED

              Each _LOCKED bit makes the corresponding setting irreversible
              for this process and its descendants, and cannot itself be
              cleared. For example, --secbits=32 (SECBIT_KEEP_CAPS_LOCKED
              with SECBIT_KEEP_CAPS clear) disables keep-caps permanently,
              which is the way to disable the feature referred to under
              --keep.

       --chroot=path
              Execute the chroot(2) system call with the new root directory
              (/) equal to path. This operation requires CAP_SYS_CHROOT to be
              in effect.

       --forkfor=sec
              Fork a child process. The child sleeps for sec seconds and
              then exits with status 0, while the parent carries on
              processing the remaining arguments. Combined with --killit,
              this tests whether the parent can still signal the child after
              it has changed identity or capabilities.

       --killit=sig
              Send signal number sig with kill(2) to the child created by an
              earlier --forkfor argument, then wait for it to exit. capsh
              exits with status 1 if there is no such child or if kill(2)
              fails (for example because the parent has dropped CAP_KILL and
              changed uid).

       --decode=N
              This is a convenience feature. If you look at /proc/1/status
              there are some capability related fields of the following
              form:

              CapInh: 0000000000000000
              CapPrm: ffffffffffffffff
              CapEff: fffffffffffffeff
              CapBnd: ffffffffffffffff

              This option provides a quick way to decode a capability vector
              represented in this form. For example, the capability missing
              from this effective set is 0x0100 (bit 8). By running:

              capsh --decode=0x0100

              we observe that the missing capability is: cap_setpcap.

       --supports=xxx
              As the kernel evolves, more capabilities are added. This option
              can be used to verify the existence of a capability on the
              system. For example, --supports=cap_syslog will cause capsh to
              promptly exit with a status of 1 when run on kernel 2.6.27.
              However, when run on kernel 2.6.38, the kernel that introduced
              CAP_SYSLOG, it will silently succeed.
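
       The following shell functions are an added illustration and are not
       part of libcap or the capsh program. They reproduce the decoding that
       --decode performs, using the kernel's capability numbering, and apply
       it to status lines of the form quoted under --decode to report which
       bounding-set capabilities are absent from the effective set, the
       comparison that the --decode walkthrough does by hand. The function
       names are this example's own; the sample status text is constructed
       from the values quoted above; and the cap_N fallback for numbers
       beyond the table is this example's convention, not capsh's. The mask
       is split into two 32-bit halves so that a value with bit 63 set never
       has to fit in a signed shell integer. Plain POSIX sh; neither root nor
       capsh is needed to run it.

```shell
#!/bin/sh
# Added example (not libcap/capsh code): decode Linux capability masks as
# `capsh --decode=N` does, and compare the CapBnd/CapEff lines of a
# /proc/<pid>/status file.

# Kernel capability numbers from linux/capability.h. Numbers beyond the
# table print as "cap_N", this example's own fallback convention.
cap_name() {
    case "$1" in
        0)  echo cap_chown ;;             1)  echo cap_dac_override ;;
        2)  echo cap_dac_read_search ;;   3)  echo cap_fowner ;;
        4)  echo cap_fsetid ;;            5)  echo cap_kill ;;
        6)  echo cap_setgid ;;            7)  echo cap_setuid ;;
        8)  echo cap_setpcap ;;           9)  echo cap_linux_immutable ;;
        10) echo cap_net_bind_service ;;  11) echo cap_net_broadcast ;;
        12) echo cap_net_admin ;;         13) echo cap_net_raw ;;
        14) echo cap_ipc_lock ;;          15) echo cap_ipc_owner ;;
        16) echo cap_sys_module ;;        17) echo cap_sys_rawio ;;
        18) echo cap_sys_chroot ;;        19) echo cap_sys_ptrace ;;
        20) echo cap_sys_pacct ;;         21) echo cap_sys_admin ;;
        22) echo cap_sys_boot ;;          23) echo cap_sys_nice ;;
        24) echo cap_sys_resource ;;      25) echo cap_sys_time ;;
        26) echo cap_sys_tty_config ;;    27) echo cap_mknod ;;
        28) echo cap_lease ;;             29) echo cap_audit_write ;;
        30) echo cap_audit_control ;;     31) echo cap_setfcap ;;
        32) echo cap_mac_override ;;      33) echo cap_mac_admin ;;
        34) echo cap_syslog ;;            35) echo cap_wake_alarm ;;
        36) echo cap_block_suspend ;;     37) echo cap_audit_read ;;
        38) echo cap_perfmon ;;           39) echo cap_bpf ;;
        40) echo cap_checkpoint_restore ;;
        *)  echo "cap_$1" ;;
    esac
}

# hex_halves HEX: normalise a mask of up to 16 hex digits ("0x" optional)
# into two 32-bit integers "HI LO", so bit 63 never overflows a signed int.
hex_halves() {
    h=${1#0x}
    while [ ${#h} -lt 16 ]; do h=0$h; done
    echo "$(( 0x${h%????????} )) $(( 0x${h#????????} ))"
}

# decode_mask HI LO: print the names of the set bits, lowest first, comma
# separated (an empty line for an empty mask).
decode_mask() {
    hi=$1; lo=$2; i=0; names=""
    while [ "$i" -lt 64 ]; do
        if [ "$i" -lt 32 ]; then bit=$(( (lo >> i) & 1 ))
        else bit=$(( (hi >> (i - 32)) & 1 )); fi
        if [ "$bit" -ne 0 ]; then names="${names:+$names,}$(cap_name "$i")"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$names"
}

# decode_caps HEX: the --decode operation on the hex text used by /proc,
# e.g. decode_caps 0x0100 prints cap_setpcap.
decode_caps() {
    decode_mask $(hex_halves "$1")
}

# missing_caps < status-text: list the capabilities present in CapBnd but
# absent from CapEff. Fields other than those two are ignored.
missing_caps() {
    bnd="0 0"; eff="0 0"
    while read -r key val; do
        case "$key" in
            CapBnd:) bnd=$(hex_halves "$val") ;;
            CapEff:) eff=$(hex_halves "$val") ;;
        esac
    done
    set -- $bnd $eff   # $1 $2 = bounding hi lo, $3 $4 = effective hi lo
    decode_mask "$(( $1 & ~$3 & 0xffffffff ))" "$(( $2 & ~$4 & 0xffffffff ))"
}

# Constructed sample: the four lines quoted under --decode, plus a Name:
# line so that the "ignore other fields" path is exercised.
sample_status() {
    printf 'Name:\tinit\nCapInh:\t0000000000000000\nCapPrm:\tffffffffffffffff\n'
    printf 'CapEff:\tfffffffffffffeff\nCapBnd:\tffffffffffffffff\n'
}

decode_caps 0x0100            # cap_setpcap, as in the --decode text
sample_status | missing_caps  # cap_setpcap
```

       For a live process, missing_caps < /proc/PID/status performs the
       comparison directly, and running it on the shell spawned by a
       --drop invocation shows what was actually removed from the bounding
       set.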

EXIT STATUS
       Following successful execution the tool exits with status 0.
       Following an error, the tool immediately exits with status 1.

AUTHOR
       Written by Andrew G. Morgan <morgan@kernel.org>.

REPORTING BUGS
       Please report bugs to the author.

SEE ALSO
       libcap(3), getcap(8), setcap(8) and capabilities(7).



libcap 2                          2011-04-24                          CAPSH(1)