SETPRIV(1)                       User Commands                      SETPRIV(1)


NAME

       setpriv - run a program with different Linux privilege settings


SYNOPSIS

       setpriv [options] program [arguments]


DESCRIPTION

       Sets or queries various Linux privilege settings that are inherited
       across execve(2).

       In comparison to su(1) and runuser(1), setpriv(1) neither uses PAM, nor
       does it prompt for a password.  It is a simple, non-set-user-ID wrapper
       around execve(2), and can be used to drop privileges in the same way as
       setuidgid(8) from daemontools, chpst(8) from runit, or similar tools
       shipped by other service managers.


OPTIONS

       --clear-groups
              Clear supplementary groups.

       -d, --dump
              Dump current privilege state.  Can be specified more than once
              to show extra, mostly useless, information.  Incompatible with
              all other options.

       --groups group...
              Set supplementary groups.  The argument is a comma-separated
              list of GIDs or names.

       --inh-caps (+|-)cap... or --ambient-caps (+|-)cap... or --bounding-set (+|-)cap...
              Set the inheritable capabilities, ambient capabilities or the
              capability bounding set.  See capabilities(7).  The argument is
              a comma-separated list of +cap and -cap entries, which add or
              remove an entry respectively.  cap can either be a human-readable
              name as seen in capabilities(7) without the cap_ prefix or of
              the format cap_N, where N is the internal capability index used
              by Linux.  +all and -all can be used to add or remove all caps.
              The set of capabilities starts out as the current inheritable
              set for --inh-caps, the current ambient set for --ambient-caps
              and the current bounding set for --bounding-set.  If you drop
              something from the bounding set without also dropping it from
              the inheritable set, you are likely to become confused.  Do not
              do that.

       --keep-groups
              Preserve supplementary groups.  Only useful in conjunction with
              --rgid, --egid, or --regid.

       --init-groups
              Initialize supplementary groups using initgroups(3).  Only useful
              in conjunction with --ruid or --reuid.

       --list-caps
              List all known capabilities.  This option must be specified
              alone.

       --no-new-privs
              Set the no_new_privs bit.  With this bit set, execve(2) will not
              grant new privileges.  For example, the set-user-ID and
              set-group-ID bits as well as file capabilities will be disabled.
              (Executing binaries with these bits set will still work, but
              they will not gain privileges.  Certain LSMs, especially
              AppArmor, may result in failures to execute certain programs.)
              This bit is inherited by child processes and cannot be unset.
              See prctl(2) and Documentation/prctl/no_new_privs.txt in the
              Linux kernel source.

              The no_new_privs bit is supported since Linux 3.5.

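              The following is an added example (Python, Linux only; it is not
              code from util-linux or from this man page) that exercises the
              no_new_privs bit through the prctl(2) call referenced above,
              using the PR_SET_NO_NEW_PRIVS (38) and PR_GET_NO_NEW_PRIVS (39)
              constants from <linux/prctl.h>.  It sets the bit, confirms that
              both prctl(2) and /proc/<pid>/status report it, confirms that an
              attempt to clear it is rejected, and confirms that a forked child
              inherits it.  All of this runs in a forked child so the calling
              process keeps its own state.

```python
# Added example (not util-linux code): observe the no_new_privs bit that
# `setpriv --no-new-privs` sets, via prctl(2), inside a forked child.
import ctypes
import ctypes.util
import os

PR_SET_NO_NEW_PRIVS = 38   # from <linux/prctl.h>
PR_GET_NO_NEW_PRIVS = 39


def _libc():
    # find_library() may return None on minimal images; CDLL(None) then
    # resolves prctl from the interpreter's own global symbol namespace.
    return ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)


def read_no_new_privs(pid="self"):
    """The NoNewPrivs field of /proc/<pid>/status (0 or 1), or None if absent."""
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("NoNewPrivs:"):
                return int(line.split()[1])
    return None


def _child_checks():
    """Runs inside the forked child; returns a distinct exit code per failed check."""
    libc = _libc()
    # Setting the bit is what setpriv does before calling execve(2).
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        return 10
    # Both the prctl query and /proc must now report it as set.
    if libc.prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1:
        return 11
    if read_no_new_privs() != 1:
        return 12
    # "cannot be unset": the kernel accepts only the value 1 here and
    # returns -1 (EINVAL) for anything else.
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) != -1:
        return 13
    # "inherited by child processes": a grandchild sees the bit without
    # ever setting it itself.
    pid = os.fork()
    if pid == 0:
        os._exit(0 if read_no_new_privs() == 1 else 1)
    _, status = os.waitpid(pid, 0)
    return 0 if os.WEXITSTATUS(status) == 0 else 14


def no_new_privs_demo():
    """Fork, run the checks in the child, and return True if every check held."""
    pid = os.fork()
    if pid == 0:
        try:
            code = _child_checks()
        except Exception:
            code = 99
        os._exit(code)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) == 0


if __name__ == "__main__":
    print("no_new_privs behaves as documented:", no_new_privs_demo())
```

              Because the bit is set only in the forked child, the parent is
              unaffected; a process that set it directly would keep it, as
              would everything it later executes.
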
       --rgid gid, --egid gid, --regid gid
              Set the real, effective, or both GIDs.  The gid argument can be
              given as a textual group name.

              For safety, you must specify one of --clear-groups, --groups,
              --keep-groups, or --init-groups if you set any primary gid.

       --ruid uid, --euid uid, --reuid uid
              Set the real, effective, or both UIDs.  The uid argument can be
              given as a textual login name.

              Setting a uid or gid does not change capabilities, although the
              exec call at the end might change capabilities.  This means
              that, if you are root, you probably want to do something like:

                      setpriv --reuid=1000 --regid=1000 --inh-caps=-all

       --securebits (+|-)securebit...
              Set or clear securebits.  The argument is a comma-separated
              list.  The valid securebits are noroot, noroot_locked,
              no_setuid_fixup, no_setuid_fixup_locked, and keep_caps_locked.
              keep_caps is cleared by execve(2) and is therefore not allowed.

       --pdeathsig keep|clear|<signal>
              Keep, clear or set the parent death signal.  Some LSMs, most
              notably SELinux and AppArmor, clear the signal when the process'
              credentials change.  Using --pdeathsig keep will restore the
              parent death signal after changing credentials to remedy that
              situation.

       --selinux-label label
              Request a particular SELinux transition (using a transition on
              exec, not dyntrans).  This will fail and cause setpriv(1) to
              abort if SELinux is not in use, and the transition may be
              ignored or cause execve(2) to fail at SELinux's whim.  (In
              particular, this is unlikely to work in conjunction with
              no_new_privs.)  This is similar to runcon(1).

       --apparmor-profile profile
              Request a particular AppArmor profile (using a transition on
              exec).  This will fail and cause setpriv(1) to abort if AppArmor
              is not in use, and the transition may be ignored or cause
              execve(2) to fail at AppArmor's whim.

       --reset-env
              Clears all the environment variables except TERM; initializes
              the environment variables HOME, SHELL, USER, LOGNAME according
              to the user's passwd entry; sets PATH to
              /usr/local/bin:/bin:/usr/bin for a regular user and to
              /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin for
              root.

              The environment variable PATH may be different on systems where
              /bin and /sbin are merged into /usr.  The environment variable
              SHELL defaults to /bin/sh if none is given in the user's passwd
              entry.

       -V, --version
              Display version information and exit.

       -h, --help
              Display help text and exit.


NOTES

       If applying any specified option fails, program will not be run and
       setpriv will return with exit code 127.

       Be careful with this tool -- it may have unexpected security
       consequences.  For example, setting no_new_privs and then execing a
       program that is SELinux-confined (as this tool would do) may prevent
       the SELinux restrictions from taking effect.


EXAMPLE

       If you're looking for behaviour similar to su(1)/runuser(1), or sudo(8)
       (without the -g option), try something like:

           setpriv --reuid=1000 --regid=1000 --init-groups

       If you want to mimic daemontools' setuid(8), try:

           setpriv --reuid=1000 --regid=1000 --clear-groups


SEE ALSO

       runuser(1), su(1), prctl(2), capabilities(7)


AUTHOR

       Andy Lutomirski ⟨luto@amacapital.net⟩


AVAILABILITY

       The setpriv command is part of the util-linux package and is available
       from Linux Kernel Archive
       ⟨https://www.kernel.org/pub/linux/utils/util-linux/⟩.



util-linux                         July 2014                        SETPRIV(1)