setpriv(1)

1SETPRIV(1)                       User Commands                      SETPRIV(1)
2
3
4

NAME

6       setpriv - run a program with different Linux privilege settings
7

SYNOPSIS

9       setpriv [options] program [arguments]
10

DESCRIPTION

12       Sets  or  queries  various  Linux privilege settings that are inherited
13       across execve(2).
14
15       In comparison to su(1) and runuser(1), setpriv neither  uses  PAM,  nor
16       does it prompt for a password.  It is a simple, non-set-user-ID wrapper
17       around execve(2), and can be used to drop privileges in the same way as
18       setuidgid(8)  from  daemontools,  chpst(8) from runit, or similar tools
19       shipped by other service managers.
20

OPTIONS

22       --clear-groups
23              Clear supplementary groups.
24
25       -d, --dump
26              Dump the current privilege state.  This option can be  specified
27              more  than  once  to  show  extra,  mostly useless, information.
28              Incompatible with all other options.
29
30       --groups group...
31              Set supplementary groups.  The  argument  is  a  comma-separated
32              list of GIDs or names.
33
34       --inh-caps  (+|-)cap...   or   --ambient-caps (+|-)cap...  or  --bound‐
35       ing-set (+|-)cap...
36              Set the inheritable capabilities, ambient  capabilities  or  the
37              capability  bounding set.  See capabilities(7).  The argument is
38              a comma-separated list of +cap and -cap entries,  which  add  or
39              remove an entry respectively. cap can either be a human-readable
40              name as seen in capabilities(7) without the cap_  prefix  or  of
41              the  format cap_N, where N is the internal capability index used
42              by Linux.  +all and -all can be used to add or remove all caps.
43
44              The set of capabilities starts out as  the  current  inheritable
45              set  for  --inh-caps, the current ambient set for --ambient-caps
46              and the current bounding set for --bounding-set.
47
48              Note the following restrictions  (detailed  in  capabilities(7))
49              regarding modifications to these capability sets:
50
51              * A capability can be added to the inheritable set only if it is
52                currently present in the bounding set.
53
54              * A capability can be added to the ambient set  only  if  it  is
55                currently present in both the permitted and inheritable sets.
56
57              * Notwithstanding the syntax offered by setpriv, the kernel does
58                not permit capabilities to be added to the bounding set.
59
60              If you drop a capability from  the  bounding  set  without  also
61              dropping  it  from the inheritable set, you are likely to become
62              confused.  Do not do that.
63
64       --keep-groups
65              Preserve supplementary groups.  Only useful in conjunction  with
66              --rgid, --egid, or --regid.
67
68       --init-groups
69              Initialize  supplementary groups using initgroups(3).  Only use‐
70              ful in conjunction with --ruid or --reuid.
71
72       --list-caps
73              List all known capabilities.   This  option  must  be  specified