SETPRIV(1)                       User Commands                      SETPRIV(1)

NAME
       setpriv - run a program with different Linux privilege settings

SYNOPSIS
       setpriv [options] program [arguments]

DESCRIPTION
       Sets or queries various Linux privilege settings that are inherited
       across execve(2).

       In comparison to su(1) and runuser(1), setpriv neither uses PAM, nor
       does it prompt for a password.  It is a simple, non-set-user-ID wrapper
       around execve(2), and can be used to drop privileges in the same way as
       setuidgid(8) from daemontools, chpst(8) from runit, or similar tools
       shipped by other service managers.

OPTIONS
       --clear-groups
              Clear supplementary groups.

       -d, --dump
              Dump the current privilege state.  This option can be specified
              more than once to show extra, mostly useless, information.
              Incompatible with all other options.

       --groups group...
              Set supplementary groups.  The argument is a comma-separated
              list of GIDs or names.

       --inh-caps (+|-)cap...  or  --ambient-caps (+|-)cap...  or
       --bounding-set (+|-)cap...
              Set the inheritable capabilities, ambient capabilities or the
              capability bounding set.  See capabilities(7).  The argument is
              a comma-separated list of +cap and -cap entries, which add or
              remove an entry respectively.  cap can either be a human-readable
              name as seen in capabilities(7) without the cap_ prefix or of
              the format cap_N, where N is the internal capability index used
              by Linux.  +all and -all can be used to add or remove all caps.

              The set of capabilities starts out as the current inheritable
              set for --inh-caps, the current ambient set for --ambient-caps
              and the current bounding set for --bounding-set.

              Note the following restrictions (detailed in capabilities(7))
              regarding modifications to these capability sets:

              * A capability can be added to the inheritable set only if it is
                currently present in the bounding set.

              * A capability can be added to the ambient set only if it is
                currently present in both the permitted and inheritable sets.

              * Notwithstanding the syntax offered by setpriv, the kernel does
                not permit capabilities to be added to the bounding set.

              If you drop a capability from the bounding set without also
              dropping it from the inheritable set, you are likely to become
              confused.  Do not do that.

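       The capability rules above, modelled as an added example (Python; not
       part of util-linux or of this manual page): it decodes the Cap* masks
       of a /proc/PID/status excerpt (a constructed root shell), applies
       (+|-)cap arguments to the set an option targets, refuses the edits the
       listed restrictions forbid, and flags an inheritable set that is no
       longer covered by the bounding set.  The capability name table is a
       subset of capabilities(7), and LAST_CAP is an assumed value.

```python
"""Model of how setpriv's --inh-caps, --ambient-caps and --bounding-set
edits change a process's capability sets, with the restrictions from the
text above enforced.  Added example; not util-linux code, and it never
touches real process state."""
import re

# Subset of the names/indices in capabilities(7); any capability, listed
# here or not, can also be written as cap_N with its numeric index.
CAP_NAMES = {
    "chown": 0, "dac_override": 1, "dac_read_search": 2, "fowner": 3,
    "fsetid": 4, "kill": 5, "setgid": 6, "setuid": 7, "setpcap": 8,
    "net_bind_service": 10, "net_admin": 12, "net_raw": 13,
    "sys_chroot": 18, "sys_ptrace": 19, "sys_admin": 21,
}
LAST_CAP = 40  # assumption: highest capability index this model knows

SET_FOR_OPTION = {"--inh-caps": "CapInh", "--ambient-caps": "CapAmb",
                  "--bounding-set": "CapBnd"}


def cap_index(name):
    """'net_bind_service' -> 10 and 'cap_N' -> N; setpriv accepts both."""
    m = re.fullmatch(r"cap_(\d+)", name)
    if m and int(m.group(1)) <= LAST_CAP:
        return int(m.group(1))
    if name in CAP_NAMES:
        return CAP_NAMES[name]
    raise ValueError(f"unknown capability {name!r}")


def parse_status(text):
    """Decode the CapInh/CapPrm/CapEff/CapBnd/CapAmb hex masks and the
    NoNewPrivs flag from /proc/PID/status text into sets of indices."""
    sets = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(Cap\w+):\s*([0-9a-fA-F]+)", line.strip())
        if m:
            mask = int(m.group(2), 16)
            sets[m.group(1)] = {i for i in range(64) if mask >> i & 1}
        m = re.fullmatch(r"NoNewPrivs:\s*(\d)", line.strip())
        if m:
            sets["NoNewPrivs"] = int(m.group(1))
    return sets


def apply_edits(sets, option, arg):
    """Return a copy of `sets` with a (+|-)cap,... argument applied to the
    set `option` targets.  Raises ValueError for an edit the rules above
    forbid.  Checks run against the sets passed in, so apply --inh-caps
    before --ambient-caps: ambient caps depend on the inheritable set."""
    key = SET_FOR_OPTION[option]
    new = set(sets[key])
    for entry in arg.split(","):
        if len(entry) < 2 or entry[0] not in "+-":
            raise ValueError(f"bad entry {entry!r}: expected +cap or -cap")
        op, name = entry[0], entry[1:]
        caps = set(range(LAST_CAP + 1)) if name == "all" else {cap_index(name)}
        if op == "-":
            new -= caps
            continue
        for c in caps:
            if key == "CapBnd" and c not in sets["CapBnd"]:
                raise ValueError(f"cap {c}: the bounding set cannot be raised")
            if key == "CapInh" and c not in sets["CapBnd"]:
                raise ValueError(f"cap {c}: not in the bounding set")
            if key == "CapAmb" and not (c in sets["CapPrm"] and c in sets["CapInh"]):
                raise ValueError(f"cap {c}: not in both permitted and inheritable")
        new |= caps
    result = dict(sets)
    result[key] = new
    return result


def refused(sets, option, arg):
    """True if apply_edits() would reject this edit."""
    try:
        apply_edits(sets, option, arg)
    except ValueError:
        return True
    return False


def confusing(sets):
    """Capabilities still inheritable but dropped from the bounding set:
    the state the text above tells you to avoid."""
    return sets["CapInh"] - sets["CapBnd"]


# Constructed /proc/self/status excerpt for a root shell with full caps.
STATUS_ROOT = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
NoNewPrivs:\t0
"""

if __name__ == "__main__":
    s = parse_status(STATUS_ROOT)
    # Keep only cap_net_bind_service across exec, as a supervisor might.
    s = apply_edits(s, "--inh-caps", "-all,+net_bind_service")
    s = apply_edits(s, "--ambient-caps", "+net_bind_service")
    s = apply_edits(s, "--bounding-set", "-all,+net_bind_service")
    for k in ("CapInh", "CapAmb", "CapBnd"):
        print(k, sorted(s[k]))
    print("confusing:", confusing(s))
```

       The order in the stand-alone run matters: --ambient-caps is checked
       against the inheritable set produced by the preceding --inh-caps edit,
       and the same +net_bind_service applied straight to the constructed
       root status is refused because the capability is not yet inheritable.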
       --keep-groups
              Preserve supplementary groups.  Only useful in conjunction with
              --rgid, --egid, or --regid.

       --init-groups
              Initialize supplementary groups using initgroups(3).  Only useful
              in conjunction with --ruid or --reuid.

       --list-caps
              List all known capabilities.  This option must be specified
              alone.

       --no-new-privs
              Set the no_new_privs bit.  With this bit set, execve(2) will not
              grant new privileges.  For example, the set-user-ID and
              set-group-ID bits as well as file capabilities will be disabled.
              (Executing binaries with these bits set will still work, but
              they will not gain privileges.  Certain LSMs, especially
              AppArmor, may result in failures to execute certain programs.)
              This bit is inherited by child processes and cannot be unset.
              See prctl(2) and Documentation/prctl/no_new_privs.txt in the
              Linux kernel source.

              The no_new_privs bit is supported since Linux 3.5.

       --rgid gid, --egid gid, --regid gid
              Set the real, effective, or both GIDs.  The gid argument can be
              given as a textual group name.

              For safety, you must specify one of --clear-groups, --groups,
              --keep-groups, or --init-groups if you set any primary gid.

       --ruid uid, --euid uid, --reuid uid
              Set the real, effective, or both UIDs.  The uid argument can be
              given as a textual login name.

              Setting a uid or gid does not change capabilities, although the
              exec call at the end might change capabilities.  This means
              that, if you are root, you probably want to do something like:

                      setpriv --reuid=1000 --regid=1000 --inh-caps=-all

       --securebits (+|-)securebit...
              Set or clear securebits.  The argument is a comma-separated
              list.  The valid securebits are noroot, noroot_locked,
              no_setuid_fixup, no_setuid_fixup_locked, and keep_caps_locked.
              keep_caps is cleared by execve(2) and is therefore not allowed.

       --pdeathsig keep|clear|<signal>
              Keep, clear or set the parent death signal.  Some LSMs, most
              notably SELinux and AppArmor, clear the signal when the process'
              credentials change.  Using --pdeathsig keep will restore the
              parent death signal after changing credentials to remedy that
              situation.

       --selinux-label label
              Request a particular SELinux transition (using a transition on
              exec, not dyntrans).  This will fail and cause setpriv to abort
              if SELinux is not in use, and the transition may be ignored or
              cause execve(2) to fail at SELinux's whim.  (In particular, this
              is unlikely to work in conjunction with no_new_privs.)  This is
              similar to runcon(1).

       --apparmor-profile profile
              Request a particular AppArmor profile (using a transition on
              exec).  This will fail and cause setpriv to abort if AppArmor is
              not in use, and the transition may be ignored or cause execve(2)
              to fail at AppArmor's whim.

       --reset-env
              Clears all the environment variables except TERM; initializes
              the environment variables HOME, SHELL, USER, LOGNAME according
              to the user's passwd entry; sets PATH to
              /usr/local/bin:/bin:/usr/bin for a regular user and to
              /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin for
              root.

              The environment variable PATH may be different on systems where
              /bin and /sbin are merged into /usr.  The environment variable
              SHELL defaults to /bin/sh if none is given in the user's passwd
              entry.

       -V, --version
              Display version information and exit.

       -h, --help
              Display help text and exit.

NOTES
       If applying any specified option fails, program will not be run and
       setpriv will return with exit status 127.

       Be careful with this tool -- it may have unexpected security
       consequences.  For example, setting no_new_privs and then execing a
       program that is SELinux-confined (as this tool would do) may prevent
       the SELinux restrictions from taking effect.

EXAMPLES
       If you're looking for behaviour similar to su(1)/runuser(1), or sudo(8)
       (without the -g option), try something like:

           setpriv --reuid=1000 --regid=1000 --init-groups

       If you want to mimic daemontools' setuidgid(8), try:

           setpriv --reuid=1000 --regid=1000 --clear-groups
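
       A pre-flight check for the usage rules stated in OPTIONS and NOTES (a
       gid change needs one of the groups options, --dump and --list-caps
       stand alone, keep_caps is not a valid securebit, an SELinux transition
       is unlikely to work with no_new_privs), so a wrapper script can report
       a mistake in words rather than let setpriv exit with status 127.  This
       is an added Python example, not util-linux code; its option parser is
       a simplified model of setpriv's and does not accept the abbreviated
       option names that getopt_long-based tools allow.

```python
"""Check a planned setpriv(1) argument list against the rules in this
manual page.  Added example; the parsing model is an assumption, not
setpriv's real option handling."""

GROUP_OPTS = {"--clear-groups", "--groups", "--keep-groups", "--init-groups"}
GID_OPTS = {"--rgid", "--egid", "--regid"}
UID_OPTS = {"--ruid", "--euid", "--reuid"}
VALID_SECUREBITS = {"noroot", "noroot_locked", "no_setuid_fixup",
                    "no_setuid_fixup_locked", "keep_caps_locked"}
TAKES_VALUE = GID_OPTS | UID_OPTS | {
    "--groups", "--inh-caps", "--ambient-caps", "--bounding-set",
    "--securebits", "--pdeathsig", "--selinux-label", "--apparmor-profile"}
FLAGS = {"--clear-groups", "--keep-groups", "--init-groups", "--no-new-privs",
         "--reset-env", "--list-caps", "--dump", "--version", "--help"}
ALIASES = {"-d": "--dump", "-V": "--version", "-h": "--help"}
NO_PROGRAM_NEEDED = {"--dump", "--list-caps", "--version", "--help"}


def parse_args(argv):
    """Split argv (without argv[0]) into an option dict and the program's
    argv.  Options end at '--' or at the first word not starting with '-'."""
    opts, i = {}, 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            i += 1
            break
        if not arg.startswith("-"):
            break
        name, _, value = arg.partition("=")
        name = ALIASES.get(name, name)
        if name in TAKES_VALUE:
            if not value:                  # value given as the next word
                if i + 1 >= len(argv):
                    raise ValueError(f"{name} needs an argument")
                i += 1
                value = argv[i]
            opts[name] = value
        elif name in FLAGS:
            opts[name] = True
        else:
            raise ValueError(f"unknown option {name!r}")
        i += 1
    return opts, argv[i:]


def check_invocation(argv):
    """Return the list of rule violations; an empty list means it looks ok."""
    opts, program = parse_args(argv)
    given = set(opts)
    problems = []
    if "--dump" in given and len(given) > 1:
        problems.append("--dump is incompatible with all other options")
    if "--list-caps" in given and len(given) > 1:
        problems.append("--list-caps must be specified alone")
    if given & GID_OPTS and not given & GROUP_OPTS:
        problems.append("a primary gid needs --clear-groups, --groups, "
                        "--keep-groups or --init-groups as well")
    if "--keep-groups" in given and not given & GID_OPTS:
        problems.append("--keep-groups is only useful with --rgid, --egid or --regid")
    if "--init-groups" in given and not given & {"--ruid", "--reuid"}:
        problems.append("--init-groups is only useful with --ruid or --reuid")
    if "--securebits" in opts:
        for bit in opts["--securebits"].split(","):
            if len(bit) < 2 or bit[0] not in "+-" or bit[1:] not in VALID_SECUREBITS:
                problems.append(f"bad securebit {bit!r} (keep_caps is not allowed)")
    if "--selinux-label" in given and "--no-new-privs" in given:
        problems.append("an SELinux transition is unlikely to work with no_new_privs")
    if not program and not given & NO_PROGRAM_NEEDED:
        problems.append("no program given")
    return problems


if __name__ == "__main__":
    # A gid change without any groups option: the case the text calls out.
    for problem in check_invocation(["--regid=1000", "/bin/true"]):
        print("setpriv:", problem)
```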

AUTHORS
       Andy Lutomirski ⟨luto@amacapital.net⟩

SEE ALSO
       runuser(1), su(1), prctl(2), capabilities(7)

AVAILABILITY
       The setpriv command is part of the util-linux package and is available
       from Linux Kernel Archive
       ⟨https://www.kernel.org/pub/linux/utils/util-linux/⟩.

util-linux                         July 2014                        SETPRIV(1)