1SETPRIV(1) User Commands SETPRIV(1)
2
3
4
6 setpriv - run a program with different Linux privilege settings
7
9 setpriv [options] program [arguments]
10
12 Sets or queries various Linux privilege settings that are inherited
13 across execve(2).
14
15 In comparison to su(1) and runuser(1), setpriv neither uses PAM, nor
16 does it prompt for a password. It is a simple, non-set-user-ID wrapper
17 around execve(2), and can be used to drop privileges in the same way as
18 setuidgid(8) from daemontools, chpst(8) from runit, or similar tools
19 shipped by other service managers.
20
22 --clear-groups
23 Clear supplementary groups.
24
25 -d, --dump
26 Dump the current privilege state. This option can be specified more
27 than once to show extra, mostly useless, information. Incompatible
28 with all other options.
29
30 --groups group...
31 Set supplementary groups. The argument is a comma-separated list of
32 GIDs or names.
33
34 --inh-caps (+|-)cap..., --ambient-caps (+|-)cap..., --bounding-set
35 (+|-)cap...
36 Set the inheritable capabilities, ambient capabilities or the
37 capability bounding set. See capabilities(7). The argument is a
38 comma-separated list of +cap and -cap entries, which add or remove
39 an entry respectively. cap can either be a human-readable name as
40 seen in capabilities(7) without the cap_ prefix or of the format
41 cap_N, where N is the internal capability index used by Linux. +all
42 and -all can be used to add or remove all caps.
43
44 The set of capabilities starts out as the current inheritable set
45 for --inh-caps, the current ambient set for --ambient-caps and the
46 current bounding set for --bounding-set.
47
48 Note the following restrictions (detailed in capabilities(7))
49 regarding modifications to these capability sets:
50
51 • A capability can be added to the inheritable set only if it is
52 currently present in the bounding set.
53
54 • A capability can be added to the ambient set only if it is
55 currently present in both the permitted and inheritable sets.
56
57 • Notwithstanding the syntax offered by setpriv, the kernel does
58 not permit capabilities to be added to the bounding set.
59
60 If you drop a capability from the bounding set without also dropping it
61 from the inheritable set, you are likely to become confused. Do not do
62 that.
63
64 --keep-groups
65 Preserve supplementary groups. Only useful in conjunction with
66 --rgid, --egid, or --regid.
67
68 --init-groups
69 Initialize supplementary groups using initgroups3. Only useful in
70 conjunction with --ruid or --reuid.
71
72 --list-caps
73 List all known capabilities. This option must be specified alone.
74
75 --no-new-privs
76 Set the no_new_privs bit. With this bit set, execve(2) will not
77 grant new privileges. For example, the set-user-ID and set-group-ID
78 bits as well as file capabilities will be disabled. (Executing
79 binaries with these bits set will still work, but they will not
80 gain privileges. Certain LSMs, especially AppArmor, may result in
81 failures to execute certain programs.) This bit is inherited by
82 child processes and cannot be unset. See prctl(2) and
83 Documentation/prctl/no_new_privs.txt in the Linux kernel source.
84
85 The no_new_privs bit is supported since Linux 3.5.
86
87 --rgid gid, --egid gid, --regid gid
88 Set the real, effective, or both GIDs. The gid argument can be
89 given as a textual group name.
90
91 For safety, you must specify one of --clear-groups, --groups,
92 --keep-groups, or --init-groups if you set any primary gid.
93
94 --ruid uid, --euid uid, --reuid uid
95 Set the real, effective, or both UIDs. The uid argument can be
96 given as a textual login name.
97
98 Setting a uid or gid does not change capabilities, although the
99 exec call at the end might change capabilities. This means that, if
100 you are root, you probably want to do something like:
101
102 setpriv --reuid=1000 --regid=1000 --inh-caps=-all
103
104 --securebits (+|-)securebit...
105 Set or clear securebits. The argument is a comma-separated list.
106 The valid securebits are noroot, noroot_locked, no_setuid_fixup,
107 no_setuid_fixup_locked, and keep_caps_locked. keep_caps is cleared
108 by execve(2) and is therefore not allowed.
109
110 --pdeathsig keep|clear|<signal>
111 Keep, clear or set the parent death signal. Some LSMs, most notably
112 SELinux and AppArmor, clear the signal when the process'
113 credentials change. Using --pdeathsig keep will restore the parent
114 death signal after changing credentials to remedy that situation.
115
116 --selinux-label label
117 Request a particular SELinux transition (using a transition on
118 exec, not dyntrans). This will fail and cause setpriv to abort if
119 SELinux is not in use, and the transition may be ignored or cause
120 execve(2) to fail at SELinux’s whim. (In particular, this is
121 unlikely to work in conjunction with no_new_privs.) This is similar
122 to runcon(1).
123
124 --apparmor-profile profile
125 Request a particular AppArmor profile (using a transition on exec).
126 This will fail and cause setpriv to abort if AppArmor is not in
127 use, and the transition may be ignored or cause execve(2) to fail
128 at AppArmor’s whim.
129
130 --reset-env
131 Clears all the environment variables except TERM; initializes the
132 environment variables HOME, SHELL, USER, LOGNAME according to the
133 user’s passwd entry; sets PATH to /usr/local/bin:/bin:/usr/bin for
134 a regular user and to
135 /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin for
136 root.
137
138 The environment variable PATH may be different on systems where
139 /bin and /sbin are merged into /usr. The environment variable SHELL
140 defaults to /bin/sh if none is given in the user’s passwd entry.
141
142 -h, --help
143 Display help text and exit.
144
145 -V, --version
146 Print version and exit.
147
149 If applying any specified option fails, program will not be run and
150 setpriv will return with exit status 127.
151
152 Be careful with this tool — it may have unexpected security
153 consequences. For example, setting no_new_privs and then execing a
154 program that is SELinux-confined (as this tool would do) may prevent
155 the SELinux restrictions from taking effect.
156
158 If you’re looking for behavior similar to su(1)/runuser(1), or sudo(8)
159 (without the -g option), try something like:
160
161 setpriv --reuid=1000 --regid=1000 --init-groups
162
163 If you want to mimic daemontools' setuid(8), try:
164
165 setpriv --reuid=1000 --regid=1000 --clear-groups
166
168 Andy Lutomirski <luto@amacapital.net>
169
171 runuser(1), su(1), prctl(2), capabilities(7)
172
174 For bug reports, use the issue tracker at
175 https://github.com/util-linux/util-linux/issues.
176
178 The setpriv command is part of the util-linux package which can be
179 downloaded from Linux Kernel Archive
180 <https://www.kernel.org/pub/linux/utils/util-linux/>.
181
182
183
184util-linux 2.38 2022-02-17 SETPRIV(1)