    setpriv

    
    
    

    SYNOPSIS

           setpriv [options] program [arguments]
    
    
    

    DESCRIPTION

           Sets  or  queries  various  Linux privilege settings that are inherited
           across execve(2).
    
    
    

    OPTIONS

           -d, --dump
                  Dumps current privilege state.  Specify more than once  to  show
                  extra, mostly useless, information.  Incompatible with all other
                  options.
    
           --no-new-privs
                  Sets the no_new_privs bit.  With this bit set, execve(2) will
                  not grant new privileges.  For example, the setuid and setgid
                  bits as well as file capabilities will be disabled.  (Executing
                  binaries with these bits set will still work, but they will not
                  gain privilege.  Certain LSMs, especially AppArmor, may result
                  in failures to execute certain programs.)  This bit is inherited
                  by child processes and cannot be unset.  See prctl(2) and
                  Documentation/prctl/no_new_privs.txt in the Linux kernel source.
    
                  The no_new_privs bit is supported since Linux 3.5.
    
           --inh-caps (+|-)cap,... or --bounding-set (+|-)cap,...
                  Sets inheritable capabilities or capability bounding set.  See
                  capabilities(7).  The argument is a comma-separated list of +cap
                  and -cap entries, which add or remove an entry respectively.
                  +all and -all can be used to add or remove all caps.  The set of
                  capabilities starts out as the current inheritable set for
                  --inh-caps and the current bounding set for --bounding-set.  If
                  you drop something from the bounding set without also dropping
                  it from the inheritable set, you are likely to become confused.
                  Do not do that.
    
           --list-caps
                  Lists all known capabilities.  Must be specified alone.
    
           --ruid uid, --euid uid, --reuid uid
                  Sets the real, effective, or both uids.  The uid argument can be
                  given as textual login name.
    
                  Setting uid or gid does not change  capabilities,  although  the
                  exec  call  at  the  end  might change capabilities.  This means
                  that, if you are root, you probably want to do something like:
    
                  --reuid=1000 --regid=1000 --inh-caps=-all
    
           --rgid gid, --egid gid, --regid gid
                  Sets the real, effective, or both gids.  The gid argument can be
                  given as textual group name.
    
           --securebits (+|-)securebit,...
                  Sets  or  clears  securebits.   The valid securebits are noroot,
                  noroot_locked,  no_setuid_fixup,   no_setuid_fixup_locked,   and
                  keep_caps_locked.   keep_caps  is  cleared  by  execve(2) and is
                  therefore not allowed.
    
           --selinux-label label
                  Requests a particular SELinux transition (using a transition on
                  exec, not dyntrans).  This will fail and cause setpriv(1) to
                  abort if SELinux is not in use, and the transition may be
                  ignored or cause execve(2) to fail at SELinux's whim.  (In
                  particular, this is unlikely to work in conjunction with
                  no_new_privs.)  This is similar to runcon(1).
    
           --apparmor-profile profile
                  Requests  a  particular  AppArmor profile (using a transition on
                  exec).  This will fail and cause setpriv(1) to abort if AppArmor
                  is  not  in  use,  and  the  transition  may be ignored or cause
                  execve(2) to fail at AppArmor's whim.
    
           -V, --version
                  Display version information and exit.
    
           -h, --help
                  Display help text and exit.
    
    
    

    NOTES

           If applying any specified option fails, program will  not  be  run  and
           setpriv will return with exit code 127.
    
           Be careful with this tool -- it may have unexpected security
           consequences.  For example, setting no_new_privs and then execing a
           program that is SELinux-confined (as this tool would do) may prevent
           the SELinux restrictions from taking effect.
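The following is an added example, not part of the setpriv man page or of util-linux. It puts together the two practical points above: the privilege-dropping invocation the --reuid/--regid entry recommends for a root-launched program, and a check, run over the output of setpriv --dump, that the resulting state really is de-privileged (non-root uid, no_new_privs set, empty inheritable and bounding sets). The dump label/value layout, the uid/gid 1000 and the program path are assumptions; the two sample dumps are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the setpriv man page or of util-linux.
# It assumes the "label: value" layout of `setpriv --dump` shown in the
# constructed samples below; adjust dump_field if your version prints
# different labels.

# Build the invocation the man page recommends for a root-launched program:
# drop to an unprivileged uid/gid, empty the inheritable set (and, since both
# are dropped together, the bounding set too) and set no_new_privs so that
# setuid/setgid bits and file capabilities cannot hand privilege back.
# $1 = uid, $2 = gid, $3 = program (all caller-supplied placeholders).
drop_privs_cmd() {
    printf 'setpriv --reuid=%s --regid=%s --inh-caps=-all --bounding-set=-all --no-new-privs -- %s\n' \
        "$1" "$2" "$3"
}

# Print the value following "<label>:" in dump text read from stdin.
dump_field() {
    sed -n "s/^$1: *//p"
}

# Read `setpriv --dump` output from stdin and return 0 only if the process is
# non-root, has no_new_privs set and carries no inheritable or bounding caps.
# Each failed check is reported on stderr so the caller sees why it failed.
check_dropped() {
    dump=$(cat)
    rc=0
    uid=$(printf '%s\n' "$dump" | dump_field uid)
    euid=$(printf '%s\n' "$dump" | dump_field euid)
    nnp=$(printf '%s\n' "$dump" | dump_field no_new_privs)
    inh=$(printf '%s\n' "$dump" | dump_field 'Inheritable capabilities')
    bnd=$(printf '%s\n' "$dump" | dump_field 'Capability bounding set')
    if [ -z "$uid" ] || [ -z "$euid" ] || [ "$uid" = "0" ] || [ "$euid" = "0" ]; then
        echo "check: still root or uid missing (uid=$uid euid=$euid)" >&2; rc=1
    fi
    if [ "$nnp" != "1" ]; then
        echo "check: no_new_privs is not set" >&2; rc=1
    fi
    if [ "$inh" != "[none]" ]; then
        echo "check: inheritable capabilities present: $inh" >&2; rc=1
    fi
    if [ "$bnd" != "[none]" ]; then
        echo "check: bounding set not empty: $bnd" >&2; rc=1
    fi
    return "$rc"
}

# Constructed sample dump of a correctly de-privileged process.
good_dump() {
cat <<'EOF'
uid: 1000
euid: 1000
gid: 1000
egid: 1000
Supplementary groups: [none]
no_new_privs: 1
Inheritable capabilities: [none]
Capability bounding set: [none]
Securebits: [none]
EOF
}

# Constructed sample dump of a process that is still root with caps left over.
bad_dump() {
cat <<'EOF'
uid: 0
euid: 0
gid: 0
egid: 0
Supplementary groups: [none]
no_new_privs: 0
Inheritable capabilities: [none]
Capability bounding set: chown,dac_override,sys_admin
Securebits: [none]
EOF
}

# Stand-alone run: show the recommended command line and check both samples.
drop_privs_cmd 1000 1000 /path/to/program
good_dump | check_dropped && echo "good sample: privileges dropped"
bad_dump | check_dropped || echo "bad sample: rejected as expected"
```

On a real host the same check can be fed the state a target would inherit by running the drop command with setpriv --dump as the program, i.e. `setpriv --reuid=1000 --regid=1000 --inh-caps=-all --bounding-set=-all --no-new-privs -- setpriv --dump | check_dropped`; because every option is applied before the exec, a non-zero exit from check_dropped means the service would start with more privilege than intended.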
    
    
    

    SEE ALSO

           prctl(2), capabilities(7)
    
    
    

    AUTHOR

           Andy Lutomirski
    
    
    

    AVAILABILITY

           The setpriv command is part of the util-linux package and is available
           from the Linux Kernel Archive.
    
    
    

    util-linux January 2013 SETPRIV(1)
