setpriv
是 Linux 系统中,用来为运行程序设置不同权限工具
介绍
setpriv
通过修改进程的权限设置(如用户 ID、组 ID、能力集),调整后续通过 execve
系统调用执行的程序的权限
- 特点
- 无 PAM 和密码提示
- 能力集管理
- GID 和 UID 管理
- SELinux 支持
- 类似的实现
help
$ setpriv --help
Usage:
setpriv [options] <program> [<argument>...]
Run a program with different privilege settings.
Options:
-d, --dump show current state (and do not exec)
--nnp, --no-new-privs disallow granting new privileges
--ambient-caps <caps,...> set ambient capabilities
--inh-caps <caps,...> set inheritable capabilities
--bounding-set <caps> set capability bounding set
--ruid <uid|user> set real uid
--euid <uid|user> set effective uid
--rgid <gid|user> set real gid
--egid <gid|group> set effective gid
--reuid <uid|user> set real and effective uid
--regid <gid|group> set real and effective gid
--clear-groups clear supplementary groups
--keep-groups keep supplementary groups
--init-groups initialize supplementary groups
--groups <group,...> set supplementary groups by UID or name
--securebits <bits> set securebits
--pdeathsig keep|clear|<signame>
set or clear parent death signal
--selinux-label <label> set SELinux label
--apparmor-profile <pr> set AppArmor profile
--reset-env clear all environment and initialize
HOME, SHELL, USER, LOGNAME and PATH
-h, --help display this help
-V, --version display version
This tool can be dangerous. Read the manpage, and be careful.
For more details see setpriv(1).
使用
# 以用户 ID 1000 和组 ID 1000 的身份运行命令,并移除所有继承能力
setpriv --reuid=1000 --regid=1000 --inh-caps=-all <command>
# 以用户 ID 1000 和组 ID 1000 的身份运行命令,并initialize supplementary groups
setpriv --reuid=1000 --regid=1000 --init-groups <command>
# 以用户 ID 1000 和组 ID 1000 的身份运行命令,并清除辅助组
setpriv --reuid=1000 --regid=1000 --clear-groups <command>
# 以 httpd_t SELinux 类型运行命令
setpriv --selinux-label system_u:system_r:httpd_t:s0 <command>