man-pages/man1/capsh.1.html
2021-03-31 01:06:50 +01:00

397 lines
10 KiB
HTML

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of CAPSH</TITLE>
</HEAD><BODY>
<H1>CAPSH</H1>
Section: User Commands (1)<BR>Updated: 2020-01-07<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
capsh - capability shell wrapper
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>
<B>capsh</B>
[<I>OPTION</I>]...
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>
Linux capability support and use can be explored and constrained with
this tool. This tool provides a handy wrapper for certain types
of capability testing and environment creation. It also provides some
debugging features useful for summarizing capability state.
<A NAME="lbAE">&nbsp;</A>
<H2>OPTIONS</H2>
The tool takes a number of optional arguments, acting on them in the
order they are provided. They are as follows:
<DL COMPACT>
<DT id="1"><B>--help</B>
<DD>
Display the list of commands supported by
<B>capsh</B>.
<DT id="2"><B>--print</B>
<DD>
Display prevailing capability and related state.
<DT id="3"><B>--</B><I> [args]</I>
<DD>
Execute
<B>/bin/bash</B>
with trailing arguments. Note, you can use
<B>-c 'command to execute'</B>
for specific commands.
<DT id="4"><B>==</B>
<DD>
Execute
<B>capsh</B>
again with remaining arguments. Useful for testing
<B>exec</B>()
behavior.
<DT id="5"><B>--caps=</B><I>cap-set</I>
<DD>
Set the prevailing process capabilities to those specified by
<I>cap-set</I>.
Where
<I>cap-set</I>
is a text-representation of capability state as per
<B><A HREF="/cgi-bin/man/man2html?3+cap_from_text">cap_from_text</A></B>(3).
<DT id="6"><B>--drop=</B><I>cap-list</I>
<DD>
Remove the listed capabilities from the prevailing bounding set. The
capabilities are a comma separated list of capabilities as recognized
by the
<B><A HREF="/cgi-bin/man/man2html?3+cap_from_name">cap_from_name</A></B>(3)
function. Use of this feature requires that the capsh program is
operating with
<B>CAP_SETPCAP</B>
in its effective set.
<DT id="7"><B>--inh=</B><I>cap-list</I>
<DD>
Set the inheritable set of capabilities for the current process to
equal those provided in the comma separated list. For this action to
succeed, the prevailing process should already have each of these
capabilities in the union of the current inheritable and permitted
capability sets, or the capsh program is operating with
<B>CAP_SETPCAP</B>
in its effective set.
<DT id="8"><B>--user=</B><I>username</I>
<DD>
Assume the identity of the named user. That is, look up the user's
<I>uid</I> and <I>gid</I>
with
<B><A HREF="/cgi-bin/man/man2html?3+getpwuid">getpwuid</A></B>(3)
and their group memberships with
<B><A HREF="/cgi-bin/man/man2html?3+getgrouplist">getgrouplist</A></B>(3)
and set them all using
<B><A HREF="/cgi-bin/man/man2html?3+cap_setuid">cap_setuid</A></B>(3)
and
<B><A HREF="/cgi-bin/man/man2html?3+cap_setgroups">cap_setgroups</A></B>(3).
Following this command, the effective capabilities will be cleared,
but the permitted set will not be so the running program is still
privileged.
<DT id="9"><B>--modes</B>
<DD>
Lists all of the libcap modes supported by
<B>--mode</B>.
<DT id="10"><B>--mode=</B>&lt;mode&gt;
<DD>
Force the program into a
<B><A HREF="/cgi-bin/man/man2html?3+cap_set_mode">cap_set_mode</A></B>(3)
security mode. This is a set of securebits and prevailing capability
arrangement recommended for its pre-determined security stance.
<DT id="11"><B>--inmode=</B>&lt;mode&gt;
<DD>
Confirm that the prevailing mode is so named, or exit with a status 1.
<DT id="12"><B>--uid=</B><I>id</I>
<DD>
Force all
<B>uid</B>
values to equal
<I>id</I>
using the
<B><A HREF="/cgi-bin/man/man2html?2+setuid">setuid</A></B>(2)
system call. This argument may require explicit preparation of the
effective set.
<DT id="13"><B>--cap-uid=</B>&lt;uid&gt;
<DD>
use the
<B><A HREF="/cgi-bin/man/man2html?3+cap_setuid">cap_setuid</A></B>(3)
function to set the uid of the current process. This performs all
prepations for setting the uid without dropping capabilities in the
process. Following this command the prevailing effective capabilities
will be lowered.
<DT id="14"><B>--is-uid=</B><I>&lt;id&gt;</I>
<DD>
Exit with status 1 unless the current
<I>uid</I> equals <I>&lt;id&gt;</I>.
<DT id="15"><B>--gid=</B><I>&lt;id&gt;</I>
<DD>
Force all
<B>gid</B>
values to equal
<I>id</I>
using the
<B><A HREF="/cgi-bin/man/man2html?2+setgid">setgid</A></B>(2)
system call.
<DT id="16"><B>--is-gid=</B><I>&lt;id&gt;</I>
<DD>
Exit with status 1 unless the current
<I>gid</I> equals <I>&lt;id&gt;</I>.
<DT id="17"><B>--groups=</B><I>&lt;gid-list&gt;</I>
<DD>
Set the supplementary groups to the numerical list provided. The
groups are set with the
<B><A HREF="/cgi-bin/man/man2html?2+setgroups">setgroups</A></B>(2)
system call. See
<B>--user</B>
for a more convenient way of doing this.
<DT id="18"><B>--keep=</B><I>&lt;0|1&gt;</I>
<DD>
In a non-pure capability mode, the kernel provides liberal privilege
to the super-user. However, it is normally the case that when the
super-user changes
<I>uid</I>
to some lesser user, then capabilities are dropped. For these
situations, the kernel can permit the process to retain its
capabilities after a
<B><A HREF="/cgi-bin/man/man2html?2+setuid">setuid</A></B>(2)
system call. This feature is known as
<I>keep-caps</I>
support. The way to activate it using this program is with this
argument. Setting the value to 1 will cause
<I>keep-caps</I>
to be active. Setting it to 0 will cause keep-caps to deactivate for
the current process. In all cases,
<I>keep-caps</I>
is deactivated when an
<B>exec</B>()
is performed. See
<B>--secbits</B>
for ways to disable this feature.
<DT id="19"><B>--secbits=</B><I>N</I>
<DD>
Set the security-bits for the program, this is via
<B><A HREF="/cgi-bin/man/man2html?2+prctl">prctl</A></B>(2), <B>PR_SET_SECUREBITS</B>
API, and the list of supported bits and their meaning can be found in
the
<B>&lt;<A HREF="file:///usr/include/sys/secbits.h">sys/secbits.h</A>&gt;</B>
header file. The program will list these bits via the
<B>--print</B>
command.
<DT id="20"><B>--chroot=</B><I>path</I>
<DD>
Execute the
<B><A HREF="/cgi-bin/man/man2html?2+chroot">chroot</A></B>(2)
system call with the new root-directory (/) equal to
<I>path</I>.
This operation requires
<B>CAP_SYS_CHROOT</B>
to be in effect.
<DT id="21"><B>--forkfor=</B><I>sec</I>
<DD>
This command causes the program to fork a child process for so many
seconds. The child will sleep that long and then exit with status
0. The purpose of this command is to support exploring the way
processes are killable in the face of capability changes. See the
<B>--killit</B>
command. Only one fork can be active at a time.
<DT id="22"><B>--killit=</B><I>sig</I>
<DD>
This commands causes a
<B>--forkfor</B>
child to be
<B><A HREF="/cgi-bin/man/man2html?2+kill">kill</A></B>(2)d
with the specified signal. The command then waits for the child to exit.
If the exit status does not match the signal being used to kill it, the
<B>capsh</B>
program exits with status 1.
<DT id="23"><B>--decode=</B><I>N</I>
<DD>
This is a convenience feature. If you look at
<B>/proc/1/status</B>
there are some capability related fields of the following form:
<P>
<BR>&nbsp;CapInh:<TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</TT>0000000000000000<BR>
<BR>&nbsp;CapPrm:<TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</TT>ffffffffffffffff<BR>
<BR>&nbsp;CapEff:<TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</TT>fffffffffffffeff<BR>
<BR>&nbsp;CapBnd:<TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</TT>ffffffffffffffff<BR>
<P>
This option provides a quick way to decode a capability vector
represented in this form. For example, the missing capability from
this effective set is 0x0100. By running:
<P>
<BR>&nbsp;capsh&nbsp;--decode=0x0100
<P>
we observe that the missing capability is:
<B>cap_setpcap</B>.
<DT id="24"><B>--supports=</B><I>xxx</I>
<DD>
As the kernel evolves, more capabilities are added. This option can be used
to verify the existence of a capability on the system. For example,
<B>--supports=</B><I>cap_syslog</I>
will cause capsh to promptly exit with a status of 1 when run on
kernel 2.6.27. However, when run on kernel 2.6.38 it will silently
succeed.
<DT id="25"><B>--has-p=</B><I>xxx</I>
<DD>
Exit with status 1 unless the
<I>permitted</I>
vector has capability
<B>xxx</B>
raised.
<DT id="26"><B>--has-ambient</B>
<DD>
Performs a check to see if the running kernel supports ambient
capabilities. If not, the capsh command exits with status 1.
<DT id="27"><B>--has-a=</B><I>xxx</I>
<DD>
Exit with status 1 unless the
<I>ambient</I>
vector has capability
<B>xxx</B>
raised.
<DT id="28"><B>--addamb=</B><I>xxx</I>
<DD>
Adds the specificed ambient capability to the running process.
<DT id="29"><B>--delamb=</B><I>xxx</I>
<DD>
Removes the specified ambient capability from the running process.
<DT id="30"><B>--noamb</B>
<DD>
Drops all ambient capabilities from the running process.
<DT id="31"><DD>
</DL>
<A NAME="lbAF">&nbsp;</A>
<H2>EXIT STATUS</H2>
Following successful execution the tool exits with status 0. Following
an error, the tool immediately exits with status 1.
<A NAME="lbAG">&nbsp;</A>
<H2>AUTHOR</H2>
Written by Andrew G. Morgan &lt;<A HREF="mailto:morgan@kernel.org">morgan@kernel.org</A>&gt;.
<A NAME="lbAH">&nbsp;</A>
<H2>REPORTING BUGS</H2>
Please report bugs via:
<DL COMPACT>
<DT id="32"><A HREF="https://bugzilla.kernel.org/buglist.cgi?component=libcap">https://bugzilla.kernel.org/buglist.cgi?component=libcap</A>&amp;list_id=1047723&amp;product=Tools&amp;resolution=---<DD>
</DL>
<A NAME="lbAI">&nbsp;</A>
<H2>SEE ALSO</H2>
<B><A HREF="/cgi-bin/man/man2html?3+libcap">libcap</A></B>(3),
<B><A HREF="/cgi-bin/man/man2html?8+getcap">getcap</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+setcap">setcap</A></B>(8)
and
<B><A HREF="/cgi-bin/man/man2html?7+capabilities">capabilities</A></B>(7).
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="33"><A HREF="#lbAB">NAME</A><DD>
<DT id="34"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="35"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="36"><A HREF="#lbAE">OPTIONS</A><DD>
<DT id="37"><A HREF="#lbAF">EXIT STATUS</A><DD>
<DT id="38"><A HREF="#lbAG">AUTHOR</A><DD>
<DT id="39"><A HREF="#lbAH">REPORTING BUGS</A><DD>
<DT id="40"><A HREF="#lbAI">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:05:08 GMT, March 31, 2021
</BODY>
</HTML>