397 lines
10 KiB
HTML
397 lines
10 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of CAPSH</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>CAPSH</H1>
|
|
Section: User Commands (1)<BR>Updated: 2020-01-07<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
capsh - capability shell wrapper
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<B>capsh</B>
|
|
|
|
[<I>OPTION</I>]...
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
Linux capability support and use can be explored and constrained with
|
|
this tool. This tool provides a handy wrapper for certain types
|
|
of capability testing and environment creation. It also provides some
|
|
debugging features useful for summarizing capability state.
|
|
<A NAME="lbAE"> </A>
|
|
<H2>OPTIONS</H2>
|
|
|
|
The tool takes a number of optional arguments, acting on them in the
|
|
order they are provided. They are as follows:
|
|
<DL COMPACT>
|
|
<DT id="1"><B>--help</B>
|
|
|
|
<DD>
|
|
Display the list of commands supported by
|
|
<B>capsh</B>.
|
|
|
|
<DT id="2"><B>--print</B>
|
|
|
|
<DD>
|
|
Display prevailing capability and related state.
|
|
<DT id="3"><B>--</B><I> [args]</I>
|
|
|
|
<DD>
|
|
Execute
|
|
<B>/bin/bash</B>
|
|
|
|
with trailing arguments. Note, you can use
|
|
<B>-c 'command to execute'</B>
|
|
|
|
for specific commands.
|
|
<DT id="4"><B>==</B>
|
|
|
|
<DD>
|
|
Execute
|
|
<B>capsh</B>
|
|
|
|
again with remaining arguments. Useful for testing
|
|
<B>exec</B>()
|
|
|
|
behavior.
|
|
<DT id="5"><B>--caps=</B><I>cap-set</I>
|
|
|
|
<DD>
|
|
Set the prevailing process capabilities to those specified by
|
|
<I>cap-set</I>.
|
|
|
|
Where
|
|
<I>cap-set</I>
|
|
|
|
is a text-representation of capability state as per
|
|
<B><A HREF="/cgi-bin/man/man2html?3+cap_from_text">cap_from_text</A></B>(3).
|
|
|
|
<DT id="6"><B>--drop=</B><I>cap-list</I>
|
|
|
|
<DD>
|
|
Remove the listed capabilities from the prevailing bounding set. The
|
|
capabilities are a comma separated list of capabilities as recognized
|
|
by the
|
|
<B><A HREF="/cgi-bin/man/man2html?3+cap_from_name">cap_from_name</A></B>(3)
|
|
|
|
function. Use of this feature requires that the capsh program is
|
|
operating with
|
|
<B>CAP_SETPCAP</B>
|
|
|
|
in its effective set.
|
|
<DT id="7"><B>--inh=</B><I>cap-list</I>
|
|
|
|
<DD>
|
|
Set the inheritable set of capabilities for the current process to
|
|
equal those provided in the comma separated list. For this action to
|
|
succeed, the prevailing process should already have each of these
|
|
capabilities in the union of the current inheritable and permitted
|
|
capability sets, or the capsh program is operating with
|
|
<B>CAP_SETPCAP</B>
|
|
|
|
in its effective set.
|
|
<DT id="8"><B>--user=</B><I>username</I>
|
|
|
|
<DD>
|
|
Assume the identity of the named user. That is, look up the user's
|
|
<I>uid</I> and <I>gid</I>
|
|
|
|
with
|
|
<B><A HREF="/cgi-bin/man/man2html?3+getpwuid">getpwuid</A></B>(3)
|
|
|
|
and their group memberships with
|
|
<B><A HREF="/cgi-bin/man/man2html?3+getgrouplist">getgrouplist</A></B>(3)
|
|
|
|
and set them all using
|
|
<B><A HREF="/cgi-bin/man/man2html?3+cap_setuid">cap_setuid</A></B>(3)
|
|
|
|
and
|
|
<B><A HREF="/cgi-bin/man/man2html?3+cap_setgroups">cap_setgroups</A></B>(3).
|
|
|
|
Following this command, the effective capabilities will be cleared,
|
|
but the permitted set will not be so the running program is still
|
|
privileged.
|
|
<DT id="9"><B>--modes</B>
|
|
|
|
<DD>
|
|
Lists all of the libcap modes supported by
|
|
<B>--mode</B>.
|
|
|
|
<DT id="10"><B>--mode=</B><mode>
|
|
|
|
<DD>
|
|
Force the program into a
|
|
<B><A HREF="/cgi-bin/man/man2html?3+cap_set_mode">cap_set_mode</A></B>(3)
|
|
|
|
security mode. This is a set of securebits and prevailing capability
|
|
arrangement recommended for its pre-determined security stance.
|
|
<DT id="11"><B>--inmode=</B><mode>
|
|
|
|
<DD>
|
|
Confirm that the prevailing mode is so named, or exit with a status 1.
|
|
<DT id="12"><B>--uid=</B><I>id</I>
|
|
|
|
<DD>
|
|
Force all
|
|
<B>uid</B>
|
|
|
|
values to equal
|
|
<I>id</I>
|
|
|
|
using the
|
|
<B><A HREF="/cgi-bin/man/man2html?2+setuid">setuid</A></B>(2)
|
|
|
|
system call. This argument may require explicit preparation of the
|
|
effective set.
|
|
<DT id="13"><B>--cap-uid=</B><uid>
|
|
|
|
<DD>
|
|
use the
|
|
<B><A HREF="/cgi-bin/man/man2html?3+cap_setuid">cap_setuid</A></B>(3)
|
|
|
|
function to set the uid of the current process. This performs all
|
|
prepations for setting the uid without dropping capabilities in the
|
|
process. Following this command the prevailing effective capabilities
|
|
will be lowered.
|
|
<DT id="14"><B>--is-uid=</B><I><id></I>
|
|
|
|
<DD>
|
|
Exit with status 1 unless the current
|
|
<I>uid</I> equals <I><id></I>.
|
|
|
|
<DT id="15"><B>--gid=</B><I><id></I>
|
|
|
|
<DD>
|
|
Force all
|
|
<B>gid</B>
|
|
|
|
values to equal
|
|
<I>id</I>
|
|
|
|
using the
|
|
<B><A HREF="/cgi-bin/man/man2html?2+setgid">setgid</A></B>(2)
|
|
|
|
system call.
|
|
<DT id="16"><B>--is-gid=</B><I><id></I>
|
|
|
|
<DD>
|
|
Exit with status 1 unless the current
|
|
<I>gid</I> equals <I><id></I>.
|
|
|
|
<DT id="17"><B>--groups=</B><I><gid-list></I>
|
|
|
|
<DD>
|
|
Set the supplementary groups to the numerical list provided. The
|
|
groups are set with the
|
|
<B><A HREF="/cgi-bin/man/man2html?2+setgroups">setgroups</A></B>(2)
|
|
|
|
system call. See
|
|
<B>--user</B>
|
|
|
|
for a more convenient way of doing this.
|
|
<DT id="18"><B>--keep=</B><I><0|1></I>
|
|
|
|
<DD>
|
|
In a non-pure capability mode, the kernel provides liberal privilege
|
|
to the super-user. However, it is normally the case that when the
|
|
super-user changes
|
|
<I>uid</I>
|
|
|
|
to some lesser user, then capabilities are dropped. For these
|
|
situations, the kernel can permit the process to retain its
|
|
capabilities after a
|
|
<B><A HREF="/cgi-bin/man/man2html?2+setuid">setuid</A></B>(2)
|
|
|
|
system call. This feature is known as
|
|
<I>keep-caps</I>
|
|
|
|
support. The way to activate it using this program is with this
|
|
argument. Setting the value to 1 will cause
|
|
<I>keep-caps</I>
|
|
|
|
to be active. Setting it to 0 will cause keep-caps to deactivate for
|
|
the current process. In all cases,
|
|
<I>keep-caps</I>
|
|
|
|
is deactivated when an
|
|
<B>exec</B>()
|
|
|
|
is performed. See
|
|
<B>--secbits</B>
|
|
|
|
for ways to disable this feature.
|
|
<DT id="19"><B>--secbits=</B><I>N</I>
|
|
|
|
<DD>
|
|
Set the security-bits for the program, this is via
|
|
<B><A HREF="/cgi-bin/man/man2html?2+prctl">prctl</A></B>(2), <B>PR_SET_SECUREBITS</B>
|
|
|
|
API, and the list of supported bits and their meaning can be found in
|
|
the
|
|
<B><<A HREF="file:///usr/include/sys/secbits.h">sys/secbits.h</A>></B>
|
|
|
|
header file. The program will list these bits via the
|
|
<B>--print</B>
|
|
|
|
command.
|
|
<DT id="20"><B>--chroot=</B><I>path</I>
|
|
|
|
<DD>
|
|
Execute the
|
|
<B><A HREF="/cgi-bin/man/man2html?2+chroot">chroot</A></B>(2)
|
|
|
|
system call with the new root-directory (/) equal to
|
|
<I>path</I>.
|
|
|
|
This operation requires
|
|
<B>CAP_SYS_CHROOT</B>
|
|
|
|
to be in effect.
|
|
<DT id="21"><B>--forkfor=</B><I>sec</I>
|
|
|
|
<DD>
|
|
This command causes the program to fork a child process for so many
|
|
seconds. The child will sleep that long and then exit with status
|
|
0. The purpose of this command is to support exploring the way
|
|
processes are killable in the face of capability changes. See the
|
|
<B>--killit</B>
|
|
|
|
command. Only one fork can be active at a time.
|
|
<DT id="22"><B>--killit=</B><I>sig</I>
|
|
|
|
<DD>
|
|
This commands causes a
|
|
<B>--forkfor</B>
|
|
|
|
child to be
|
|
<B><A HREF="/cgi-bin/man/man2html?2+kill">kill</A></B>(2)d
|
|
|
|
with the specified signal. The command then waits for the child to exit.
|
|
If the exit status does not match the signal being used to kill it, the
|
|
<B>capsh</B>
|
|
|
|
program exits with status 1.
|
|
<DT id="23"><B>--decode=</B><I>N</I>
|
|
|
|
<DD>
|
|
This is a convenience feature. If you look at
|
|
<B>/proc/1/status</B>
|
|
|
|
there are some capability related fields of the following form:
|
|
<P>
|
|
<BR> CapInh:<TT> </TT>0000000000000000<BR>
|
|
<BR> CapPrm:<TT> </TT>ffffffffffffffff<BR>
|
|
<BR> CapEff:<TT> </TT>fffffffffffffeff<BR>
|
|
<BR> CapBnd:<TT> </TT>ffffffffffffffff<BR>
|
|
<P>
|
|
This option provides a quick way to decode a capability vector
|
|
represented in this form. For example, the missing capability from
|
|
this effective set is 0x0100. By running:
|
|
<P>
|
|
<BR> capsh --decode=0x0100
|
|
<P>
|
|
we observe that the missing capability is:
|
|
<B>cap_setpcap</B>.
|
|
|
|
<DT id="24"><B>--supports=</B><I>xxx</I>
|
|
|
|
<DD>
|
|
As the kernel evolves, more capabilities are added. This option can be used
|
|
to verify the existence of a capability on the system. For example,
|
|
<B>--supports=</B><I>cap_syslog</I>
|
|
|
|
will cause capsh to promptly exit with a status of 1 when run on
|
|
kernel 2.6.27. However, when run on kernel 2.6.38 it will silently
|
|
succeed.
|
|
<DT id="25"><B>--has-p=</B><I>xxx</I>
|
|
|
|
<DD>
|
|
Exit with status 1 unless the
|
|
<I>permitted</I>
|
|
|
|
vector has capability
|
|
<B>xxx</B>
|
|
|
|
raised.
|
|
<DT id="26"><B>--has-ambient</B>
|
|
|
|
<DD>
|
|
Performs a check to see if the running kernel supports ambient
|
|
capabilities. If not, the capsh command exits with status 1.
|
|
<DT id="27"><B>--has-a=</B><I>xxx</I>
|
|
|
|
<DD>
|
|
Exit with status 1 unless the
|
|
<I>ambient</I>
|
|
|
|
vector has capability
|
|
<B>xxx</B>
|
|
|
|
raised.
|
|
<DT id="28"><B>--addamb=</B><I>xxx</I>
|
|
|
|
<DD>
|
|
Adds the specificed ambient capability to the running process.
|
|
<DT id="29"><B>--delamb=</B><I>xxx</I>
|
|
|
|
<DD>
|
|
Removes the specified ambient capability from the running process.
|
|
<DT id="30"><B>--noamb</B>
|
|
|
|
<DD>
|
|
Drops all ambient capabilities from the running process.
|
|
<DT id="31"><DD>
|
|
</DL>
|
|
<A NAME="lbAF"> </A>
|
|
<H2>EXIT STATUS</H2>
|
|
|
|
Following successful execution the tool exits with status 0. Following
|
|
an error, the tool immediately exits with status 1.
|
|
<A NAME="lbAG"> </A>
|
|
<H2>AUTHOR</H2>
|
|
|
|
Written by Andrew G. Morgan <<A HREF="mailto:morgan@kernel.org">morgan@kernel.org</A>>.
|
|
<A NAME="lbAH"> </A>
|
|
<H2>REPORTING BUGS</H2>
|
|
|
|
Please report bugs via:
|
|
<DL COMPACT>
|
|
<DT id="32"><A HREF="https://bugzilla.kernel.org/buglist.cgi?component=libcap">https://bugzilla.kernel.org/buglist.cgi?component=libcap</A>&list_id=1047723&product=Tools&resolution=---<DD>
|
|
</DL>
|
|
<A NAME="lbAI"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?3+libcap">libcap</A></B>(3),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+getcap">getcap</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+setcap">setcap</A></B>(8)
|
|
|
|
and
|
|
<B><A HREF="/cgi-bin/man/man2html?7+capabilities">capabilities</A></B>(7).
|
|
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="33"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="34"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT id="35"><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DT id="36"><A HREF="#lbAE">OPTIONS</A><DD>
|
|
<DT id="37"><A HREF="#lbAF">EXIT STATUS</A><DD>
|
|
<DT id="38"><A HREF="#lbAG">AUTHOR</A><DD>
|
|
<DT id="39"><A HREF="#lbAH">REPORTING BUGS</A><DD>
|
|
<DT id="40"><A HREF="#lbAI">SEE ALSO</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:05:08 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|