Introduction to the linux setpriv Command

One-day Tour in Changsha

Introduction to the linux setpriv Command

1. What is setpriv

https://man.he.net/man1/setpriv

setpriv – Run a program with different Linux permissions

Set or query various Linux permission settings that can be inherited across execve(2) system calls. Unlike su(1) and runuser(1), setpriv(1) does not use PAM (Pluggable Authentication Modules) and does not prompt for a password. It is a simple execve(2) wrapper that does not set the user ID, and can be used to lower privileges like setuidgid(8) in daemontools, chpst(8) in runit, or similar tools provided by other service managers.

2. Parameters

<span><span>Running this tool is risky. Please read the man page and proceed with caution.</span></span>

[root@localhost ~]# setpriv -h
Usage: setpriv [options] <program> [<parameters>...]
Run a program with different permission settings.
Options: -d, --dump Show current status (and do not execute the program) --nnp, --no-new-privs Prevent granting new privileges --ambient-caps <caps,...> Set ambient capabilities --inh-caps <caps,...> Set inheritable capabilities --bounding-set Set capability bounding set --ruid <uid|user> Set real user ID --euid <uid|user> Set effective user ID --rgid <gid|user> Set real group ID --egid <gid|group> Set effective group ID --reuid <uid|user> Set real and effective user ID --regid <gid|group> Set real and effective group ID --clear-groups Clear supplementary groups --keep-groups Keep supplementary groups --init-groups Initialize supplementary groups --groups <group,...> Set supplementary groups by user ID or name --securebits Set secure bits --pdeathsig keep|clear|Set or clear parent death signal --selinux-label Set SELinux label --apparmor-profile Set AppArmor profile --reset-env Clear all environment variables and initialize HOME, SHELL, USER, LOGNAME, and PATH -h, --help Show this help -V, --version Show version
Running this tool is risky. Please read the man page and proceed with caution.
For more information, see setpriv(1).

3. Examples

Only display the current permission status (do not execute the program)

[root@localhost ~]# setpriv --dump
uid: 0
euid: 0
gid: 0
egid: 0
Supplementary groups: 0
no_new_privs: 0
Inheritable capabilities: [none]
Ambient capabilities: [none]
Capability bounding set: chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
Securebits: [none]
Parent death signal: [none]

Output Explanation

1. User and Group Information

uid (Real User ID): The real user ID of the process (0 indicates the root user).
euid (Effective User ID): The effective user ID of the process (determines file access permissions, 0 indicates root privileges).
gid (Real Group ID): The real group ID of the process (0 indicates the root group).
egid (Effective Group ID): The effective group ID of the process (determines file access permissions, 0 indicates the root group).
Supplementary groups: The list of supplementary groups the process belongs to (only 0, which is the root group).

2. Privilege Escalation Restrictions no_new_privs: 0

no_new_privs: 0: Allows the process to escalate privileges through execve() or setuid (default behavior).
1: Prevents privilege escalation (set by the --no-new-privs option).
If it is 0, the process may obtain higher privileges by executing other programs or setuid binaries, which poses a risk. It is recommended to enable --no-new-privs for critical services (such as containers, network services).

3. Process Capabilities

Inheritable capabilities: Inheritable capabilities: The set of capabilities that can be passed to child processes. Here it is empty, indicating that the process will not pass any capabilities to child processes.
Ambient capabilities: Ambient capabilities: [none]

4. Ambient capabilities: Global capabilities that can be used even if the effective user ID of the process is not root.

Here it is empty, indicating no ambient capabilities. Capability bounding set

Capability bounding set: chown,dac_override,dac_read_search,… (full list below)

Bounding Set: The maximum set of capabilities that the process and its child processes may have (even if executing other programs via execve()). This is a security boundary to prevent the process from inadvertently or maliciously acquiring excessive capabilities. Key capability explanations: dac_override: Bypass file read/write permission checks (similar to root's chmod/chown). net_bind_service: Bind to privileged ports (<1024). sys_admin: Perform system administration operations (such as mounting filesystems, modifying kernel parameters). sys_time: Modify system time (which may affect log timestamps).

5. Securebits

Securebits: [none] Securebits: Flags that control the permission behavior of the process (such as keep-caps, no-setuid-fixup). Here it shows as [none], indicating no special flags are set (default behavior). Common securebits: keep-caps: Retain inherited capabilities even if euid changes. no-setuid-fixup: Prevent automatic clearing of capabilities when euid changes.

2. Keep the current group list (<span>--keep-groups</span>)

  • Function: After switching users, keep the current process’s group list (do not modify supplementary groups).
  • Applicable Scenarios: When it is necessary to retain original group permissions (e.g., the supplementary group for user <span>1000</span> is correctly set).
[root@localhost opt]# setpriv --reuid=1000 --regid=1000 --keep-groups /usr/bin/bash
/usr/bin/id: Cannot find group with ID 1000
/usr/bin/id: Cannot find name for user with ID 1000
whoami: Cannot find name for user with ID 1000

3. Run a program with switched user identity, here running an empty script

[root@localhost opt]# setpriv --reuid=1000 --regid=1000 --keep-groups /usr/bin/bash /opt/5.sh

4. Start a program while preventing the granting of new privileges

setpriv --nnp --dump /bin/bash

Function: Prevent the program from escalating privileges during execution via execve() or setuid using –nnp (–no-new-privs), commonly used for security hardening.

Typical Scenario: Limit the privilege escalation capabilities of containers or service processes.

5. Clear supplementary groups and start a program

[root@localhost opt]# setpriv --clear-groups --reuid=1000  /bin/ls /root
Public  Templates  Videos  Pictures  Documents  Downloads  Music  Desktop  anaconda-ks.cfg  initial-setup-ks.cfg

4. Supplement

Notes:

If any specified option fails to execute, the program will not run, and setpriv will return exit code 127. Use this tool with caution: it may lead to unexpected security consequences.

For example: If no_new_privs is set before executing a program restricted by SELinux (as is the default behavior of setpriv), it may cause SELinux restrictions to fail.

Group management options:

--init-groups: Most commonly used, loads the default groups for the target user.
--clear-groups: Strict isolation, only retains the primary group.

Must explicitly specify group policies (otherwise an error will occur).

Exit Code:

127 indicates that the option execution failed, and the program did not start.

Related Commands:

runuser(1): Directly switch user identity to run commands.

su(1): The classic user switching tool.

prctl(2): Linux system call for process control.

capabilities(7): Documentation on the Linux capabilities mechanism.

Author and Source

Author: Andy Lutomirski [email protected]
Availability: setpriv is part of the util-linux package, available from the Linux kernel archives.

5. Summary

Incorrect usage may lead to privilege escalation or failure of security policies (such as SELinux). It is recommended to prioritize using su/sudo unless explicit low-level control with setpriv is required.

Last but not least, feel free to communicate:
Follow the public account to leave a message, or leave a message directly below:

Leave a Comment