.\"
.\" capsh.1 Man page added 2009-12-23 Andrew G. Morgan <morgan@kernel.org>
.\"
.TH CAPSH 1 "2011-04-24" "libcap 2" "User Commands"
.SH NAME
capsh \- capability shell wrapper
.SH SYNOPSIS
.B capsh
[\fIOPTION\fR]...
.SH DESCRIPTION
Linux capability support and use can be explored and constrained with
this tool. It provides a handy wrapper for certain types of capability
testing and environment creation, as well as some debugging features
useful for summarizing capability state.
.SH OPTIONS
The tool takes a number of optional arguments, acting on them in the
order they are provided. They are as follows:
.TP 22
.B --print
Display prevailing capability and related state.
.TP
.BI -- " [args]"
Execute
.B /bin/bash
with trailing arguments. Note that you can use
.B -c 'command to execute'
to run a specific command.
.TP
.B ==
Execute
.B capsh
again with remaining arguments. Useful for testing
.BR exec ()
behavior.
.TP
.BI --caps= cap-set
Set the prevailing process capabilities to those specified by
.IR cap-set ,
where
.I cap-set
is a text representation of capability state as per
.BR cap_from_text (3).
.TP
.BI --drop= cap-list
Remove the listed capabilities from the prevailing bounding set. The
capabilities are a comma-separated list of capabilities as recognized
by the
.BR cap_from_name (3)
function. Use of this feature requires that the capsh program is
operating with
.B CAP_SETPCAP
in its effective set.
.TP
.BI --inh= cap-list
Set the inheritable set of capabilities for the current process to
equal those provided in the comma-separated list. For this action to
succeed, the prevailing process should already have each of these
capabilities in the union of the current inheritable and permitted
capability sets, or the capsh program is operating with
.B CAP_SETPCAP
in its effective set.
.TP
.BI --user= username
Assume the identity of the named user. That is, look up the user's
.IR uid " and " gid
with
.BR getpwuid (3)
and their group memberships with
.BR getgrouplist (3)
and set them all.
.TP
.BI --uid= id
Force all
.B uid
values to equal
.I id
using the
.BR setuid (2)
system call.
.TP
.BI --gid= <id>
Force all
.B gid
values to equal
.I id
using the
.BR setgid (2)
system call.
.TP
.BI --groups= <id-list>
Set the supplementary groups to the numerical list provided. The
groups are set with the
.BR setgroups (2)
system call.
.TP
.BI --keep= <0|1>
In a non-pure capability mode, the kernel provides liberal privilege
to the super-user. However, it is normally the case that when the
super-user changes
.I uid
to some lesser user, then capabilities are dropped. For these
situations, the kernel can permit the process to retain its
capabilities after a
.BR setuid (2)
system call. This feature is known as
.I keep-caps
support. This argument is the way to activate it from capsh. Setting
the value to 1 will cause
.I keep-caps
to be active. Setting it to 0 will cause keep-caps to deactivate for
the current process. In all cases,
.I keep-caps
is deactivated when an
.BR exec ()
is performed. See
.B --secbits
for ways to disable this feature.
.TP
.BI --secbits= N
XXX - need to document this feature.
.TP
.BI --chroot= path
Execute the
.BR chroot (2)
system call with the new root-directory (/) equal to
.IR path .
This operation requires
.B CAP_SYS_CHROOT
to be in effect.
.TP
.BI --forkfor= sec
.TP
.BI --killit= sig
.TP
.BI --decode= N
This is a convenience feature. If you look at
.B /proc/1/status
there are some capability-related fields of the following form:

.nf
CapInh: 0000000000000000
CapPrm: ffffffffffffffff
CapEff: fffffffffffffeff
CapBnd: ffffffffffffffff
.fi

This option provides a quick way to decode a capability vector
represented in this form. For example, the missing capability from
this effective set is 0x0100. By running:

capsh --decode=0x0100

we observe that the missing capability is:
.BR cap_setpcap .
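.PP
The decoding step just described, as an added example that is not part of
libcap or of this manual page: a POSIX shell reimplementation of what
.B capsh --decode
reports, applied to the /proc/1/status excerpt above (embedded as a
constructed sample), which also lists the permitted capabilities that are not
in the effective set, the check a process wants to make before relying on
.B --drop
or
.B --inh
(both need CAP_SETPCAP to be effective). The capability-number table is an
assumption taken from <linux/capability.h> as known to the example's author,
not from this page.

```sh
# Added example (not part of libcap): decode the Cap* masks /proc/PID/status
# prints, as 'capsh --decode' does, and list permitted-but-not-effective caps.
# Assumption: bit numbers follow <linux/capability.h> as known to this author.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"
# cap_pad HEX -> drop an optional 0x and left-pad to the 16 digits /proc uses
cap_pad() { h=${1#0x}; while [ ${#h} -lt 16 ]; do h=0$h; done; echo "$h"; }

# cap_bits HEX [EXCL] -> bit numbers set in HEX and clear in EXCL (default 0),
# walked one hex digit at a time so no 64-bit shell arithmetic is needed
cap_bits() {
    a=$(cap_pad "$1"); b=$(cap_pad "${2:-0}"); bit=0; out=""
    while [ -n "$a" ]; do
        pa=${a%?}; pb=${b%?}; da=${a#$pa}; db=${b#$pb}   # split off last digit
        nib=$(( 0x$da & ~0x$db & 15 ))                   # nibble in HEX, not EXCL
        for k in 0 1 2 3; do
            [ $(( (nib >> k) & 1 )) -eq 1 ] && out="$out $((bit + k))"
        done
        a=$pa; b=$pb; bit=$((bit + 4))
    done
    echo $out
}

# cap_name BIT -> capsh-style name for that bit, or the bare number if unknown
cap_name() {
    n=$1; set -- $CAP_NAMES
    if [ "$n" -lt $# ]; then shift "$n"; echo "cap_$1"; else echo "$n"; fi
}
cap_names() { out=""; for n in "$@"; do out="${out:+$out,}$(cap_name "$n")"; done; echo "$out"; }

# cap_decode HEX -> what 'capsh --decode=HEX' reports for that mask
cap_decode() { cap_names $(cap_bits "$1"); }
# cap_field TEXT FIELD -> hex value of FIELD (e.g. CapEff) in status text
cap_field() { printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p"; }
# cap_not_effective TEXT -> permitted caps absent from the effective set;
# --drop and --inh need cap_setpcap effective, so it must not be listed here
cap_not_effective() {
    cap_names $(cap_bits "$(cap_field "$1" CapPrm)" "$(cap_field "$1" CapEff)")
}
# Constructed sample: the /proc/1/status excerpt quoted in this manual page
STATUS='CapInh: 0000000000000000
CapPrm: ffffffffffffffff
CapEff: fffffffffffffeff
CapBnd: ffffffffffffffff'
cap_decode 0x0100            # -> cap_setpcap
cap_not_effective "$STATUS"  # -> cap_setpcap
```

The same functions work on a live process with `cap_not_effective "$(cat /proc/$$/status)"`, which is a quick way to see why a --drop or --inh attempt failed.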
.TP
.BI --supports= xxx
As the kernel evolves, more capabilities are added. This option can be used
to verify the existence of a capability on the system. For example,
.BI --supports= cap_syslog
will cause capsh to promptly exit with a status of 1 when run on
kernel 2.6.27. However, when run on kernel 2.6.38 it will silently
succeed.
.SH "EXIT STATUS"
Following successful execution the tool exits with status 0. Following
an error, the tool immediately exits with status 1.
.SH AUTHOR
Written by Andrew G. Morgan <morgan@kernel.org>.
.SH "REPORTING BUGS"
Please report bugs to the author.
.SH "SEE ALSO"
.BR libcap (3),
.BR getcap (8), setcap (8)
and
.BR capabilities (7).