doc/capsh.1 - platform/external/libcap - Gitiles

 .\"
 .\" capsh.1 Man page added 2009-12-23 Andrew G. Morgan <morgan@kernel.org>
 .\"
 .TH CAPSH 1 "2011-04-24" "libcap 2" "User Commands"
 .SH NAME
 capsh \- capability shell wrapper
 .SH SYNOPSIS
 .B capsh
 [\fIOPTION\fR]...
 .SH DESCRIPTION
 Linux capability support and use can be explored and constrained with
 this tool. This tool provides a handy wrapper for certain types
 of capability testing and environment creation. It also provides some
 debugging features useful for summarizing capability state.
 .SH OPTIONS
 The tool takes a number of optional arguments, acting on them in the
 order they are provided. They are as follows:
 .TP 22
 .B --print
 Display prevailing capability and related state.
 .TP
 .BI -- " [args]"
 Execute
 .B /bin/bash
 with trailing arguments. Note, you can use
 .B -c 'command to execute'
 for specific commands.
 .TP
 .B ==
 Execute
 .B capsh
 again with remaining arguments. Useful for testing
 .BR exec ()
 behavior.
 .TP
 .BI --caps= cap-set
 Set the prevailing process capabilities to those specified by
 .IR cap-set .
 Where
 .I cap-set
 is a text-representation of capability state as per
 .BR cap_from_text (3).
 .TP
 .BI --drop= cap-list
 Remove the listed capabilities from the prevailing bounding set. The
 capabilites are a comma separated list of capabilities as recognized
 by the
 .BR cap_from_name (3)
 function. Use of this feature requires that the capsh program is
 operating with
 .B CAP_SETPCAP
 in its effective set.
 .TP
 .BI --inh= cap-list
 Set the inheritable set of capabilities for the current process to
 equal those provided in the comma separated list. For this action to
 succeed, the prevailing process should already have each of these
 capabilities in the union of the current inheritable and permitted
 capability sets, or the capsh program is operating with
 .B CAP_SETPCAP
 in its effective set.
 .TP
 .BI --user= username
 Assume the identity of the named user. That is, look up the user's
 .IR uid " and " gid
 with
 .BR getpwuid (3)
 and their group memberships with
 .BR getgrouplist (3)
 and set them all.
 .TP
 .BI --uid= id
 Force all
 .B uid
 values to equal
 .I id
 using the
 .BR setuid (2)
 system call.
 .TP
 .BI --gid= <id>
 Force all
 .B gid
 values to equal
 .I id
 using the
 .BR setgid (2)
 system call.
 .TP
 .BI --groups= <id-list>
 Set the supplementary groups to the numerical list provided. The
 groups are set with the
 .BR setgroups (2)
 system call.
 .TP
 .BI --keep= <0|1>
 In a non-pure capability mode, the kernel provides liberal privilege
 to the super-user. However, it is normally the case that when the
 super-user changes
 .I uid
 to some lesser user, then capabilities are dropped. For these
 situations, the kernel can permit the process to retain its
 capabilities after a
 .BR setuid (2)
 system call. This feature is known as
 .I keep-caps
 support. The way to activate it using this script is with this
 argument. Setting the value to 1 will cause
 .I keep-caps
 to be active. Setting it to 0 will cause keep-caps to deactivate for
 the current process. In all cases,
 .I keep-caps
 is deactivated when an
 .BR exec ()
 is performed. See
 .B --secbits
 for ways to disable this feature.
 .TP
 .BI --secbits= N
 XXX - need to document this feature.
 .TP
 .BI --chroot= path
 Execute the
 .BR chroot (2)
 system call with the new root-directory (/) equal to
 .IR path .
 This operation requires
 .B CAP_SYS_CHROOT
 to be in effect.
 .TP
 .BI --forkfor= sec
 .TP
 .BI --killit= sig
 .TP
 .BI --decode= N
 This is a convenience feature. If you look at
 .B /proc/1/status
 there are some capability related fields of the following form:

  CapInh:	0000000000000000
  CapPrm:	ffffffffffffffff
  CapEff:	fffffffffffffeff
  CapBnd:	ffffffffffffffff

 This option provides a quick way to decode a capability vector
 represented in this form. For example, the missing capability from
 this effective set is 0x0100. By running:

  capsh --decode=0x0100

 we observe that the missing capability is:
 .BR cap_setpcap .
 .TP
 .BI --supports= xxx
 As the kernel evolves, more capabilities are added. This option can be used
 to verify the existence of a capability on the system. For example,
 .BI --supports= cap_syslog
 will cause capsh to promptly exit with a status of 1 when run on
 kernel 2.6.27.  However, when run on kernel 2.6.38 it will silently
 succeed.
 .TP
 .SH "EXIT STATUS"
 Following successful execution the tool exits with status 0. Following
 an error, the tool immediately exits with status 1.
 .SH AUTHOR
 Written by Andrew G. Morgan <morgan@kernel.org>.
 .SH "REPORTING BUGS"
 Please report bugs to the author.
 .SH "SEE ALSO"
 .BR libcap (3),
 .BR getcap (8), setcap (8)
 and
 .BR capabilities (7).
	.\"
	.\" capsh.1 Man page added 2009-12-23 Andrew G. Morgan <morgan@kernel.org>
	.\"
	.TH CAPSH 1 "2011-04-24" "libcap 2" "User Commands"
	.SH NAME
	capsh \- capability shell wrapper
	.SH SYNOPSIS
	.B capsh
	[\fIOPTION\fR]...
	.SH DESCRIPTION
	Linux capability support and use can be explored and constrained with
	this tool. This tool provides a handy wrapper for certain types
	of capability testing and environment creation. It also provides some
	debugging features useful for summarizing capability state.
	.SH OPTIONS
	The tool takes a number of optional arguments, acting on them in the
	order they are provided. They are as follows:
	.TP 22
	.B --print
	Display prevailing capability and related state.
	.TP
	.BI -- " [args]"
	Execute
	.B /bin/bash
	with trailing arguments. Note, you can use
	.B -c 'command to execute'
	for specific commands.
	.TP
	.B ==
	Execute
	.B capsh
	again with remaining arguments. Useful for testing
	.BR exec ()
	behavior.
	.TP
	.BI --caps= cap-set
	Set the prevailing process capabilities to those specified by
	.IR cap-set .
	Where
	.I cap-set
	is a text-representation of capability state as per
	.BR cap_from_text (3).
	.TP
	.BI --drop= cap-list
	Remove the listed capabilities from the prevailing bounding set. The
	capabilites are a comma separated list of capabilities as recognized
	by the
	.BR cap_from_name (3)
	function. Use of this feature requires that the capsh program is
	operating with
	.B CAP_SETPCAP
	in its effective set.
	.TP
	.BI --inh= cap-list
	Set the inheritable set of capabilities for the current process to
	equal those provided in the comma separated list. For this action to
	succeed, the prevailing process should already have each of these
	capabilities in the union of the current inheritable and permitted
	capability sets, or the capsh program is operating with
	.B CAP_SETPCAP
	in its effective set.
	.TP
	.BI --user= username
	Assume the identity of the named user. That is, look up the user's
	.IR uid " and " gid
	with
	.BR getpwuid (3)
	and their group memberships with
	.BR getgrouplist (3)
	and set them all.
	.TP
	.BI --uid= id
	Force all
	.B uid
	values to equal
	.I id
	using the
	.BR setuid (2)
	system call.
	.TP
	.BI --gid= <id>
	Force all
	.B gid
	values to equal
	.I id
	using the
	.BR setgid (2)
	system call.
	.TP
	.BI --groups= <id-list>
	Set the supplementary groups to the numerical list provided. The
	groups are set with the
	.BR setgroups (2)
	system call.
	.TP
	.BI --keep= <0\|1>
	In a non-pure capability mode, the kernel provides liberal privilege
	to the super-user. However, it is normally the case that when the
	super-user changes
	.I uid
	to some lesser user, then capabilities are dropped. For these
	situations, the kernel can permit the process to retain its
	capabilities after a
	.BR setuid (2)
	system call. This feature is known as
	.I keep-caps
	support. The way to activate it using this script is with this
	argument. Setting the value to 1 will cause
	.I keep-caps
	to be active. Setting it to 0 will cause keep-caps to deactivate for
	the current process. In all cases,
	.I keep-caps
	is deactivated when an
	.BR exec ()
	is performed. See
	.B --secbits
	for ways to disable this feature.
	.TP
	.BI --secbits= N
	XXX - need to document this feature.
	.TP
	.BI --chroot= path
	Execute the
	.BR chroot (2)
	system call with the new root-directory (/) equal to
	.IR path .
	This operation requires
	.B CAP_SYS_CHROOT
	to be in effect.
	.TP
	.BI --forkfor= sec
	.TP
	.BI --killit= sig
	.TP
	.BI --decode= N
	This is a convenience feature. If you look at
	.B /proc/1/status
	there are some capability related fields of the following form:

	CapInh: 0000000000000000
	CapPrm: ffffffffffffffff
	CapEff: fffffffffffffeff
	CapBnd: ffffffffffffffff

	This option provides a quick way to decode a capability vector
	represented in this form. For example, the missing capability from
	this effective set is 0x0100. By running:

	capsh --decode=0x0100

	we observe that the missing capability is:
	.BR cap_setpcap .
	.TP
	.BI --supports= xxx
	As the kernel evolves, more capabilities are added. This option can be used
	to verify the existence of a capability on the system. For example,
	.BI --supports= cap_syslog
	will cause capsh to promptly exit with a status of 1 when run on
	kernel 2.6.27. However, when run on kernel 2.6.38 it will silently
	succeed.
	.TP
	.SH "EXIT STATUS"
	Following successful execution the tool exits with status 0. Following
	an error, the tool immediately exits with status 1.
	.SH AUTHOR
	Written by Andrew G. Morgan <morgan@kernel.org>.
	.SH "REPORTING BUGS"
	Please report bugs to the author.
	.SH "SEE ALSO"
	.BR libcap (3),
	.BR getcap (8), setcap (8)
	and
	.BR capabilities (7).