capexec runs a program with specified capabilities and other permissions.
capexec -capabilities=net_bind_service syslogd
capexec -capabilities=sys_admin,sys_module /bin/myprog
capexec -euid=404 cp /tmp/abc /home/bryanh/
capexec -asnobody bash
capexec -username http /usr/sbin/httpd
capexec -username http -capabilities="" -- httpd -f /etc/apache2.conf
capexec [-capabilities=capability_list]
        [-ruid=uid] [-euid=uid] [-suid=uid] [-fsuid=uid]
        [-rgid=gid] [-egid=gid] [-sgid=gid] [-fsgid=gid]
        [-username=username] [-asnobody] [-arg0=string]
        [--] program program_argument ...
The minimum unique abbreviation of an option is acceptable. You may use a double hyphen instead of a single hyphen to denote options. You may use white space in place of the equals sign to separate an option name from its value.
capexec does an exec of a program you identify, with the arguments you supply. It arranges for the process to have different privileges after the exec than it has when it execs capexec. If capexec is installed as an ordinary program, the resulting privileges must of course be a subset of the original ones. But if capexec is installed setuid, they could include additional privileges.
The purpose of this is to let you run a program with limited privileges because you don't trust it. (Maybe you don't trust it because it came from an untrusted person; maybe you don't trust it simply because you know programs have bugs.)
The privileges we're talking about come in two categories: capabilities, and uids and gids.
Note that to a Linux kernel, uid 0 is not special. The privileges Unix traditionally associates with uid 0 are instead associated with capabilities. However, uids might still mean something to certain application programs, and uids and gids are crucial in determining permissions to files.
capexec always makes all three capability sets (permitted, effective, and inheritable) the same.
Any privilege that you don't explicitly set with some option remains in the same state after exec as before. For example, if the process execing capexec has uid 5 and you specify no options to indicate any other uid, the process after execing your program will still have uid 5.
capexec always preserves the entire environment (the set of environment variables).
All the following permission requirements are imposed by the Linux kernel. capexec attempts to set whatever you tell it to set.
What you can and can't do with capexec depends on the capabilities and ids your process (the one running capexec) has. If capexec is installed in setuid or setgid status, be sure to consider the capabilities and ids that the process has after the exec of capexec, which may be different from those it has before the exec.
You may not run the program with any capability that you do not already have.
You may not in general run the program with different uids and gids than you have unless you have the setuid or setgid capability, respectively. However, there are some confusing rules that allow you to set one of the ids to the value of one of the others. capexec uses the setresuid() and setresgid() system calls to do the setting, so see their documentation for details.
To set the capabilities of another process, use capset.
-capabilities=capability_list
Examples of capability_list:
chown
sys_admin,sys_module
!sys_admin,sys_module
A leading ! means "all capabilities except" those listed. Remember to escape the ! in a shell command, since many shells give it a special meaning.
An empty string means no capabilities. A lone exclamation point (!) means all capabilities.
The default is to have the same capabilities after exec as before.
-ruid=uid, -euid=uid, -suid=uid, -fsuid=uid, -rgid=gid, -egid=gid, -sgid=gid, -fsgid=gid
The various ids the process is to have after exec. They are the real, effective, saved, and filesystem uids and gids.
You cannot specify these along with -username or -asnobody.
-asnobody
You cannot specify this along with -username.
-username=username
capexec uses the C library functions getpwnam() and initgroups() to determine the meaning of username.
You cannot specify this along with -asnobody, -nogroups, or any of the *id options.
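As an added example (this is not capexec's own source, which this page does not include), the following C program shows the mechanics the page describes: a parser for the capability_list syntax (empty string, a lone "!", "a,b", and "!a,b"), the getpwnam()/initgroups()/setresgid()/setresuid() sequence behind the id options and -username, and a capset() call that installs the same mask in the permitted, effective and inheritable sets. The capability name table (a subset of the kernel's list), LAST_CAP = 40, the struct and function names, and the privspec type are assumptions of this example; the fsuid/fsgid and -arg0 options are left out.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>
/* Explicit prototypes in case a harness includes headers before _GNU_SOURCE. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
#endif

/* Capability numbers are kernel ABI constants (see <linux/capability.h>); only the
 * names this page uses, plus setuid/setgid, are tabulated here (an assumed subset).
 * LAST_CAP is an assumption: CAP_LAST_CAP is 40 on Linux 5.9 and later. */
#define LAST_CAP 40
#define ALL_CAPS (((uint64_t)1 << (LAST_CAP + 1)) - 1)
static const struct { const char *name; int bit; } CAP_TABLE[] = {
    {"chown", 0}, {"setgid", 6}, {"setuid", 7},
    {"net_bind_service", 10}, {"sys_module", 16}, {"sys_admin", 21},
};
#define CAP_TABLE_LEN (sizeof CAP_TABLE / sizeof CAP_TABLE[0])

/* Parse a capability_list in capexec's syntax into a bitmask over capability numbers:
 * "" -> none, "!" -> all, "a,b" -> a and b, "!a,b" -> everything except a and b.
 * Returns 0, or -1 with errno = EINVAL for an unknown name or an overlong list. */
int parse_capability_list(const char *spec, uint64_t *mask_out)
{
    char buf[256], *save = NULL, *tok;
    uint64_t named = 0;
    int negate = (*spec == '!');

    if (negate) spec++;
    if (strlen(spec) >= sizeof buf) { errno = EINVAL; return -1; }
    strcpy(buf, spec);
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        size_t i = 0;
        while (i < CAP_TABLE_LEN && strcmp(tok, CAP_TABLE[i].name) != 0) i++;
        if (i == CAP_TABLE_LEN) { errno = EINVAL; return -1; }
        named |= (uint64_t)1 << CAP_TABLE[i].bit;
    }
    *mask_out = negate ? (ALL_CAPS & ~named) : named;
    return 0;
}

/* Same parser as a plain value: UINT64_MAX signals a list that does not parse. */
uint64_t caps_mask(const char *spec)
{
    uint64_t m;
    return parse_capability_list(spec, &m) == 0 ? m : UINT64_MAX;
}

/* capset(2) argument layout, ABI version 3 (two 32-bit words per set). */
struct cap_header { uint32_t version; int pid; };
struct cap_data   { uint32_t effective, permitted, inheritable; };
#define CAP_ABI_VERSION_3 0x20080522

/* All three sets are made identical, which is the policy the page states for capexec. */
void mask_to_capdata(uint64_t mask, struct cap_data d[2])
{
    for (int w = 0; w < 2; w++)
        d[w].effective = d[w].permitted = d[w].inheritable = (uint32_t)(mask >> (32 * w));
}

/* Requested post-exec identity (assumed type).  An id left at (uid_t)-1 / (gid_t)-1 is
 * kept, matching the page's "unset options stay as they were" rule and what
 * setresuid(2)/setresgid(2) take -1 to mean. */
struct privspec {
    const char *username;   /* if set, ids come from getpwnam() and initgroups() */
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
    int set_caps;           /* 0: capabilities stay as they are */
    uint64_t caps;
};

/* Groups change first (CAP_SETGID is still held), uids next, capabilities last.
 * PR_SET_KEEPCAPS keeps the permitted set across a uid change away from 0 so that a
 * reduced set can still be installed afterwards.  The kernel decides each step; as
 * the page says, this code only asks. */
int apply_privileges(const struct privspec *p)
{
#ifdef __linux__
    uid_t ruid = p->ruid, euid = p->euid, suid = p->suid;
    gid_t rgid = p->rgid, egid = p->egid, sgid = p->sgid;
    if (p->username) {
        struct passwd *pw = getpwnam(p->username);
        if (!pw) { errno = ENOENT; return -1; }
        if (initgroups(p->username, pw->pw_gid) != 0) return -1;
        ruid = euid = suid = pw->pw_uid;
        rgid = egid = sgid = pw->pw_gid;
    }
    if (p->set_caps && prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) != 0) return -1;
    if (setresgid(rgid, egid, sgid) != 0 || setresuid(ruid, euid, suid) != 0) return -1;
    if (p->set_caps) {
        struct cap_header hdr = { CAP_ABI_VERSION_3, 0 };   /* pid 0: this process */
        struct cap_data data[2];
        mask_to_capdata(p->caps, data);
        if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    }
    return 0;
#else
    (void)p; errno = ENOSYS; return -1;
#endif
}
```

To mimic `capexec -username http -capabilities="" -- httpd -f /etc/apache2.conf`, fill a privspec with username "http", set_caps = 1 and caps = 0, call apply_privileges(), and then execvp() the program; the id fields are ignored when username is set, as the page's "cannot specify along with" rules require. Two kernel behaviours explain most surprises: every step is subject to the permission rules listed above (changing ids needs CAP_SETUID/CAP_SETGID, and capset() can only keep capabilities the process already holds), and on kernels with file capabilities a non-root process loses its capabilities at exec unless the target binary carries file capabilities or the caller has raised them into the ambient set.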