capexec runs a program with specified capabilities and other permissions.

Examples

capexec -capabilities=net_bind_service syslogd

capexec -capabilities=sys_admin,sys_module /bin/myprog

capexec -euid=404 cp /tmp/abc /home/bryanh/

capexec -asnobody bash

capexec -username http /usr/sbin/httpd

capexec -username http -capabilities="" -- httpd -f /etc/apache2.conf

Overview

capexec [-capabilities=capability_list]
[-ruid=uid] [-euid=uid] [-suid=uid] [-fsuid=uid]
[-rgid=gid] [-egid=gid] [-sgid=gid] [-fsgid=gid]
[-username=username] [-asnobody] [-nogroups] [-arg0=string] [--]
program program_argument ...

Minimum unique abbreviation of option is acceptable. You may use double hyphens instead of single hyphen to denote options. You may use white space in place of the equals sign to separate an option name from its value.

General

capexec does an exec of a program you identify, with the arguments you supply. It arranges for the process to have different privileges after the exec than it has when it execs capexec. If capexec is installed as an ordinary program, the resulting privileges must of course be a subset of the original ones. But if capexec is installed setuid, they could be additional privileges.

The purpose of this is to let you run a program with limited privileges because you don't trust it. (Maybe you don't trust it because it came from an untrusted person; maybe you don't trust it simply because you know programs have bugs).

The privileges we're talking about come in two categories:

Note that to a Linux kernel, uid 0 is not special. The privileges Unix traditionally associates with uid 0 are instead associated with capabilities. However, uids might still mean something to certain application programs and uids and gids are crucial in determining permissions to files.

capexec always makes all three capability sets (permitted, effective, and inheritable) the same.

Any privilege that you don't explicitly set with some option remains in the same state after exec as before. For example, if the process execing capexec has uid 5 and you specify no options to indicate any other uid, the process after execing your program will still have uid 5.

capexec always preserves the entire environment (the set of environment variables).

Permission Needed

All the following permission requirements are imposed by the Linux kernel. capexec attempts to set whatever you tell it to set.

What you can and can't do with capexec depends on the capabilities and ids your process (the one running capexec) has. If capexec is installed in setuid or setgid status, be sure to consider the capabilities and ids that the process has after the exec of capexec, which may be different from those it has before the exec.

You may not run the program with any capability that you do not already have.

You may not in general run the program with different uids and gids than you have unless you have the setuid or setgid capability, respectively. However, there are some confusing rules that allow you to set one of the ids to the value of one of the others. capexec uses the setresuid() and setresgid() system calls to do the setting, so see their documentation for details.

To set the capabilities of another process, use capset.

Options

-capabilities=capability_list
A list of the capabilities the process is to have after exec.

Examples of capability_list:

chown

sys_admin,sys_module

!sys_admin,sys_module

A leading ! means "all capabilities except" the ones listed. Remember to quote or escape it in a shell command.

An empty string means no capabilities. A lone exclamation point (!) means all capabilities.

The default is to have the same capabilities after exec as before.
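An added example (not part of capexec itself) that implements the capability_list syntax described above and then checks the CapEff line of /proc/<pid>/status, so you can confirm after the exec that the program really got only the intended set. The capability table is a constructed subset of the kernel's numbering, and parse_caplist and capeff_matches are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed subset of the kernel's capability numbering (bit = CAP_* value). */
struct capname { const char *name; int bit; };
static const struct capname CAPS[] = {
    {"chown", 0}, {"setgid", 6}, {"setuid", 7}, {"net_bind_service", 10},
    {"sys_module", 16}, {"sys_admin", 21},
};
#define NCAPS (sizeof CAPS / sizeof CAPS[0])

static int cap_bit(const char *name) {
    for (size_t i = 0; i < NCAPS; i++)
        if (strcmp(CAPS[i].name, name) == 0) return CAPS[i].bit;
    return -1;
}

/* Mask of every capability in the table; stands in for "all capabilities". */
uint64_t cap_all(void) {
    uint64_t m = 0;
    for (size_t i = 0; i < NCAPS; i++) m |= (uint64_t)1 << CAPS[i].bit;
    return m;
}

/* capability_list rules: "" -> none, "!" -> all, "!a,b" -> all except a and b,
 * "a,b" -> a and b. Returns 0 and stores the mask in *out, -1 on an unknown name. */
int parse_caplist(const char *list, uint64_t *out) {
    char buf[256];
    int negate = (list[0] == '!');
    uint64_t listed = 0;
    if (negate) list++;
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        int bit = cap_bit(tok);
        if (bit < 0) return -1;
        listed |= (uint64_t)1 << bit;
    }
    *out = negate ? (cap_all() & ~listed) : listed;
    return 0;
}

/* Compare a "CapEff:\t<hex>" line, as read from /proc/<pid>/status, with the
 * mask the caller intended. Returns 1 on a match, 0 otherwise. */
int capeff_matches(const char *status_line, uint64_t expected) {
    const char *p = strstr(status_line, "CapEff:");
    if (!p) return 0;
    return strtoull(p + 7, NULL, 16) == expected;
}
```

Because capexec makes the permitted, effective and inheritable sets identical, the same comparison applied to the CapPrm and CapInh lines should also match.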

-ruid=uid
-euid=uid
-suid=uid
-fsuid=uid
-rgid=gid
-egid=gid
-sgid=gid
-fsgid=gid

The various ids the process is to have after exec. They are the real, effective, saved, and filesystem uids and gids.

You cannot specify these along with -username or -asnobody.

-asnobody
This option is a shorthand way to set all 8 ids to 999. This is a traditional uid to own no files at all and not be recognized by any program as special.

You cannot specify this along with -username or any of the *id options.

-nogroups
This option says to clear the supplemental group list of the process. Note that supplemental groups have nothing to do with the 4 process owner group ids (real, effective, saved, and filesystem).

You cannot specify this along with -username.

-username=username
This option causes all the ids and the supplemental group list to be set as they would be for a login of username username, which normally means according to the files /etc/passwd and /etc/groups.

capexec uses C library functions getpwnam() and initgroups() to determine the meaning of username.

You cannot specify this along with -asnobody, -nogroups, or any of the *id options.

-arg0=string
With this option, you can specify what you want argument 0 of the exec to be. By default, capexec follows convention and uses a suffix of the program name -- the part that comes after the last slash (/).
--
Use this special null option to indicate that every argument after it is a program parameter, not an option, even if it starts with a hyphen. This is very useful if the arguments to the program you are execing look like capexec options (i.e. they start with hyphens).

Capability Names