Пакет: libcap

CAPSH(1)			 User Commands			      CAPSH(1)



NAME
       capsh - capability shell wrapper

SYNOPSIS
       capsh [OPTION]...

DESCRIPTION
       Linux  capability  support and use can be explored and constrained with
       this tool. This tool provides a handy wrapper for certain types of  ca‐
       pability testing and environment creation. It also provides some debug‐
       ging features useful for summarizing capability state.

OPTIONS
       capsh takes a number of optional arguments, acting on them in the order
       they are provided. They are as follows:

       --help Display the list of commands supported by capsh.

       --print
	      Display prevailing capability and related state.

       --current
	      Display  prevailing  capability  state,  1e capabilities and IAB
	      vector.

       -- [args]
	      Execute /bin/bash with trailing arguments. Note, you can use  -c
	      'command to execute' for specific commands.

       -+ [args]
	      Uses  cap_launch(3)  to  fork a child to execute the shell. When
	      the child exits, capsh exits with the status of the child	 or  1
	      in the case that the child was terminated by a signal.

       == [args]
	      Execute  capsh  again  with  the remaining arguments. Useful for
	      testing exec() behavior. Note, PATH is searched when the running
	      capsh  was found via the shell's PATH searching. If the exec oc‐
	      curs after a --chroot=/some/path argument the PATH  located  bi‐
	      nary  may not be resolve to the same binary as that running ini‐
	      tially. This behavior is an intended feature as it can  complete
	      the chroot transition.

       =+ [args]
	      Uses  cap_launch(3)  to  fork  a child to re-execute capsh. When
	      this child exits, capsh exits with the status of the child or  1
	      in the case that the child was terminated by a signal.

       --caps=cap-set
	      Set  the	prevailing  process capabilities to those specified by
	      cap-set.	Where cap-set is a text-representation	of  capability
	      state as per cap_from_text(3).

       --drop=cap-list
	      Remove the listed capabilities from the prevailing bounding set.
	      The capabilities are a comma-separated list of  capabilities  as
	      recognized by the cap_from_name(3) function. Use of this feature
	      requires that capsh is operating with CAP_SETPCAP in its	effec‐
	      tive set.

       --inh=cap-list
	      Set  the inheritable set of capabilities for the current process
	      to equal those provided in the comma separated  list.  For  this
	      action  to  succeed,  the prevailing process should already have
	      each of these capabilities in the union of the current inherita‐
	      ble  and permitted capability sets, or capsh should be operating
	      with CAP_SETPCAP in its effective set.

       --user=username
	      Assume the identity of the named user.  That  is,	 look  up  the
	      user's  UID and GID with getpwuid(3) and their group memberships
	      with getgrouplist(3) and set them all  using  cap_setuid(3)  and
	      cap_setgroups(3).	  Following  this command, the effective capa‐
	      bilities will be cleared, but the permitted set will not be,  so
	      the running program is still privileged.

       --mode Display	the   prevailing   libcap   mode  as  guessed  by  the
	      cap_get_mode(3) function.

       --mode=<mode>
	      Force the program into a cap_set_mode(3) security mode. This  is
	      a set of securebits and prevailing capability arrangement recom‐
	      mended for its pre-determined security stance.

       --modes
	      Lists all of the libcap modes supported by --mode=<mode>.

       --inmode=<mode>
	      Confirm that the prevailing mode is that specified in <mode>, or
	      exit with a status 1.

       --uid=id
	      Force  all  UID  values  to  equal id using the setuid(2) system
	      call. This argument may require explicit preparation of the  ef‐
	      fective set.

       --cap-uid=<uid>
	      use  the	cap_setuid(3)  function	 to set the UID of the current
	      process. This performs all  preparations	for  setting  the  UID
	      without  dropping	 capabilities  in  the process. Following this
	      command the prevailing effective capabilities will be lowered.

       --is-uid=<id>
	      Exit with status 1 unless the current UID equals <id>.

       --gid=<id>
	      Force all GID values to equal  id	 using	the  setgid(2)	system
	      call.

       --is-gid=<id>
	      Exit with status 1 unless the current GIQ equals <id>.

       --groups=<gid-list>
	      Set the supplementary groups to the numerical list provided. The
	      groups are set with the setgroups(2) system call. See --user for
	      a more convenient way of doing this.

       --keep=<0|1>
	      In a non-pure capability mode, the kernel provides liberal priv‐
	      ilege to the super-user. However, it is normally the  case  that
	      when  the super-user changes UID to some lesser user, then capa‐
	      bilities are dropped. For these situations, the kernel can  per‐
	      mit  the	process	 to  retain its capabilities after a setuid(2)
	      system call. This feature is known as keep-caps support. The way
	      to activate it using this program is with this argument. Setting
	      the value to 1 will cause keep-caps to be active. Setting it  to
	      0 will cause keep-caps to deactivate for the current process. In
	      all cases, keep-caps is deactivated when an exec() is performed.
	      See --secbitsand--mode for ways to disable this feature.

       --secbits=N
	      Set  the	security-bits for the program.	This is done using the
	      prctl(2) PR_SET_SECUREBITS operation.   The  list	 of  supported
	      bits  and	 their	meaning	 can  be  found in the <sys/secbits.h>
	      header file. The program will list these bits  via  the  --print
	      command.	The argument is expressed as a numeric bitmask, in any
	      of the formats permitted by strtoul(3).  An alternative to  this
	      bit-twiddling is embedded in the --mode* commandline arguments.

       --chroot=/some/path
	      Execute  the  chroot(2)  system call with the new root-directory
	      (/) equal to path.  This operation requires CAP_SYS_CHROOT to be
	      in effect.

       --forkfor=sec
	      This  command  causes the program to fork a child process for so
	      many seconds. The child will sleep that long and then exit  with
	      status  0.  The  purpose of this command is to support exploring
	      the way  processes  are  killable	 in  the  face	of  capability
	      changes.	See  the --killit command. Only one fork can be active
	      at a time.

       --killit=sig
	      This commands causes a --forkfor child to be kill(2)d  with  the
	      specified	 signal. The command then waits for the child to exit.
	      If the exit status does not match the signal being used to  kill
	      it, the capsh program exits with status 1.

       --explain=cap_xxx
	      Give  a  brief textual description of what privileges the speci‐
	      fied capability makes available to a running program. Note,  in‐
	      stead  of	 cap_xxx,  one	can provide a decimal number and capsh
	      will look up the corresponding capability's description.

       --shell=/full/path
	      This option changes the shell that is invoked when the  argument
	      == is encountered.

       --strict
	      This  option  toggles  the suppression of subsequent attempts to
	      fixup --caps= and --inh= arguments. That is, when the prevailing
	      Effective flag does not contain CAP_SETPCAP the to be raised In‐
	      heritable Flag values (in strict mode) are limited to  those  in
	      the  Permitted  set.  The strict mode defaults to off. Supplying
	      this argument an even number of times restores this default  be‐
	      havior.

       --suggest=phrase
	      Scan  each of the textual descriptions of capabilities, known to
	      capsh, and display all descriptions that include phrase.

       --decode=N
	      This is a convenience feature. If	 you  look  at	/proc/1/status
	      there are some capability related fields of the following form:

	      CapInh:	0000000000000000
	      CapPrm:	0000003fffffffff
	      CapEff:	0000003fffffffff
	      CapBnd:	0000003fffffffff
	      CapAmb:	0000000000000000

	      This  option  provides a quick way to decode a capability vector
	      represented in this hexadecimal form.  Here's  an	 example  that
	      decodes the two lowest capability bits:

	      $ capsh --decode=3
	      0x0000000000000003=cap_chown,cap_dac_override

       --supports=xxx
	      As  the kernel evolves, more capabilities are added. This option
	      can be used to verify the existence of a capability on the  sys‐
	      tem.  For	 example,  --supports=cap_syslog  will	cause capsh to
	      promptly exit with a status of 1	when  run  on  kernel  2.6.27.
	      However, when run on kernel 2.6.38 it will silently succeed.

       --has-p=xxx
	      Exit  with  status  1 unless the permitted vector has capability
	      xxx raised.

       --has-ambient
	      Performs a check to see if the running kernel  supports  ambient
	      capabilities. If not, capsh exits with status 1.

       --has-a=xxx
	      Exit  with status 1 unless the ambient vector has capability xxx
	      raised.

       --has-b=xxx
	      Exit with status 1 unless the bounding vector has capability xxx
	      in its (default) non-blocked state.

       --iab=xxx
	      Attempts to set the IAB tuple of inheritable capability vectors.
	      The   text   conventions	 used	for   xxx   are	   those    of
	      cap_iab_from_text(3).

       --addamb=xxx
	      Adds the specified ambient capability to the running process.

       --delamb=xxx
	      Removes  the  specified  ambient	capability  from  the  running
	      process.

       --noamb
	      Drops all ambient capabilities from the running process.

       --noenv
	      Suppresses overriding of the HOME and USER environment variables
	      when a subsequent --user argument is processed.

       --quiet
	      This argument is ignored unless it is the first one. If present,
	      it suppresses the capsh runtime check  to	 confirm  the  running
	      libcap  is recent enough that it can name all of the kernel sup‐
	      ported capability values.

EXIT STATUS
       Following successful execution, capsh exits with status 0. Following an
       error, capsh immediately exits with status 1.

AUTHOR
       Written by Andrew G. Morgan <morgan@kernel.org>.

REPORTING BUGS
       Please report bugs via:

       https://bugzilla.kernel.org/buglist.cgi?component=lib‐
       cap&list_id=1090757

SEE ALSO
       libcap(3), cap_from_text(3),  cap_iab(3)	 capabilities(7),  captree(8),
       getcap(8), getpcaps(8), and setcap(8).



libcap				  2021-10-22			      CAPSH(1)

SETCAP(8)		    System Manager's Manual		     SETCAP(8)



NAME
       setcap - set file capabilities

SYNOPSIS
       setcap  [-q] [-n <rootuid>] [-v] {capabilities|-|-r} filename [ ... ca‐
       pabilitiesN fileN ]

DESCRIPTION
       In the absence of the -v (verify) option setcap sets  the  capabilities
       of each specified filename to the capabilities specified.  The optional
       -n <rootuid> argument can be used to set the file  capability  for  use
       only in a user namespace with this root user ID owner. The -v option is
       used to verify that the specified capabilities are currently associated
       with  the file. If -v and -n are supplied, the -n <rootuid> argument is
       also verified.

       The   capabilities   are	  specified   in   the	 form	described   in
       cap_from_text(3).

       The  special capability string, '-', can be used to indicate that capa‐
       bilities are read from the standard input. In such cases, the  capabil‐
       ity set is terminated with a blank line.

       The special capability string, '-r', is used to remove a capability set
       from a file. Note, setting an empty capability set is not the  same  as
       removing	 it.  An empty set can be used to guarantee a file is not exe‐
       cuted with privilege in spite of the fact  that	the  prevailing	 ambi‐
       ent+inheritable	sets  would  otherwise bestow capabilities on executed
       binaries.

       The '-f', is used to force completion even when it is in some way  con‐
       sidered an invalid operation. This can affect '-r' and setting file ca‐
       pabilities the kernel will not be able to make sense of.

       The -q flag is used to make the program less verbose in its output.

EXIT CODE
       The setcap program will exit with a 0 exit code if successful. On fail‐
       ure, the exit code is 1.

REPORTING BUGS
       Please report bugs via:

       https://bugzilla.kernel.org/buglist.cgi?component=lib‐
       cap&list_id=1090757

SEE ALSO
       capsh(1),    cap_from_text(3),	 cap_get_file(3),     capabilities(7),
       user_namespaces(7), captree(8), getcap(8) and getpcaps(8).



				  2020-08-29			     SETCAP(8)

GETCAP(8)		    System Manager's Manual		     GETCAP(8)



NAME
       getcap - examine file capabilities

SYNOPSIS
       getcap [-v] [-n] [-r] [-h] filename [ ... ]

DESCRIPTION
       getcap displays the name and capabilities of each specified file.

OPTIONS
       -h  prints quick usage.

       -n  prints  any	non-zero user namespace root user ID value found to be
	   associated with a file's capabilities.

       -r  enables recursive search.

       -v  display all searched entries, even if the  have  no	file-capabili‐
	   ties.

       NOTE:  an  empty	 value	of '=' is not equivalent to an omitted (or re‐
       moved) capability on a file. This is most significant with  respect  to
       the  Ambient  capability vector, since a process with Ambient capabili‐
       ties will lose them when executing a file having '=' capabilities,  but
       will  retain the Ambient inheritance of privilege when executing a file
       with an omitted file capability. This special empty setting can be used
       to  prevent  a binary from executing with privilege. For some time, the
       kernel honored this suppression for root executing the  file,  but  the
       kernel  developers  decided  after a number of years that this behavior
       was unexpected for the superuser and reverted it	 just  for  that  user
       identity.  Suppression of root privilege, for a process tree, is possi‐
       ble, using the capsh(1) --mode option.

       filename
	   One file per line.

REPORTING BUGS
       Please report bugs via:

       https://bugzilla.kernel.org/buglist.cgi?component=lib‐
       cap&list_id=1090757

SEE ALSO
       capsh(1),  cap_get_file(3), cap_to_text(3), capabilities(7), user_name‐
       spaces(7), captree(8), getpcaps(8) and setcap(8).



				  2021-08-29			     GETCAP(8)

PAM_CAP(8)		    System Manager's Manual		    PAM_CAP(8)



NAME
       pam_cap - Capabilities PAM module

SYNOPSIS
       [service-name] auth control-flag pam_cap [options]

DESCRIPTION
       The  pam_so  module  can be used to specify Inheritable capabilities to
       process trees rooted in the PAM application. The module	also  supports
       blocking	 Bounding  vector capabilities and adding Ambient vector capa‐
       bilities.

       For general PAM apps to work correctly, the  application	 must  be  run
       with at least CAP_SETPCAP raised in its Permitted capability flag. Many
       PAM applications run as root, which has all of the bits in the Bounding
       set  raised,  so this requirement is typically met. To grant an Ambient
       vector capability, the corresponding Permitted bit must be available to
       the application too.

       The pam_so module is a Linux-PAM auth module. It provides functionality
       to back pam_sm_authenticate() and pam_sm_setcred(). It  is  the	latter
       that  actually  modifies the inheritable 3-tuple of capability vectors:
       the configured IAB. In a typical application  configuration  you	 might
       have a line like this:


	   auth	   optional    pam_cap.so



       The module arguments are:

       ○   debug: While supported, this is a no-op at present.

       ○   config=/path/to/file:  Override  the default config for the module.
	   The unspecified default value for this file is  /etc/security/capa‐
	   bility.conf.	 Note, config=/dev/null is a valid value. See default=
	   below for situations in which this might be appropriate.

       ○   keepcaps: This is as much as the pam_cap.so module can do  to  help
	   an  application  support  use of the Ambient capability vector. The
	   application support for the Ambient set  is	poor  at  the  present
	   time.

       ○   autoauth:  This  argument  causes  the  pam_cap.so module to return
	   PAM_SUCCESS if the PAM_USER being authenticated exists. The absence
	   of  this  argument will cause pam_cap.so to only return PAM_SUCCESS
	   if the PAM_USER is covered by a specific  rule  in  the  prevailing
	   config file.

       ○   default=IAB:	 This argument is ignored if the prevailing configura‐
	   tion file contains a "*" rule. If there is no such  rule,  the  IAB
	   3-tuple  is	inserted  at the end of the config file and applies to
	   all PAM_USERs not covered by an earlier rule. Note, if you want all
	   PAM_USERs  to  be  covered by this default rule, you can supply the
	   module argument config=/dev/null.

       ○   defer: This argument arranges for the IAB capabilities granted to a
	   user	 to be added sufficiently late in the Linux-PAM authentication
	   stack that they stick. That is, after the application does its  se‐
	   tuid(UID)  call.  As	 such, in conjunction with the keepcaps module
	   argument, such compliant applications can support granting  Ambient
	   vector capabilities with pam_cap.so.




SEE ALSO
       pam.conf(5), capability.conf(5), pam(8).



				  April 2024			    PAM_CAP(8)

GETPCAPS(8)		    System Manager's Manual		   GETPCAPS(8)



NAME
       getpcaps - display process capabilities

SYNOPSIS
       getpcaps [optional args] pid...

DESCRIPTION
       getpcaps	 displays  the	capabilities on the processes indicated by the
       pid value(s) given on the command line.	A pid of 0 displays the	 capa‐
       bilities of the process that is running getpcaps itself.

       The capabilities are displayed in the cap_from_text(3) format.

       Optional arguments:

       --help or --usage
	      Displays usage information and exits.

       --ugly or --legacy
	      Displays output in a somewhat ugly legacy format.

       --verbose
	      Displays	usage in a legacy-like format but not quite so ugly in
	      modern default terminal fonts.

       --iab  Displays IAB tuple capabilities from  the	 process.  The	output
	      format  here  is the text format described in cap_iab(3). Double
	      quotes encase the regular process capabilities and square brack‐
	      ets  encase  the	IAB  tuple.  This  format is also used by cap‐
	      tree(8).

REPORTING BUGS
       Please report bugs via:

       https://bugzilla.kernel.org/buglist.cgi?component=lib‐
       cap&list_id=1090757

SEE ALSO
       capsh(1),  cap_from_text(3),  cap_iab(3),  capabilities(7), captree(8),
       getcap(8), and setcap(8).

AUTHOR
       This manual page was originally written by Robert Bihlmeyer  <robbe@de‐
       bian.org>, for the Debian GNU/Linux system (but may be used by others).




				  2020-08-29			   GETPCAPS(8)

CAPTREE(8)		    System Manager's Manual		    CAPTREE(8)



NAME
       captree - display tree of process capabilities

SYNOPSIS
       captree [OPTIONS] [(pid|glob-name) ...]

DESCRIPTION
       captree	displays the capabilities on the mentioned processes indicated
       by pid or glob-name value(s) given on the command line. If no  pid  etc
       values  are  supplied,  pid=1 is implied. A pid value of 0 displays all
       the processes known to the kernel.

       The POSIX.1e  capabilities  are	displayed  in  double  quotes  in  the
       cap_from_text(3) format. The IAB tuple of capabilities is displayed be‐
       tween square brackets in	 the  text  format  described  in  cap_iab(3).
       Note, the IAB tuple text is omitted if it contains empty A and B compo‐
       nents. This is because the regular POSIX.1e text	 contains  information
       about  the  Inheritable	flag  already. This behavior can be overridden
       with the --verbose command line argument.

       Optional arguments (which must precede the list of  pid|glob-name  val‐
       ues):

       --help Displays	usage  information and exits. Note, modern Go runtimes
	      exit with status 0 in this case, but older  runtimes  exit  with
	      status 2.

       --verbose
	      Displays	capability  sets  and  IAB  tuples  even when they are
	      empty, or redundant.

       --depth=n
	      Displays the process tree to a depth of n.   Note,  the  default
	      value for this parameter is 0, which implies infinite depth.

       --colo[u]r=false
	      Colo[u]rs	 the  targeted	PIDs, if stdout is a TTY, in red. This
	      option  defaults	to  true  when	running	  via	a   TTY.   The
	      --color=false argument will suppress this color. Piping the out‐
	      put into some other  program  will  also	suppress  the  use  of
	      colo[u]r.

EXIT STATUS
       If  the supplied target cannot be found the exit status is 1. Should an
       unrecognized option be provided, the exit status is 2. Otherwise,  cap‐
       tree exits with status 0.

REPORTING BUGS
       Please report bugs via:

       https://bugzilla.kernel.org/buglist.cgi?component=lib‐
       cap&list_id=1090757

SEE ALSO
       cap_from_text(3), capabilities(7), and cap_iab(3).

       There is a longer article about captree, which includes some  examples,
       here:

	  https://sites.google.com/site/fullycapable/captree

AUTHOR
       Andrew G. Morgan <morgan@kernel.org>



				  2022-04-11			    CAPTREE(8)