$ setpriv --help

Usage:
 setpriv [options] <program> [<argument>...]

Run a program with different privilege settings.

Options:
 -d, --dump                  show current state (and do not exec)
 --nnp, --no-new-privs       disallow granting new privileges
 --ambient-caps <caps,...>   set ambient capabilities
 --inh-caps <caps,...>       set inheritable capabilities
 --bounding-set <caps>       set capability bounding set
 --ruid <uid|user>           set real uid
 --euid <uid|user>           set effective uid
 --rgid <gid|user>           set real gid
 --egid <gid|group>          set effective gid
 --reuid <uid|user>          set real and effective uid
 --regid <gid|group>         set real and effective gid
 --clear-groups              clear supplementary groups
 --keep-groups               keep supplementary groups
 --init-groups               initialize supplementary groups
 --groups <group,...>        set supplementary groups by UID or name
 --securebits <bits>         set securebits
 --pdeathsig keep|clear|<signame>
                             set or clear parent death signal
 --selinux-label <label>     set SELinux label
 --apparmor-profile <pr>     set AppArmor profile
 --reset-env                 clear all environment and initialize
                               HOME, SHELL, USER, LOGNAME and PATH

 -h, --help                  display this help
 -V, --version               display version

 This tool can be dangerous.  Read the manpage, and be careful.

For more details see setpriv(1).
Usage
# Run a command as user ID 1000 and group ID 1000, dropping all inheritable capabilities
setpriv --reuid=1000 --regid=1000 --inh-caps=-all <command>
# Run a command as user ID 1000 and group ID 1000, and initialize supplementary groups
setpriv --reuid=1000 --regid=1000 --init-groups <command>
# Run a command as user ID 1000 and group ID 1000, and clear supplementary groups
setpriv --reuid=1000 --regid=1000 --clear-groups <command>
# Run a command with the httpd_t SELinux type
setpriv --selinux-label system_u:system_r:httpd_t:s0 <command>
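
Added example (not part of the original page or of util-linux): a POSIX sh check that reads `setpriv --dump` output and reports whether a privilege drop like the ones above actually took effect. The function names `dump_field` and `audit_dump`, the dump field names, and both sample dumps are assumptions constructed for illustration.

```sh
#!/bin/sh
# Constructed `setpriv --dump` output after a complete drop (field names
# assumed to follow util-linux setpriv; values are illustrative).
SAMPLE_OK='uid: 1000
euid: 1000
gid: 1000
egid: 1000
Supplementary groups: [none]
no_new_privs: 1
Inheritable capabilities: [none]
Ambient capabilities: [none]'

# Constructed output of an incomplete drop: the caller's groups were kept
# and an inheritable capability survived.
SAMPLE_BAD='uid: 1000
euid: 1000
gid: 1000
egid: 1000
Supplementary groups: 0,4,27
no_new_privs: 0
Inheritable capabilities: net_bind_service
Ambient capabilities: [none]'

# dump_field TEXT NAME: print the value of the first "NAME: value" line.
dump_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# audit_dump TEXT UID GID: print one FAIL line per finding, return 1 if any.
audit_dump() {
    dump=$1; want_uid=$2; want_gid=$3; bad=0
    for f in uid euid; do
        [ "$(dump_field "$dump" "$f")" = "$want_uid" ] || { echo "FAIL $f"; bad=1; }
    done
    for f in gid egid; do
        [ "$(dump_field "$dump" "$f")" = "$want_gid" ] || { echo "FAIL $f"; bad=1; }
    done
    for f in 'Supplementary groups' 'Inheritable capabilities' 'Ambient capabilities'; do
        [ "$(dump_field "$dump" "$f")" = '[none]' ] || { echo "FAIL $f"; bad=1; }
    done
    [ "$(dump_field "$dump" no_new_privs)" = 1 ] || { echo "FAIL no_new_privs"; bad=1; }
    return "$bad"
}

# Live use (as root), chaining a second setpriv to dump the dropped state:
#   audit_dump "$(setpriv --reuid=1000 --regid=1000 --clear-groups \
#       --inh-caps=-all --nnp setpriv --dump)" 1000 1000
audit_dump "$SAMPLE_OK" 1000 1000 && echo "sample 1: drop complete"
audit_dump "$SAMPLE_BAD" 1000 1000 || echo "sample 2: drop incomplete"
```

The second sample fails on supplementary groups, inheritable capabilities and no_new_privs, which is the state left behind when `--keep-groups` is used and `--inh-caps=-all` and `--nnp` are omitted.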