SETPRIV(1) SETPRIV(1)

setpriv -

setpriv [] []

execve(2). su(1) runuser(1), setpriv PAM. execve(2) setuidgid(8) daemontools, chpst(8) runit.

--clear-groups

-d, --dump

--groups ...

--inh-caps (+|-)..., --ambient-caps (+|-)..., --bounding-set (+|-)...
    capabilities(7). +cap -cap. cap capabilities(7) cap_ cap_N, N. +all -all. --inh-caps, --ambient-caps --bounding-set. (capabilities(7)): setpriv

--keep-groups
    --rgid, --egid, --regid.

--init-groups
    initgroups(3). --ruid --reuid.

--list-caps

--no-new-privs
    no_new_privs. execve(2). (LSM, AppArmor.) prctl(2) Documentation/prctl/no_new_privs.txt. 3.5.

--rgid, --egid, --regid
    --clear-groups, --groups, --keep-groups, --init-groups.

--ruid, --euid, --reuid

        setpriv --reuid=1000 --regid=1000 --inh-caps=-all

--securebits (+|-)-...
    noroot, noroot_locked, no_setuid_fixup, no_setuid_fixup_locked, keep_caps_locked. keep_caps execve(2).

--pdeathsig keep|clear|<>
    LSM, AppArmor. --pdeathsig keep.

--ptracer pid|any|none
    When Yama's restricted ptrace mode is in effect (that is, when /proc/sys/kernel/yama/ptrace_scope is set to 1), allow being traced via ptrace(2) by the process with the specified PID, or any process, or no process. See PR_SET_PTRACER(2const). (Note that this is not inherited by child processes, though it is preserved across execve(2).) This option has no effect when Yama is not enabled or is in a mode other than restricted ptrace.

--selinux-label
    ("exec", "dyntrans"). setpriv, execve(2). (no_new_privs.) runcon(1).

--apparmor-profile
    AppArmor. setpriv AppArmor, execve(2) AppArmor.

--landlock-access
    "landlock". --landlock-rule.

        setpriv --landlock-access

        setpriv --landlock-access :remove-file,make-dir

    setpriv --help.

--landlock-rule
    --landlock-access.

        --landlock-rule $_:$:$_

    /boot:

        --landlock-rule -:-:/boot

--seccomp-filter file
    Load raw BPF seccomp filter code from a file. Filters can for example be created with enosys.

--reset-env
    /usr/local/bin:/bin:/usr/bin
    /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    /bin /sbin /usr. /bin/sh.

-h, --help

-V, --version
    Display version and exit.

setpriv 127. no_new_privs.

su(1)/runuser(1), sudo(8) (-g):

        setpriv --reuid=1000 --regid=1000 --init-groups

setuid(8):

        setpriv --reuid=1000 --regid=1000 --clear-groups

Andy Lutomirski

runuser(1), su(1), prctl(2), capabilities(7) landlock(7)

For bug reports, use the issue tracker.

setpriv "util-linux".

util-linux 2.41 2025-03-29 SETPRIV(1)