SETPRIV(1)

setpriv - Linux

setpriv [] []

Linux, execve(2). su(1) runuser(1), setpriv PAM . execve(2) set-user-ID. , setuidgid(8) daemontools, chpst(8) runit , .

--clear-groups

-d, --dump

--groups ...
    . GID .

--inh-caps (+|-)..., --ambient-caps (+|-)..., --bounding-set (+|-)...
    , . . capabilities(7). + -, , . , capabilities(7) cap_, cap_N, N , Linux. +all -all . --inh-caps, --ambient-caps --bounding-set.

    ( capabilities(7)) : o , . o , . o , setpriv, . , , , , . .

--keep-groups
    . --rgid, --egid --regid.

--init-groups
    initgroups(3). --ruid --reuid.

--list-caps

--no-new-privs
    no_new_privs. execve(2) . , set-user-ID set-group-ID, . ( , . Linux, AppArmor, .) , . . prctl(2) Documentation/prctl/no_new_privs.txt Linux. no_new_privs Linux 3.5.

--rgid gid, --egid gid, --regid gid
    , GID. gid . --clear-groups, --groups, --keep-groups --init-groups, gid.

--ruid uid, --euid uid, --reuid uid
    , UID. uid . uid gid , exec . , , root, , , :

        setpriv --reuid=1000 --regid=1000 --inh-caps=-all

--securebits (+|-)-...
    . . noroot, noroot_locked, no_setuid_fixup, no_setuid_fixup_locked keep_caps_locked. keep_caps execve(2), .

--pdeathsig keep|clear|<>
    , . Linux, SELinux AppArmor, . --pdeathsig keep .

--ptracer pid|any|none
    When Yama's restricted ptrace mode is in effect (that is, when /proc/sys/kernel/yama/ptrace_scope is set to 1), allow being traced via ptrace(2) by the process with the specified PID, or any process, or no process. See PR_SET_PTRACER(2const). (Note that this is not inherited by child processes, though it is preserved across execve(2).) This option has no effect when Yama is not enabled or is in a mode other than restricted ptrace.

--selinux-label
    SELinux ( exec, ). setpriv, SELinux, execve(2) SELinux. (, no_new_privs.) runcon(1).

--apparmor-profile
    AppArmor ( exec). setpriv, AppArmor, execve(2) AppArmor.

--landlock-access
    Enable landlock restrictions for a specific set of system accesses. To allow specific subgroups of accesses use --landlock-rule.

    :

        setpriv --landlock-access

    :

        setpriv --landlock-access

    For a complete set of supported access categories use setpriv --help.

--landlock-rule
    Allow one specific access from the categories blocked by --landlock-access.

    :

        --landlock-rule $ruletype:$access:$rulearg

    For example grant file read access to everything under /boot:

        --landlock-rule path-beneath:read-file:/boot

--seccomp-filter
    Load raw BPF seccomp filter code from a file.

    Filters can for example be created with enosys.

--reset-env
    , TERM; HOME, SHELL, USER, LOGNAME passwd ; PATH /usr/local/bin:/bin:/usr/bin /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin root. PATH , /bin /sbin ' /usr. SHELL /bin/sh, passwd .

-h, --help

-V, --version

- , , setpriv 127. - . , no_new_privs, , SELinux ( ), SELinux.

, su(1)/runuser(1) sudo(8) ( -g), :

    setpriv --reuid=1000 --regid=1000 --init-groups

setuid(8) daemontools, :

    setpriv --reuid=1000 --regid=1000 --clear-groups

Andy Lutomirski

runuser(1), su(1), prctl(2), capabilities(7) landlock(7)

setpriv util-linux, Linux .

util-linux 2.41 2025-03-29