Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   31559 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

suattr(1M)							    suattr(1M)

NAME
     suattr - Execute shell command with specified capabilities at specified
     MAC label

SYNOPSIS
     suattr  [ -M label ] [ -C capability set ] [ -m ][ arg ... ]

DESCRIPTION
     suattr allows root to execute a command using the given capabilities set
     and at the given MAC label.

     suattr is designed primarily for system initialization, to grant commands
     executed by startup scripts the privileges they need.  To use suattr, the
     real user id must be 0.

OPTIONS
     -C <capability set>
	  Execute the requested command with the specified capability set . If
	  capabilities are not configured on your system, this option is
	  silently ignored.

     -M <MAC label>
	  Execute the requested command at the specified label . The invoker
	  of su must be cleared to operate at the requested label. If that
	  label is different than the user's current label, stdin, stdout, and
	  stderr will be closed.  If MAC is not configured on your system,
	  this option is silently ignored.

     -m	  Execute the command with a moldy process label.

     The remaining arguments given on the command line are passed to /bin/sh.
     An arg of the form -c string executes string via the shell and an arg of
     -r gives the user a restricted shell.

EXAMPLES
	  /sbin/suattr -M dbadmin -c "killall syslogd"

     The command killall syslogd is executed at the dbadmin label.

	  /sbin/suattr -C CAP_SWAP_MGT+ip -c "/sbin/swap -m"

     Set the inherited and permitted capability set to	CAP_SWAP_MGP and
     execute swap.  This has the effect of granting swap the  capability to
     execute the swap(2) system call.

									Page 1

suattr(1M)							    suattr(1M)

	  /sbin/suattr -m -c "mv /tmp /.oldtmp"

     Has the effect of preserving the moldy bit when /tmp is moved.

FILES
     /etc/passwd     system's password file
     /etc/capability system's capability file
     /etc/clearance  user clearance label information file

SEE ALSO
     capability(4), clearance(4), newlabel(1m), chcap(1).

DIAGNOSTICS
     Unexpected results, including a system which hangs during startup, may
     occur if the user root is removed from /etc/passwd or if root's
     capability set or clearance range is altered.

									Page 2

Vote for polarhome