47 lines
1.0 KiB
Plaintext
47 lines
1.0 KiB
Plaintext
|
#!/bin/sh
|
||
|
|
set -e
|
||
|
|
|
||
|
|
help=$(cat <<EOF
|
||
|
|
Usage: $(basename "$0") [OPTIONS] CAPS -- [COMMAND]
|
||
|
|
|
||
|
|
Run a command with POSIX capabilities.
|
||
|
|
|
||
|
|
Options:
|
||
|
|
-u --user change the user of the running process (default: $USER)
|
||
|
|
-h --help print this message
|
||
|
|
|
||
|
|
Capabilities:
|
||
|
|
One or more space-separated capabilities. The names are in lowercase letters
|
||
|
|
and without the "cap_" prefix. See capabilities(7) for the one supported by
|
||
|
|
your system.
|
||
|
|
EOF
|
||
|
|
)
|
||
|
|
|
||
|
|
base_caps='cap_setpcap,cap_setuid,cap_setgid+ep'
|
||
|
|
extra_caps=''
|
||
|
|
user=$USER
|
||
|
|
comm=''
|
||
|
|
|
||
|
|
for arg in "$@"; do
|
||
|
|
case "$cur" in
|
||
|
|
user) user="$arg" ;;
|
||
|
|
comm) comm="$comm $arg" ;;
|
||
|
|
esac
|
||
|
|
if test -n "$cur"; then
|
||
|
|
test "$cur" != comm && cur=""; continue
|
||
|
|
fi
|
||
|
|
|
||
|
|
case "$arg" in
|
||
|
|
-h | --help) printf "%s\n" "$help" ;;
|
||
|
|
-u | --user) cur=user ;;
|
||
|
|
--) cur=comm ;;
|
||
|
|
*) capsh --supports="cap_$arg"
|
||
|
|
base_caps="$base_caps cap_$arg+eip"
|
||
|
|
extra_caps="$extra_caps,cap_$arg" ;;
|
||
|
|
esac
|
||
|
|
done
|
||
|
|
|
||
|
|
exec sudo -E capsh \
|
||
|
|
--caps="$base_caps" --keep=1 --user="$user" \
|
||
|
|
--addamb="$extra_caps" -- -c "$comm" $@
|