scripts: add withcap

scripts/withcap

@@ -0,0 +1,46 @@
+#!/bin/sh
+set -e
+
+help=$(cat <<EOF
+Usage: $(basename "$0") [OPTIONS] CAPS -- [COMMAND]
+
+Run a command with POSIX capabilities.
+
+Options:
+  -u --user    change the user of the running process (default: $USER)
+  -h --help    print this message
+
+Capabilities:
+  One or more space-separated capabilities. The names are in lowercase letters
+  and without the "cap_" prefix. See capabilities(7) for the one supported by
+  your system.
+EOF
+)
+
+base_caps='cap_setpcap,cap_setuid,cap_setgid+ep'
+extra_caps=''
+user=$USER
+comm=''
+
+for arg in "$@"; do
+  case "$cur" in
+    user) user="$arg" ;;
+    comm) comm="$comm $arg" ;;
+  esac
+  if test -n "$cur"; then
+    test "$cur" != comm && cur=""; continue
+  fi
+
+  case "$arg" in
+    -h | --help) printf "%s\n" "$help" ;;
+    -u | --user) cur=user ;;
+    --) cur=comm ;;
+    *) capsh --supports="cap_$arg"
+       base_caps="$base_caps cap_$arg+eip"
+       extra_caps="$extra_caps,cap_$arg" ;;
+  esac
+done
+
+exec sudo -E capsh \
+  --caps="$base_caps" --keep=1 --user="$user" \
+  --addamb="$extra_caps" -- -c "$comm" $@