capng_change_id(3) [centos man page]

CAPNG_CHANGE_ID(3)						   Libcap-ng API						CAPNG_CHANGE_ID(3)

NAME
       capng_change_id - change the credentials retaining capabilities

SYNOPSIS
       #include <cap-ng.h>

       int capng_change_id(int uid, int gid, capng_flags_t flag);

DESCRIPTION
       This function will change uid and gid to the ones given while retaining the capabilities previously specified in capng_update. It is not necessary, and perhaps better, that capng_apply has not been called prior to this function, so that all necessary privileges are still intact. The caller is required to have the CAP_SETPCAP capability still active before calling this function.

       This function also takes a flag parameter that helps to tailor the exact actions performed by the function to secure the environment. The options may be or'ed together. The legal values are:

       CAPNG_NO_FLAG
              Simply change uid and retain specified capabilities and that's all.

       CAPNG_DROP_SUPP_GRP
              After changing id, remove any supplementary groups that may come with the account.

       CAPNG_CLEAR_BOUNDING
              After changing the uid and gid, clear the bounding set regardless of the internal representation already set up.

RETURN VALUE
       This returns 0 on success and a negative number on failure.

       -1     means capng has not been initialized properly
       -2     means a failure requesting to keep capabilities across the uid change
       -3     means that applying the intermediate capabilities failed
       -4     means changing gid failed
       -5     means dropping supplemental groups failed
       -6     means changing the uid failed
       -7     means dropping the ability to retain caps across a uid change failed
       -8     means clearing the bounding set failed
       -9     means dropping CAP_SETPCAP failed

       Note: the only safe action to do upon failure of this function is to probably exit. This is because you are likely in a situation with partial permissions and not what you intended.

SEE ALSO
       capng_update(3), capng_apply(3), prctl(2), capabilities(7)

AUTHOR
       Steve Grubb

Red Hat								     June 2009						CAPNG_CHANGE_ID(3)
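
An added example, not part of the libcap-ng documentation: a check a caller can run after capng_change_id() returns 0 to confirm that the process really is in the state the uid, gid and flag arguments asked for. It uses only glibc and prctl(2) rather than libcap-ng; the function audit_id_change and the EXPECT_* and BAD_* names are assumptions of this example, with EXPECT_NO_SUPP_GRP and EXPECT_EMPTY_BOUNDING standing in for the CAPNG_DROP_SUPP_GRP and CAPNG_CLEAR_BOUNDING behaviour described above.

```c
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc declares these only under _GNU_SOURCE; repeated so the block builds either way. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Names local to this example (assumptions, not libcap-ng symbols). */
enum { EXPECT_NO_SUPP_GRP = 1, EXPECT_EMPTY_BOUNDING = 2 };
enum { BAD_UID = 1, BAD_GID = 2, BAD_GROUPS = 4, BAD_BOUNDING = 8, BAD_KEEPCAPS = 16 };

/* Returns 0 when the process matches the intended change, else a BAD_* bitmask. */
int audit_id_change(uid_t uid, gid_t gid, int expect)
{
    int bad = 0;
    uid_t r, e, s;
    gid_t rg, eg, sg;

    /* Real, effective and saved ids must all be the target: a saved uid
       left at the old value lets the process switch back. */
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        bad |= BAD_UID;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        bad |= BAD_GID;

    if (expect & EXPECT_NO_SUPP_GRP) {
        int n = getgroups(0, NULL);
        gid_t *list = n > 0 ? calloc((size_t)n, sizeof *list) : NULL;
        if (n > 0 && list)
            n = getgroups(n, list);
        if (n < 0 || (n > 0 && !list))
            bad |= BAD_GROUPS;              /* could not read the list */
        for (int i = 0; list && i < n; i++)
            if (list[i] != gid)             /* a group inherited from the old account */
                bad |= BAD_GROUPS;
        free(list);
    }
    if (expect & EXPECT_EMPTY_BOUNDING) {
        /* PR_CAPBSET_READ gives 1 while a capability is still in the bounding
           set and -1 once cap is past the last capability the kernel knows. */
        for (int cap = 0, rc; (rc = prctl(PR_CAPBSET_READ, cap, 0, 0, 0)) >= 0; cap++)
            if (rc == 1)
                bad |= BAD_BOUNDING;
    }
    /* The keep-capabilities flag is only needed during the uid change itself. */
    if (prctl(PR_GET_KEEPCAPS, 0, 0, 0, 0) != 0)
        bad |= BAD_KEEPCAPS;
    return bad;
}
```

Treat any nonzero result the same way as a negative return from capng_change_id(): log it and exit rather than continue with partial permissions.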

Check Out this Related Man Page

Privileges::Drop(3pm)					User Contributed Perl Documentation				     Privileges::Drop(3pm)

NAME
       Privileges::Drop - A module to make it simple to drop all privileges, even POSIX groups.

DESCRIPTION
       This module tries to simplify the process of dropping privileges. This can be useful when your Perl program needs to bind to privileged ports, etc. This module is much like Proc::UID, except that it's implemented in pure Perl. Special care has been taken to also drop the saved uid on platforms that support this; it is currently only tested on Linux.

SYNOPSIS
         use Privileges::Drop;

         # Do privileged stuff

         # Drops privileges and sets euid/uid to 1000 and egid/gid to 1000.
         drop_uidgid(1000, 1000);

         # Drop privileges to user nobody, looking up gid and uid with getpwnam.
         # This also sets the environment variables USER, LOGNAME, HOME and SHELL.
         drop_privileges('nobody');

METHODS
       drop_uidgid($uid, $gid, @groups)
              Drops privileges and sets euid/uid to $uid and egid/gid to $gid. Supplementary groups can be set in @groups.

       drop_privileges($user)
              Drops privileges to the $user, looking up gid and uid with getpwnam and calling drop_uidgid() with these arguments. The environment variables USER, LOGNAME, HOME and SHELL are also set to the values returned by getpwnam. Returns the $uid and $gid on success and dies on error.

              NOTE: If drop_privileges() is called when you don't have root privileges, it will just return undef.

NOTES
       As this module only uses Perl's built-in functions, it relies on them to work correctly. That means setting $GID and $EGID should also call setgroups(), something that might not have been the case before Perl 5.004. So if you are running an older version, Proc::UID might be a better choice.

AUTHOR
       Troels Liebe Bentsen <tlb@rapanden.dk>

COPYRIGHT
       Copyright(C) 2007-2009 Troels Liebe Bentsen

       This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

perl v5.14.2							    2012-03-10					     Privileges::Drop(3pm)