File: priv_wrapper.1.txt

package info (click to toggle)
priv-wrapper 1.0.1-6
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 324 kB
  • sloc: ansic: 847; sh: 11; makefile: 10
file content (100 lines) | stat: -rw-r--r-- 2,534 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
 
priv_wrapper(1)
===============
:revdate: 2022-09-05
:author: Samba Team

NAME
----

priv_wrapper - A library to disable resource limits and other privilege dropping.

SYNOPSIS
--------

LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1 [PRIV_WRAPPER_CHROOT_DISABLE=1] [PRIV_WRAPPER_PRCTL_DISABLE=<options>] [PRIV_WRAPPER_SETRLIMIT_DISABLE=<options>]

DESCRIPTION
-----------

priv_wrapper aims to help running processes which are dropping privileges or are
restricting resources in test environments.
It can disable chroot, prctl, pledge and setrlmit system calls. A disabled call always
succeeds (i.e. returns 0) and does nothing.
The system call pledge exists only on OpenBSD.

ENVIRONMENT VARIABLES
---------------------

*PRIV_WRAPPER*::

This variable activates priv_wrapper when set to '1'.

*PRIV_WRAPPER_DISABLE_DEEPBIND*::

This allows you to disable deep binding in priv_wrapper.
This is useful for running valgrind tools or sanitizers like (address, undefined, thread).

*PRIV_WRAPPER_CHROOT_DISABLE*::

If this is set to '1' then chroot() system call will be disabled.

*PRIV_WRAPPER_PRCTL_DISABLE*::

prctl calls can be disabled using this environment variable. You can either disable all
calls using PRIV_WRAPPER_PRCTL_DISABLE=ALL or special options using e.g.
PRIV_WRAPPER_PRCTL_DISABLE=PR_SET_SECCOMP|PR_SET_NO_NEW_PRIVS

Supported options are:

PR_SET_SECCOMP
PR_SET_NO_NEW_PRIVS
PR_SET_DUMPABLE

*PRIV_WRAPPER_SETRLIMIT_DISABLE*::

Either all resource limits can be disabled using PRIV_WRAPPER_SETRLIMIT_DISABLE=ALL or
you can pick specific resources using e.g:

PRIV_WRAPPER_SETRLIMIT_DISABLE=RLIMIT_STACK|RLIMIT_CORE

Supported options are:

RLIMIT_CPU
RLIMIT_FSIZE
RLIMIT_DATA
RLIMIT_STACK
RLIMIT_CORE
RLIMIT_RSS
RLIMIT_NOFILE
RLIMIT_AS
RLIMIT_NPROC
RLIMIT_MEMLOCK
RLIMIT_LOCKS
RLIMIT_SIGPENDING
RLIMIT_MSGQUEUE
RLIMIT_NICE
RLIMIT_RTPRIO
RLIMIT_RTTIME
RLIMIT_NLIMITS

*PRIV_WRAPPER_PLEDGE_DISABLE*::

If this is set to '1' then pledge() system call will be disabled.

*PRIV_WRAPPER_DEBUGLEVEL*::

If you need to see what is going on in priv_wrapper itself or try to find a
bug, you can enable logging support in priv_wrapper if you built it with
debug symbols.

- 0 = ERROR
- 1 = WARNING
- 2 = DEBUG
- 3 = TRACE

EXAMPLE
-------

LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1 PRIV_WRAPPER_PRCTL_DISABLE="PR_SET_SECCOMP|PR_SET_NO_NEW_PRIVS"

LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1 PRIV_WRAPPER_CHROOT_DISABLE=1 PRIV_WRAPPER_PRCTL_DISABLE=ALL PRIV_WRAPPER_SETRLIMIT_DISABLE="RLIMIT_CPU|RLIMIT_DATA|RLIMIT_NLIMITS"