File: uid_wrapper.1.txt

uid-wrapper 1.2.1+dfsg1-1
uid_wrapper(1)
==============
:revdate: 2015-11-03

NAME
----

uid_wrapper - A wrapper to fake privilege separation

SYNOPSIS
--------

LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 *./myapplication*

DESCRIPTION
-----------

- Allows uid switching as a normal user.
- Start any application making it believe it is running as root.
- Support for user/group changing in the local thread using the syscalls (like glibc).
- More precisely this library intercepts seteuid and related calls, and simulates
  them in a manner similar to the nss_wrapper and socket_wrapper libraries.

Some projects, such as a file server, need privilege separation to be able to
switch to the connection user and do file operations. uid_wrapper convincingly
lies to the application, letting it believe it is operating as root and even
switching between UIDs and GIDs as needed.

ENVIRONMENT VARIABLES
---------------------

*UID_WRAPPER*::

If you load uid_wrapper and enable it by setting UID_WRAPPER=1, all setuid
and setgid calls will work, even as a normal user.

*UID_WRAPPER_ROOT*::

It is possible to start your application as fake root by setting
UID_WRAPPER_ROOT=1.

*UID_WRAPPER_DEBUGLEVEL*::

If you need to see what is going on in uid_wrapper itself or try to find a
bug, you can enable logging support in uid_wrapper if you built it with
debug symbols.

- 0 = ERROR
- 1 = WARNING
- 2 = DEBUG
- 3 = TRACE

*UID_WRAPPER_MYUID*::

This environment variable can be used to tell uid_wrapper to let geteuid()
return the real (instead of the faked) UID of the user who started the process
with uid_wrapper.

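--------------------------------------
#include <stdlib.h>   /* setenv(), unsetenv() */
#include <unistd.h>   /* geteuid() */

uid_t uid;

/* Request the real UID for this one geteuid() call, then restore faking. */
setenv("UID_WRAPPER_MYUID", "1", 1);
uid = geteuid();
unsetenv("UID_WRAPPER_MYUID");
--------------------------------------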

EXAMPLE
-------

  $ LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 id
  uid=0(root) gid=0(root) 0(root)

WORKAROUNDS
-----------

If you need to write code that behaves differently depending on whether
uid_wrapper is enabled or not, for example in cases where you have to check
file permissions, you can predefine the uid_wrapper_enabled() function in your
project as follows:

--------------------------------------
#include <stdbool.h>

/* Default definition: reports that uid_wrapper is not active. */
bool uid_wrapper_enabled(void)
{
    return false;
}
--------------------------------------

Since uid_wrapper overloads this function if enabled, you can use it in your
code to detect uid_wrapper.
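
The following added example (not part of the uid_wrapper sources) combines the UID_WRAPPER_MYUID snippet with the uid_wrapper_enabled() stub in a file ownership and mode check that still compares against the real owner when the effective UID is faked. The helper names real_owner_uid() and check_private_file() are hypothetical, and the example assumes the stub is built so that the preloaded library's definition takes precedence at run time.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stub from WORKAROUNDS; the page says uid_wrapper overloads it when enabled. */
bool uid_wrapper_enabled(void)
{
    return false;
}

/* Hypothetical helper: the UID that really owns files this process creates. */
static uid_t real_owner_uid(void)
{
    uid_t uid;

    if (!uid_wrapper_enabled())
        return geteuid();
    /* Under the wrapper geteuid() is faked, so ask for the real UID. */
    setenv("UID_WRAPPER_MYUID", "1", 1);
    uid = geteuid();
    unsetenv("UID_WRAPPER_MYUID");
    return uid;
}

/* Hypothetical check: 0 if path is a regular file owned by this user with
 * no group/other permission bits, -1 otherwise. */
int check_private_file(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    if (st.st_uid != real_owner_uid())
        return -1;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2)
        return 2;
    puts(check_private_file(argv[1]) == 0 ? "private" : "rejected");
    return 0;
}
```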