UID_WRAPPER(1) UID_WRAPPER(1)

uid_wrapper - A wrapper to fake privilege separation

LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 ./myapplication

· Allows uid switching as a normal user.

· Start any application making it believe it is running as root.

· Support for user/group changing in the local thread using the
  syscalls (like glibc).

· More precisely this library intercepts seteuid and related calls,
  and simulates them in a manner similar to the nss_wrapper and
  socket_wrapper libraries.

Some projects like a file server need privilege separation to be able
to switch to the connection user and do file operations. uid_wrapper
convincingly lies to the application letting it believe it is operating
as root and even switching between UIDs and GIDs as needed.

UID_WRAPPER
    If you load uid_wrapper and enable it by setting UID_WRAPPER=1,
    all setuid and setgid calls will work, even as a normal user.

UID_WRAPPER_ROOT
    It is possible to start your application as fake root by setting
    UID_WRAPPER_ROOT=1.

UID_WRAPPER_DEBUGLEVEL
    If you need to see what is going on in uid_wrapper itself or try to
    find a bug, you can enable logging support in uid_wrapper if you
    built it with debug symbols.

    · 0 = ERROR

    · 1 = WARNING

    · 2 = DEBUG

    · 3 = TRACE

UID_WRAPPER_MYUID
    This environment variable can be used to tell uid_wrapper to let
    geteuid() return the real (instead of the faked) UID of the user
    who started the process with uid_wrapper.

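        #include <stdlib.h>   /* setenv(), unsetenv() */
        #include <unistd.h>   /* geteuid() */

        uid_t uid;

        /* Only the geteuid() call between setenv and unsetenv sees the real UID. */
        setenv("UID_WRAPPER_MYUID", "1", 1);
        uid = geteuid();
        unsetenv("UID_WRAPPER_MYUID");
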
UID_WRAPPER_DISABLE_DEEPBIND
    This allows you to disable deep binding in uid_wrapper. This is
    useful for running valgrind tools or sanitizers (address,
    undefined, thread).

$ LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 id
uid=0(root) gid=0(root) 0(root)

If you need to write code that behaves differently depending on whether
uid_wrapper is enabled or not, for example in cases where you have to
check file permissions, you can predefine the uid_wrapper_enabled() function
in your project as follows:

    #include <stdbool.h>

    bool uid_wrapper_enabled(void)
    {
        return false;
    }

Since uid_wrapper overrides this function if enabled, you can use it in
your code to detect uid_wrapper.
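
Added example (not part of the uid_wrapper manual or the project's code): a file ownership check that stays meaningful under a faked identity by asking for the real UID through UID_WRAPPER_MYUID, as described under that variable above. The helper names real_euid, euid_is_faked and check_private_file are hypothetical, and the code assumes the wrapper fakes only the identity calls, so ownership recorded on disk still names the real user.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Real effective UID via the UID_WRAPPER_MYUID switch. Without uid_wrapper
 * preloaded the variable is ignored and this is plain geteuid().
 * setenv() is not thread-safe: call this during single-threaded setup. */
uid_t real_euid(void)
{
    const char *old = getenv("UID_WRAPPER_MYUID");
    char *saved = old ? strdup(old) : NULL;   /* keep the caller's setting */
    uid_t uid;

    setenv("UID_WRAPPER_MYUID", "1", 1);
    uid = geteuid();
    if (saved != NULL) {
        setenv("UID_WRAPPER_MYUID", saved, 1);
        free(saved);
    } else {
        unsetenv("UID_WRAPPER_MYUID");
    }
    return uid;
}

/* True when the UID the process sees differs from the real one. It cannot
 * tell the two apart if the real user already has the UID being faked. */
bool euid_is_faked(void)
{
    uid_t apparent = geteuid();
    return apparent != real_euid();
}

/* Returns 0 if path is a regular file (not a symlink) owned by the real
 * user and not writable by group or others, -1 otherwise. */
int check_private_file(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    if (st.st_uid != real_euid())          /* compare against real, not faked */
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? -1 : 0;
}
```

Comparing st_uid against plain geteuid() would reject the user's own files when UID_WRAPPER_ROOT=1 is set, which is the kind of permission check the workaround section is about.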

2015-11-03 UID_WRAPPER(1)