PRIV_WRAPPER(1)                                                PRIV_WRAPPER(1)

NAME

       priv_wrapper - A library to disable resource limits and other
       privilege dropping.

SYNOPSIS

       LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1
       [PRIV_WRAPPER_CHROOT_DISABLE=1] [PRIV_WRAPPER_PRCTL_DISABLE=<options>]
       [PRIV_WRAPPER_SETRLIMIT_DISABLE=<options>]

DESCRIPTION

       priv_wrapper aims to help run processes that drop privileges or
       restrict resources in test environments. It can disable the chroot,
       prctl, pledge and setrlimit system calls. A disabled call always
       succeeds (i.e. returns 0) and does nothing. The system call pledge
       exists only on OpenBSD.

ENVIRONMENT VARIABLES

       PRIV_WRAPPER
           This variable activates priv_wrapper when set to 1.

       PRIV_WRAPPER_DISABLE_DEEPBIND
           This allows you to disable deep binding in priv_wrapper. This is
           useful for running valgrind tools or sanitizers (address,
           undefined, thread).

       PRIV_WRAPPER_CHROOT_DISABLE
           If this is set to 1 then the chroot() system call will be disabled.

       PRIV_WRAPPER_PRCTL_DISABLE
           prctl calls can be disabled using this environment variable. You
           can either disable all calls using PRIV_WRAPPER_PRCTL_DISABLE=ALL
           or specific options using e.g.
           PRIV_WRAPPER_PRCTL_DISABLE=PR_SET_SECCOMP|PR_SET_NO_NEW_PRIVS

           Supported options are:

           PR_SET_SECCOMP PR_SET_NO_NEW_PRIVS PR_SET_DUMPABLE

       PRIV_WRAPPER_SETRLIMIT_DISABLE
           Either all resource limits can be disabled using
           PRIV_WRAPPER_SETRLIMIT_DISABLE=ALL or you can pick specific
           resources using e.g.
           PRIV_WRAPPER_SETRLIMIT_DISABLE=RLIMIT_STACK|RLIMIT_CORE

           Supported options are:

           RLIMIT_CPU RLIMIT_FSIZE RLIMIT_DATA RLIMIT_STACK RLIMIT_CORE RLIMIT_RSS
           RLIMIT_NOFILE RLIMIT_AS RLIMIT_NPROC RLIMIT_MEMLOCK RLIMIT_LOCKS
           RLIMIT_SIGPENDING RLIMIT_MSGQUEUE RLIMIT_NICE RLIMIT_RTPRIO
           RLIMIT_RTTIME RLIMIT_NLIMITS

       PRIV_WRAPPER_PLEDGE_DISABLE
           If this is set to 1 then the pledge() system call will be disabled.

       PRIV_WRAPPER_DEBUGLEVEL
           If you need to see what is going on in priv_wrapper itself or try
           to find a bug, you can enable logging support in priv_wrapper if
           you built it with debug symbols.

           •   0 = ERROR
           •   1 = WARNING
           •   2 = DEBUG
           •   3 = TRACE

EXAMPLE

       LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1
       PRIV_WRAPPER_PRCTL_DISABLE="PR_SET_SECCOMP|PR_SET_NO_NEW_PRIVS"

       LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1
       PRIV_WRAPPER_CHROOT_DISABLE=1 PRIV_WRAPPER_PRCTL_DISABLE=ALL
       PRIV_WRAPPER_SETRLIMIT_DISABLE="RLIMIT_CPU|RLIMIT_DATA|RLIMIT_NLIMITS"
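
       Because a disabled call returns 0 and does nothing, a program that
       checks only the return value cannot tell that its privilege drop was
       skipped. The C program below is an added example, not part of
       priv_wrapper or this manual page; it reads the state back after each
       call and assumes that getrlimit() and PR_GET_NO_NEW_PRIVS are not
       interposed by the preloaded library.

```c
/* Added example: confirm a privilege drop by reading the state back.
 * Assumption: getrlimit() and PR_GET_NO_NEW_PRIVS are not interposed. */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>

enum drop_status { DROP_OK = 0, DROP_FAILED = 1, DROP_NOT_APPLIED = 2 };

/* Lower the soft core-dump limit to 0, then read it back. */
enum drop_status drop_core_limit(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return DROP_FAILED;
    rl.rlim_cur = 0;                 /* hard limit stays unchanged */
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return DROP_FAILED;          /* the call itself reported an error */
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return DROP_FAILED;
    /* A swallowed setrlimit() returns 0 but leaves the old limit in place. */
    return rl.rlim_cur == 0 ? DROP_OK : DROP_NOT_APPLIED;
}

/* Set no_new_privs, then ask the kernel whether the bit is really set. */
enum drop_status drop_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return DROP_FAILED;
    if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1)
        return DROP_NOT_APPLIED;
    return DROP_OK;
}

static const char *status_name(enum drop_status s)
{
    return s == DROP_OK ? "applied" :
           s == DROP_FAILED ? "call failed" : "returned 0 but not applied";
}

int main(void)
{
    enum drop_status core = drop_core_limit();
    enum drop_status nnp = drop_new_privs();

    printf("RLIMIT_CORE soft limit: %s\n", status_name(core));
    printf("no_new_privs:           %s\n", status_name(nnp));
    return (core == DROP_OK && nnp == DROP_OK) ? 0 : 1;
}
```

       The check is on the resulting state, so a setting that was already at
       its target value before the call is reported as applied.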

AUTHOR

       Samba Team

                                  2022-09-14                   PRIV_WRAPPER(1)