Ubuntu Manpage: uid_wrapper - A wrapper to fake privilege separation

Provided by: libuid-wrapper_1.2.4+dfsg1-1_amd64

NAME

       uid_wrapper - A wrapper to fake privilege separation

SYNOPSIS

       LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 ./myapplication

DESCRIPTION

       •   Allows uid switching as a normal user.

       •   Start any application making it believe it is running as root.

       •   Support for user/group changing in the local thread using the syscalls (like glibc).

       •   More precisely this library intercepts seteuid and related calls, and simulates them in a manner
           similar to the nss_wrapper and socket_wrapper libraries.

       Some projects like a file server need privilege separation to be able to switch to the connection user
       and do file operations. uid_wrapper convincingly lies to the application letting it believe it is
       operating as root and even switching between UIDs and GIDs as needed.

ENVIRONMENT VARIABLES

       UID_WRAPPER
           If you load the uid_wrapper and enable it with setting UID_WRAPPER=1 all setuid and setgid will work,
           even as a normal user.

       UID_WRAPPER_ROOT
           It is possible to start your application as fake root with setting UID_WRAPPER_ROOT=1.

       UID_WRAPPER_DEBUGLEVEL
           If you need to see what is going on in uid_wrapper itself or try to find a bug, you can enable
           logging support in uid_wrapper if you built it with debug symbols.

           •   0 = ERROR

           •   1 = WARNING

           •   2 = DEBUG

           •   3 = TRACE

       UID_WRAPPER_MYUID
           This environment variable can be used to tell uid_wrapper to let geteuid() return the real (instead
           of the faked) UID of the user who started the process with uid_wrapper.

           uid_t uid;

           setenv("UID_WRAPPER_MYUID", "1", 1);
           uid = geteuid();
           unsetenv("UID_WRAPPER_MYUID");

EXAMPLE

           $ LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 id
           uid=0(root) gid=0(root) 0(root)

WORKAROUNDS

       If you need to write code that behaves differently depending on whether uid_wrapper is enabled or not,
       for example in cases where you have to file permissions, you can predefine the uid_wrapper_enabled()
       function in your project as follows:

           bool uid_wrapper_enabled(void)
           {
               return false;
           }

       Since uid_wrapper overloads this function if enabled, you can use it in your code to detect uid_wrapper.

                                                   2015-11-03                                     UID_WRAPPER(1)