Ubuntu Manpage: uid_wrapper - A wrapper to fake privilege separation

Provided by: libuid-wrapper_1.3.0-3_amd64

NAME

       uid_wrapper - A wrapper to fake privilege separation

SYNOPSIS

       LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 ./myapplication

DESCRIPTION

       •   Allows uid switching as a normal user.

       •   Start any application making it believe it is running as root.

       •   Support for user/group changing in the local thread using the syscalls (like glibc).

       •   More precisely this library intercepts seteuid and related calls, and simulates them
           in a manner similar to the nss_wrapper and socket_wrapper libraries.

       Some projects like a file server need privilege separation to be able to switch to the
       connection user and do file operations. uid_wrapper convincingly lies to the application
       letting it believe it is operating as root and even switching between UIDs and GIDs as
       needed.

ENVIRONMENT VARIABLES

       UID_WRAPPER
           If you load the uid_wrapper and enable it with setting UID_WRAPPER=1 all setuid and
           setgid will work, even as a normal user.

       UID_WRAPPER_ROOT
           It is possible to start your application as fake root with setting UID_WRAPPER_ROOT=1.

       UID_WRAPPER_DEBUGLEVEL
           If you need to see what is going on in uid_wrapper itself or try to find a bug, you
           can enable logging support in uid_wrapper if you built it with debug symbols.

           •   0 = ERROR

           •   1 = WARNING

           •   2 = DEBUG

           •   3 = TRACE

       UID_WRAPPER_MYUID
           This environment variable can be used to tell uid_wrapper to let geteuid() return the
           real (instead of the faked) UID of the user who started the process with uid_wrapper.

           uid_t uid;

           setenv("UID_WRAPPER_MYUID", "1", 1);
           uid = geteuid();
           unsetenv("UID_WRAPPER_MYUID");

       UID_WRAPPER_DISABLE_DEEPBIND
           This allows you to disable deep binding in uid_wrapper. This is useful for running
           valgrind tools or sanitizers like (address, undefined, thread).

EXAMPLE

           $ LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 id
           uid=0(root) gid=0(root) 0(root)

WORKAROUNDS

       If you need to write code that behaves differently depending on whether uid_wrapper is
       enabled or not, for example in cases where you have to file permissions, you can predefine
       the uid_wrapper_enabled() function in your project as follows:

           bool uid_wrapper_enabled(void)
           {
               return false;
           }

       Since uid_wrapper overloads this function if enabled, you can use it in your code to
       detect uid_wrapper.

                                            2015-11-03                             UID_WRAPPER(1)