Ubuntu Manpage: priv_wrapper - A library to disable resource limits and other privilege dropping.

Provided by: libpriv-wrapper_1.0.1-4_amd64

NAME

       priv_wrapper - A library to disable resource limits and other privilege dropping.

SYNOPSIS

       LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1 [PRIV_WRAPPER_CHROOT_DISABLE=1]
       [PRIV_WRAPPER_PRCTL_DISABLE=<options>] [PRIV_WRAPPER_SETRLIMIT_DISABLE=<options>]

DESCRIPTION

       priv_wrapper aims to help running processes which are dropping privileges or are restricting resources in
       test environments. It can disable chroot, prctl, pledge and setrlmit system calls. A disabled call always
       succeeds (i.e. returns 0) and does nothing. The system call pledge exists only on OpenBSD.

ENVIRONMENT VARIABLES

       PRIV_WRAPPER
           This variable activates priv_wrapper when set to 1.

       PRIV_WRAPPER_DISABLE_DEEPBIND
           This allows you to disable deep binding in priv_wrapper. This is useful for running valgrind tools or
           sanitizers like (address, undefined, thread).

       PRIV_WRAPPER_CHROOT_DISABLE
           If this is set to 1 then chroot() system call will be disabled.

       PRIV_WRAPPER_PRCTL_DISABLE
           prctl calls can be disabled using this environment variable. You can either disable all calls using
           PRIV_WRAPPER_PRCTL_DISABLE=ALL or special options using e.g.
           PRIV_WRAPPER_PRCTL_DISABLE=PR_SET_SECCOMP|PR_SET_NO_NEW_PRIVS

       Supported options are:

       PR_SET_SECCOMP PR_SET_NO_NEW_PRIVS PR_SET_DUMPABLE

       PRIV_WRAPPER_SETRLIMIT_DISABLE
           Either all resource limits can be disabled using PRIV_WRAPPER_SETRLIMIT_DISABLE=ALL or you can pick
           specific resources using e.g:

       PRIV_WRAPPER_SETRLIMIT_DISABLE=RLIMIT_STACK|RLIMIT_CORE

       Supported options are:

       RLIMIT_CPU RLIMIT_FSIZE RLIMIT_DATA RLIMIT_STACK RLIMIT_CORE RLIMIT_RSS RLIMIT_NOFILE RLIMIT_AS
       RLIMIT_NPROC RLIMIT_MEMLOCK RLIMIT_LOCKS RLIMIT_SIGPENDING RLIMIT_MSGQUEUE RLIMIT_NICE RLIMIT_RTPRIO
       RLIMIT_RTTIME RLIMIT_NLIMITS

       PRIV_WRAPPER_PLEDGE_DISABLE
           If this is set to 1 then pledge() system call will be disabled.

       PRIV_WRAPPER_DEBUGLEVEL
           If you need to see what is going on in priv_wrapper itself or try to find a bug, you can enable
           logging support in priv_wrapper if you built it with debug symbols.

           •   0 = ERROR

           •   1 = WARNING

           •   2 = DEBUG

           •   3 = TRACE

EXAMPLE

       LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1
       PRIV_WRAPPER_PRCTL_DISABLE="PR_SET_SECCOMP|PR_SET_NO_NEW_PRIVS"

       LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1 PRIV_WRAPPER_CHROOT_DISABLE=1 PRIV_WRAPPER_PRCTL_DISABLE=ALL
       PRIV_WRAPPER_SETRLIMIT_DISABLE="RLIMIT_CPU|RLIMIT_DATA|RLIMIT_NLIMITS"

AUTHOR

       Samba Team

                                                   2024-11-06                                    PRIV_WRAPPER(1)