UID_WRAPPER(1)

NAME¶

uid_wrapper - A wrapper to fake privilege separation

SYNOPSIS¶

LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 ./myapplication

DESCRIPTION¶

•Allows uid switching as a normal user.

•Start any application making it believe it is running as root.

•Support for user/group changing in the local thread using the syscalls (like glibc).

•More precisely this library intercepts seteuid and related calls, and simulates them in a manner similar to the nss_wrapper and socket_wrapper libraries.

Some projects like a file server need privilege separation to be able to switch to the connection user and do file operations. uid_wrapper convincingly lies to the application letting it believe it is operating as root and even switching between UIDs and GIDs as needed.

ENVIRONMENT VARIABLES¶

UID_WRAPPER

If you load the uid_wrapper and enable it with setting UID_WRAPPER=1 all setuid and setgid will work, even as a normal user.

UID_WRAPPER_ROOT

It is possible to start your application as fake root with setting UID_WRAPPER_ROOT=1.

UID_WRAPPER_DEBUGLEVEL

If you need to see what is going on in uid_wrapper itself or try to find a bug, you can enable logging support in uid_wrapper if you built it with debug symbols.

•0 = ERROR

•1 = WARNING

•2 = DEBUG

•3 = TRACE

UID_WRAPPER_MYUID

This environment variable can be used to tell uid_wrapper to let geteuid() return the real (instead of the faked) UID of the user who started the process with uid_wrapper.

uid_t uid;
setenv("UID_WRAPPER_MYUID", "1", 1);
uid = geteuid();
unsetenv("UID_WRAPPER_MYUID");

UID_WRAPPER_DISABLE_DEEPBIND

This allows you to disable deep binding in uid_wrapper. This is useful for running valgrind tools or sanitizers like (address, undefined, thread).

EXAMPLE¶

$ LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 id
uid=0(root) gid=0(root) 0(root)

WORKAROUNDS¶

If you need to write code that behaves differently depending on whether uid_wrapper is enabled or not, for example in cases where you have to file permissions, you can predefine the uid_wrapper_enabled() function in your project as follows:

bool uid_wrapper_enabled(void)
{


    return false;
}

Since uid_wrapper overloads this function if enabled, you can use it in your code to detect uid_wrapper.

2015-11-03

Source file:	uid_wrapper.1.en.gz (from libuid-wrapper 1.3.0-4+b1)
Source last updated:	2024-02-10T04:11:04Z
Converted to HTML:	2024-02-10T22:32:18Z