[SCM] UID Wrapper Repository - branch master updated

Mon Jul 14 09:02:10 MDT 2014

The branch, master has been updated
       via  6e1a69f doc: Add a manpage for uid_wrapper.
      from  80932d7 uwrap: Add logging if uwrap is enabled correctly.

http://gitweb.samba.org/?p=uid_wrapper.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6e1a69f52c1a5de968f0bc38af71ee99c1297021
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jul 10 17:09:50 2014 +0200

    doc: Add a manpage for uid_wrapper.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 CMakeLists.txt        |    2 +
 README                |   46 +++++----------
 doc/CMakeLists.txt    |    4 +
 doc/README            |    3 +
 doc/uid_wrapper.1     |  153 +++++++++++++++++++++++++++++++++++++++++++++++++
 doc/uid_wrapper.1.txt |   56 ++++++++++++++++++
 6 files changed, 232 insertions(+), 32 deletions(-)
 create mode 100644 doc/CMakeLists.txt
 create mode 100644 doc/README
 create mode 100644 doc/uid_wrapper.1
 create mode 100644 doc/uid_wrapper.1.txt


Changeset truncated at 500 lines:

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 80fcaf1..af76cb8 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -81,3 +81,5 @@ install(
     COMPONENT
         devel
 )
+
+add_subdirectory(doc)
diff --git a/README b/README
index 6f19b38..764fd36 100644
--- a/README
+++ b/README
@@ -1,42 +1,24 @@
-UID wrapper library
-====================
+UID_WRAPPER
+===========
 
-Privilege separation - Some projects like a file server need privilege
-separation to be able to switch to the connnection user and do file operations.
-uid_wrapper convincingly lies to the application letting it believe it is
-operating as root and even switching betwen uids and gids as needed.
+This is a wrapper for the user, group and hosts NSS API.
 
-More precise this library intercepts seteuid and related calls, and simulates
-them in a manner similar to the nss_wrapper and socket_wrapper libraries.
+DESCRIPTION
+-----------
 
-This allows you to do user switching when testing e.g. file servers.
+More details can be found in the manpage:
 
-To use it set the following environment variables:
+  man -l ./doc/uid_wrapper.1
 
-LD_PRELOAD=libuid_wrapper.so
-UID_WRAPPER=1
+or the raw text version:
 
-If you unset the variable or set it to 0 you can disable uwrap even if it is
-loaded. If you need the application to think it is root at startup you can set:
+  less ./doc/uid_wrapper.1.txt
 
-UID_WRAPPER_ROOT=1
+For installation instructions please take a look at the README.install file.
 
-If you set the environment variable to UID_WRAPPER_MYUID=1 before you call
-geteuid() then it will return the real uid.
+MAILINGLIST
+-----------
 
-To find out if uid_wrapper is enabled, we suggest to implment the following
-function in a library your application loads:
+As the mailing list samba-technical is used and can be found here:
 
-int uid_wrapper_enabled(void)
-{
-    return 0;
-}
-
-Then you can use:
-
-if (uid_wrapper_enabled()) {
-    /* special uid_wrapper handling code */
-}
-
-uid_wrapper implements this funciton too and it will be loaded before your
-library gets loaded.
+https://lists.samba.org/mailman/listinfo/samba-technical
diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
new file mode 100644
index 0000000..7ce0e22
--- /dev/null
+++ b/doc/CMakeLists.txt
@@ -0,0 +1,4 @@
+install(FILES
+            uid_wrapper.1
+        DESTINATION
+            ${MAN_INSTALL_DIR}/man1)
diff --git a/doc/README b/doc/README
new file mode 100644
index 0000000..c97ae11
--- /dev/null
+++ b/doc/README
@@ -0,0 +1,3 @@
+The manpage is written with asciidoc. To generate the manpage use:
+
+a2x --doctype manpage --format manpage doc/uid_wrapper.1.txt
diff --git a/doc/uid_wrapper.1 b/doc/uid_wrapper.1
new file mode 100644
index 0000000..f6ff0df
--- /dev/null
+++ b/doc/uid_wrapper.1
@@ -0,0 +1,153 @@
+'\" t
+.\"     Title: uid_wrapper
+.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 07/11/2014
+.\"    Manual: \ \&
+.\"    Source: \ \&
+.\"  Language: English
+.\"
+.TH "UID_WRAPPER" "1" "07/11/2014" "\ \&" "\ \&"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+uid_wrapper \- A wrapper to fake privilege separation
+.SH "SYNOPSIS"
+.sp
+LD_PRELOAD=libuid_wrapper\&.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 \fB\&./myapplication\fR
+.SH "DESCRIPTION"
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Allows uid switching as a normal user\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Start any application making it believe it is running as root\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Support for user/group changing in the local thread using the syscalls (like glibc)\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+More precisely this library intercepts seteuid and related calls, and simulates them in a manner similar to the nss_wrapper and socket_wrapper libraries\&.
+.RE
+.sp
+Some projects like a file server need privilege separation to be able to switch to the connection user and do file operations\&. uid_wrapper convincingly lies to the application letting it believe it is operating as root and even switching between UIDs and GIDs as needed\&.
+.SH "ENVIRONMENT VARIABLES"
+.PP
+\fBUID_WRAPPER\fR
+.RS 4
+If you load the uid_wrapper and enable it with setting UID_WRAPPER=1 all setuid and setgid will work, even as a normal user\&.
+.RE
+.PP
+\fBUID_WRAPPER_ROOT\fR
+.RS 4
+It is possible to start your application as fake root with setting UID_WRAPPER_ROOT=1\&.
+.RE
+.PP
+\fBUID_WRAPPER_DEBUGLEVEL\fR
+.RS 4
+If you need to see what is going on in uid_wrapper itself or try to find a bug, you can enable logging support in uid_wrapper if you built it with debug symbols\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+0 = ERROR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+1 = WARNING
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+2 = DEBUG
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+3 = TRACE
+.RE
+.RE
+.SH "EXAMPLE"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+$ LD_PRELOAD=libuid_wrapper\&.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 id
+uid=0(root) gid=0(root) groups=100(users),0(root)
+.fi
+.if n \{\
+.RE
+.\}
diff --git a/doc/uid_wrapper.1.txt b/doc/uid_wrapper.1.txt
new file mode 100644
index 0000000..51cdb73
--- /dev/null
+++ b/doc/uid_wrapper.1.txt
@@ -0,0 +1,56 @@
+uid_wrapper(1)
+==============
+
+NAME
+----
+
+uid_wrapper - A wrapper to fake privilege separation
+
+SYNOPSIS
+--------
+
+LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 *./myapplication*
+
+DESCRIPTION
+-----------
+
+- Allows uid switching as a normal user.
+- Start any application making it believe it is running as root.
+- Support for user/group changing in the local thread using the syscalls (like glibc).
+- More precisely this library intercepts seteuid and related calls, and simulates
+  them in a manner similar to the nss_wrapper and socket_wrapper libraries.
+
+Some projects like a file server need privilege separation to be able to switch
+to the connection user and do file operations. uid_wrapper convincingly lies to
+the application letting it believe it is operating as root and even switching
+between UIDs and GIDs as needed.
+
+ENVIRONMENT VARIABLES
+---------------------
+
+*UID_WRAPPER*::
+
+If you load the uid_wrapper and enable it with setting UID_WRAPPER=1 all setuid
+and setgid will work, even as a normal user.
+
+*UID_WRAPPER_ROOT*::
+
+It is possible to start your application as fake root with setting
+UID_WRAPPER_ROOT=1.
+
+*UID_WRAPPER_DEBUGLEVEL*::
+
+If you need to see what is going on in uid_wrapper itself or try to find a
+bug, you can enable logging support in uid_wrapper if you built it with
+debug symbols.
+
+- 0 = ERROR
+- 1 = WARNING
+- 2 = DEBUG
+- 3 = TRACE
+
+EXAMPLE
+-------
+
+  $ LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 id
+  uid=0(root) gid=0(root) groups=100(users),0(root)


-- 
UID Wrapper Repository
