diff --git a/execwrap.8 b/execwrap.8 new file mode 100644 index 0000000..9ce5297 --- /dev/null +++ b/execwrap.8 
@@ -0,0 +1,51 @@ +.\" Hey, EMACS: -*- nroff -*- +.\" First parameter, NAME, should be all caps +.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection +.\" other parameters are allowed: see man(7), man(1) +.TH EXECWRAP 8 "July 8, 2008" +.\" Please adjust this date whenever revising the manpage. +.\" +.\" Some roff macros, for reference: +.\" .nh disable hyphenation +.\" .hy enable hyphenation +.\" .ad l left justify +.\" .ad b justify to both left and right margins +.\" .nf disable filling +.\" .fi enable filling +.\" .br insert line break +.\" .sp insert n+1 empty lines +.\" for manpage-specific macros, see man(7) +.SH NAME +execwrap \- a super-user exec wrapper +.SH ENVIRONMENT +.IP UID +The UID to switch to. Only numerical values are accepted currently. +.IP GID +The GID to switch to. Only numerical values are accepted currently. +.IP TARGET +The target program to start. For security, it must be absolute and +must not contain any ~ characters or ".." sub-strings. Of course the +compiled-in prefix must also be a prefix of it. +.IP CHECK_GID +If set (to anything, even the empty string), the security checks will +be slightly relaxed to allow targets owned by the target GID but not +necessarily by the target UID, as well as allowing the target to be +group-writable if owned by the target GID. Useful for projects where +several people collaborate so file ownership can vary. +.IP NON_RESIDENT +If set (to anything), the wrapper will drop privileges and become the +target process directly, instead of the default behaviour where it +forks off before becoming the target, allowing SIGTERM to propagate +from the caller of the wrapper, to the target. It is not recommended +to set this, as it will make it impossible for the caller (usually a +web-server) to terminate the target process, and thus prevents it +from effectively managing it. 
+.IP DEBUG +If set (to anything), execwrap will log some debug messages to +syslog (USE_SYSLOG needs to be enabled at compile time, which is +the default). +.SH AUTHOR +execwrap was written by Sune Foldager. +.PP +This manual page was written by Stefan B\"uhler , +for the Debian project (but may be used by others).
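Review bot: In the AUTHOR section, `B\"uhler` will not render as intended, because `\"` starts a roff comment and everything after "Stefan B" on that line is dropped, including the trailing comma. Use the groff character escape instead, for example `B\(:uhler`. Separately, the page goes straight from NAME to ENVIRONMENT, with no SYNOPSIS or DESCRIPTION. For a super-user wrapper, the reader needs to know how it is invoked and what the "compiled-in prefix" mentioned under TARGET is, since that prefix is part of the security check described there. The NON_RESIDENT entry would also read better if it stated the default first (fork, so SIGTERM from the caller reaches the target) and then what setting the variable changes. The leftover template comments at the top ("First parameter, NAME, should be all caps", the macro reference list) can be removed.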