stbuehler/execwrap
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Manpage

Browse Source
This commit is contained in:
Stefan Bühler 2009-10-23 10:34:43 +02:00
parent a65ce431b9
commit 2daef420a2
1 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
execwrap.8 Normal file
View File

@ -0,0 +1,51 @@
.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH EXECWRAP 8 "July 8, 2008"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp <n> insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
execwrap \- a super-user exec wrapper
.SH ENVIRONMENT
.IP UID
The UID to switch to. Only numerical values are accepted currently.
.IP GID
The GID to switch to. Only numerical values are accepted currently.
.IP TARGET
The target program to start. For security, it must be absolute and
must not contain any ~ characters or ".." sub-strings. Of course the
compiled-in prefix must also be a prefix of it.
.IP CHECK_GID
If set (to anything, even the empty string), the security checks will
be slightly relaxed to allow targets owned by the target GID but not
necessarily by the target UID, as well as allowing the target to be
group-writable if owned by the target GID. Useful for projects where
several people collaborate so file ownership can vary.
.IP NON_RESIDENT
If set (to anything), the wrapper will drop privileges and become the
target process directly, instead of the default behaviour where it
forks off before becoming the target, allowing SIGTERM to propagate
from the caller of the wrapper, to the target. It is not recommended
to set this, as it will make it impossible for the caller (usually a
web-server) to terminate the target process, and thus prevents it
from effectively managing it.
.IP DEBUG
If set (to anything), execwrap will log some debug messages to
syslog (USE_SYSLOG needs to be enabled at compile time, which is
the default).
.SH AUTHOR
execwrap was written by Sune Foldager.
.PP
This manual page was written by Stefan B\"uhler <stbuehler@web.de>,
for the Debian project (but may be used by others).