.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH EXECWRAP 8 "July 8, 2008"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp <n> insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
execwrap \- a super-user exec wrapper
.SH ENVIRONMENT
.IP UID
The UID to switch to. Only numerical values are accepted currently.
.IP GID
The GID to switch to. Only numerical values are accepted currently.
.IP TARGET
The target program to start. For security, it must be absolute and
must not contain any ~ characters or ".." sub-strings. Of course the
compiled-in prefix must also be a prefix of it.
.IP CHECK_GID
If set (to anything, even the empty string), the security checks will
be slightly relaxed to allow targets owned by the target GID but not
necessarily by the target UID, as well as allowing the target to be
group-writable if owned by the target GID. Useful for projects where
several people collaborate so file ownership can vary.
.IP NON_RESIDENT
If set (to anything), the wrapper will drop privileges and become the
target process directly, instead of the default behaviour where it
forks off before becoming the target, allowing SIGTERM to propagate
from the caller of the wrapper, to the target. It is not recommended
to set this, as it will make it impossible for the caller (usually a
web-server) to terminate the target process, and thus prevents it
from effectively managing it.
.IP DEBUG
If set (to anything), execwrap will log some debug messages to
syslog (USE_SYSLOG needs to be enabled at compile time, which is
the default).
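.PP
The UID/GID and TARGET rules above, written out as a standalone C check.
This is an added example, not execwrap's own source: TARGET_PREFIX,
parse_id and target_ok are hypothetical names, and the path-component
boundary test on the prefix is an added assumption beyond what this page states.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the compiled-in prefix (no trailing slash). */
#define TARGET_PREFIX "/var/www"

/* Parse a strictly numerical UID/GID: digits only, no sign, no spaces,
   no trailing text, and below (uid_t)-1. Returns 0 on success, -1 on reject. */
int parse_id(const char *s, unsigned long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    *out = strtoul(s, &end, 10);
    if (errno != 0 || *end != 0 || *out > 0xFFFFFFFEUL)
        return -1;
    return 0;
}

/* Returns 1 if t passes the TARGET rules from the man page, otherwise 0. */
int target_ok(const char *t)
{
    size_t plen = strlen(TARGET_PREFIX);
    if (t == NULL || t[0] != '/')
        return 0;                       /* must be absolute */
    if (strchr(t, '~') != NULL || strstr(t, "..") != NULL)
        return 0;                       /* no ~ characters, no ".." sub-strings */
    if (strncmp(t, TARGET_PREFIX, plen) != 0)
        return 0;                       /* compiled-in prefix must be a prefix */
    /* Added assumption: the prefix must end on a component boundary, so a
       sibling directory such as /var/www-other does not pass a plain
       string-prefix comparison. Also requires something after the slash. */
    return t[plen] == '/' && t[plen + 1] != 0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real deployment. */
    const char *samples[] = { "/var/www/app/run.fcgi", "/var/www-other/run.fcgi",
                              "/var/www/../bin/sh", "run.fcgi" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%s: ", samples[i]);
        puts(target_ok(samples[i]) ? "accept" : "reject");
    }
    return 0;
}
```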
.SH AUTHOR
|
|
execwrap was written by Sune Foldager.
|
|
.PP
|
|
This manual page was written by Stefan B\"uhler <stbuehler@web.de>,
|
|
for the Debian project (but may be used by others).
|