-rw-r--r-- execwrap.8 51
1 files changed, 51 insertions, 0 deletions
diff --git a/execwrap.8 b/execwrap.8
new file mode 100644
index 0000000..9ce5297
--- a/dev/null
+++ b/execwrap.8
@@ -0,0 +1,51 @@
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH EXECWRAP 8 "July 8, 2008"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+execwrap \- a super-user exec wrapper
+.SH ENVIRONMENT
+.IP UID
+The UID to switch to. Only numerical values are accepted currently.
+.IP GID
+The GID to switch to. Only numerical values are accepted currently.
+.IP TARGET
+The target program to start. For security, it must be absolute and
+must not contain any ~ characters or ".." sub-strings. Of course the
+compiled-in prefix must also be a prefix of it.
+.IP CHECK_GID
+If set (to anything, even the empty string), the security checks will
+be slightly relaxed to allow targets owned by the target GID but not
+necessarily by the target UID, as well as allowing the target to be
+group-writable if owned by the target GID. Useful for projects where
+several people collaborate so file ownership can vary.
+.IP NON_RESIDENT
+If set (to anything), the wrapper will drop privileges and become the
+target process directly, instead of the default behaviour where it
+forks off before becoming the target, allowing SIGTERM to propagate
+from the caller of the wrapper, to the target. It is not recommended
+to set this, as it will make it impossible for the caller (usually a
+web-server) to terminate the target process, and thus prevents it
+from effectively managing it.
+.IP DEBUG
+If set (to anything), execwrap will log some debug messages to
+syslog (USE_SYSLOG needs to be enabled at compile time, which is
+the default).
+.SH AUTHOR
+execwrap was written by Sune Foldager.
+.PP
+This manual page was written by Stefan B\"uhler <stbuehler@web.de>,
+for the Debian project (but may be used by others).
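Review bot: In the AUTHOR section, the `\"` in `Stefan B\"uhler <stbuehler@web.de>,` is the roff comment escape (the same one the header lines use as `.\"`), so everything after "Stefan B" on that line, including the e-mail address, is dropped from the rendered page; use the groff special character instead, e.g. `B\(:uhler`. Separately, the page goes from NAME straight to ENVIRONMENT with no SYNOPSIS or DESCRIPTION, and the security-relevant defaults are only implied: CHECK_GID says the checks are "slightly relaxed" but the baseline ownership and writability checks are never stated, and TARGET refers to "the compiled-in prefix" without saying what it is or where an administrator can find it. A short DESCRIPTION listing the default checks and naming the prefix setting would let an administrator judge what setting CHECK_GID actually gives up. The NON_RESIDENT sentence would also read more clearly if split, since "allowing SIGTERM to propagate" currently could attach to either the forking default or the non-resident mode.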