CHange Runtime User ID

Version 0.5 is out -- Now with jail() support on FreeBSD!

Synopsis

chruid -u <UID> -g <GID> -c <PATH> -x <BIN> -o <OPTION1> -o <OPTION2> -o <OPTIONN> -p -j -n <HOSTNAME> -i <IP>

Description

chruid is a small but flexible replacement for a chroot + su combo. I wrote it because I needed to chroot processes and have them run under a non-privileged uid/gid without having to install su (which would include pam, nss, ... overhead on some systems) in the chroot. All given parameters are optional; if one is omitted, the default is used. Defaults are shown when displaying the help using '-h'.

Options

-u <UID>
specifies the UID the program should be run under

-g <GID>
specifies the GID the program should be run under

-c <PATH>
specifies the PATH we shall chroot() to _before_ running BIN

-x <BIN>
specifies the BIN we shall execute

-o <OPTION>
option(s) which should be passed to BIN when executing; '-o <OPTION>' can be specified as often as needed

-p
if this parameter is given, chruid keeps the current environment intact; otherwise it creates a new, empty one with standard variables

-j
if this parameter is given on a FreeBSD host, chruid uses jail() (if support is compiled into the binary) to chroot() to the given path and restrict IPC and network system calls to the IP given

-i <IP>
specifies the IP that certain network system calls are restricted to inside the jail; it has to be specified when -j is given

-n <HOSTNAME>
specifies the hostname inside the jail; it has to be specified when -j is given

Examples

chruid -u 2000 -g 1000 -c /www -x /tomcat/bin/tomcat.sh -o start -p
This would chroot() to "/www", set its UID/GID to 2000/1000, preserve the environment and execute "/tomcat/bin/tomcat.sh" with the option "start".

chruid -u 4000 -g 65535 -c /services/samba -x /rc.d/smbd -o start -j -n samba.foo.bar -i 1.2.3.4
On a FreeBSD host this would jail() to "/services/samba" with the hostname "samba.foo.bar", set its UID/GID to 4000/65535, create a new default environment and execute "/rc.d/smbd" with the option "start" while having the jail restricted to the IP "1.2.3.4".
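
The following added example, which is not chruid's own source, shows the order a chroot + privilege-drop wrapper of this kind has to follow: chroot() while still root, then supplementary groups, GID and UID, then a check that root cannot be regained, then exec with a fresh environment. The function name `confine`, the environment values and the command-line layout are assumptions made for the example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* glibc: expose chroot() and setgroups() */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to `path` and drop to uid/gid.
 * Returns 0 on success, -1 on the first failing step. Order matters:
 * chroot() needs root, and groups must be dropped before the UID, because
 * after setuid() the process may no longer change its groups. */
int confine(const char *path, uid_t uid, gid_t gid)
{
    if (chroot(path) != 0 || chdir("/") != 0)  /* chdir: keep no cwd outside */
        return -1;
    if (setgroups(1, &gid) != 0)               /* drop root's supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is permanent: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Fresh environment for the child; these values are assumptions for the
 * example, not chruid's actual defaults. */
static char *const clean_env[] = { "PATH=/bin:/usr/bin", "HOME=/", NULL };

int main(int argc, char **argv)
{
    /* Hypothetical usage: ./confine <path> <uid> <gid> <bin> [args...] */
    if (argc < 5) {
        fprintf(stderr, "usage: %s path uid gid bin [args...]\n", argv[0]);
        return 2;
    }
    if (confine(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("confine");
        return 1;
    }
    execve(argv[4], &argv[4], clean_env);      /* returns only on failure */
    perror("execve");
    return 1;
}
```

Taking numeric IDs rather than user names means nothing inside the chroot has to resolve them, which matches the goal of avoiding pam and nss in the chroot.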

Download

The current development version is here.

The following snapshots are available:

chruid v0.5

chruid v0.4.1

chruid v0.4

chruid v0.3


dennis at bsdgeek dot net
Last Modified: 200207101200