NAME
fakeroot-ng - run a command while making it believe it is running as
root
SYNOPSIS
fakeroot-ng [ -llogfile [-f] ] [ -ppersist_file ] [-d] command line
DESCRIPTION
This manual page documents the fakeroot-ng command.
Fakeroot-ng allows running a process without any change to the
permissions, but fooling the process into thinking that it is running
with root permissions. This typically involves intercepting certain
system calls the process performs and manipulating their results. In
order for the effect to be complete enough, previous manipulations have
to be remembered, and consistent results returned.
The idea behind fakeroot-ng was first implemented by a tool called
fakeroot(1). This tool used the LD_PRELOAD mechanism of dynamic linking
to glibc in order to intercept the system calls. While this approach is
very robust and very platform independent, it does suffer in scope. In
particular, certain operations (mostly the open(2) system call) could
not be intercepted, which meant that emulating other operations (mainly
the chroot(2) system call) could not be supported.
Fakeroot-ng strives to fill those gaps by using a totally different
technology for system call interception. Instead of using LD_PRELOAD,
it uses ptrace(2).
PARAMETERS
-pstate_file
Before the first process is run, loads from state_file the
information needed in order to maintain a consistent view of
file permissions and owners across fakeroot-ng runs. This image
is also automatically saved when the last process exits. If
more than one instance of fakeroot-ng is loaded simultaneously,
both with the same state_file, then the two instances will share
state and their processes will see the same picture at runtime.
-llog_file
Causes fakeroot-ng to dump to log_file internal state and
processing information. This is mostly useful for cases where
fakeroot-ng fails to act as expected.
-f Causes the log file to be flushed after every print. Guarantees
that the important hint as to why the crash happened will be in
the actual file, but has a non-negligible performance cost. Only
has effect if -l is specified.
-d Tells fakeroot-ng not to completely daemonize itself. This is
mostly useful in case of crashes that cause a core dump, as the
debugger would normally change directory to root, which would
prevent a core file from being created.
-v Print out the version number and copyright info and exit without
doing anything.
SIGNALS
Sending the ALRM signal to the fakeroot-ng master process makes it dump
to the log a complete list of all tracked processes, along with their
parent and current state. This is, mostly, a debugging feature. The
signal does nothing if -l is not active.
ENVIRONMENT VARIABLES AND SHARED MEMORY
Some of the communication between fakeroot-ng and the program being
fooled is done through a shared memory mechanism. In order to create
it, fakeroot-ng creates a temporary file and maps it into memory as
an executable segment. Some systems have their /tmp folder mounted with
the noexec flag. On those systems, the mmap will fail and fakeroot-ng
will not run.
There are two environment variables that allow fakeroot-ng to find a
folder in which the shared memory files can be created. The first is
TMPDIR. If it exists, fakeroot-ng will use it to create the temporary
files, rather than /tmp. The problem with using TMPDIR for creating
temporary files is that fakeroot-ng is not the only one to use it. For
that reason, if the environment has a variable called FAKEROOT_TMPDIR,
its value will override that of either TMPDIR or the default /tmp
directory.
On Linux, it is usually entirely safe to point FAKEROOT_TMPDIR to
/dev/shm, which usually lives up to expectations regarding mount mode
and writability.
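The following pre-flight check is an added example, not code from fakeroot-ng: it picks a directory using the precedence described above and tests whether a temporary file created there can be mapped executable. The function names, the choice of MAP_SHARED with PROT_READ|PROT_EXEC, and the treatment of an empty variable as unset are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Precedence from the text: FAKEROOT_TMPDIR, then TMPDIR, then /tmp.
 * Assumption: an empty value is treated the same as an unset one. */
const char *pick_tmpdir(const char *fakeroot_tmpdir, const char *tmpdir)
{
    if (fakeroot_tmpdir && *fakeroot_tmpdir) return fakeroot_tmpdir;
    if (tmpdir && *tmpdir) return tmpdir;
    return "/tmp";
}

/* Returns 1 if a file in dir can be mapped executable, 0 if the kernel
 * refuses the mapping (what a noexec mount does), and -1 if the probe
 * file could not be created or sized at all. */
int dir_allows_exec_mmap(const char *dir)
{
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/execprobe.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path) return -1;

    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                 /* the file disappears once fd is closed */

    long page = sysconf(_SC_PAGESIZE);
    int result = -1;
    if (page > 0 && ftruncate(fd, page) == 0) {
        void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_EXEC,
                       MAP_SHARED, fd, 0);
        if (p != MAP_FAILED) { munmap(p, (size_t)page); result = 1; }
        else result = 0;          /* typically EPERM on a noexec mount */
    }
    close(fd);
    return result;
}

int main(void)
{
    const char *dir = pick_tmpdir(getenv("FAKEROOT_TMPDIR"), getenv("TMPDIR"));
    int r = dir_allows_exec_mmap(dir);
    printf("%s: %s\n", dir, r == 1 ? "executable mapping allowed"
         : r == 0 ? "executable mapping refused" : "cannot create probe file");
    return r == 1 ? 0 : 1;
}
```

A result of 0 for the selected directory is the condition under which the text says fakeroot-ng will not run; pointing FAKEROOT_TMPDIR at a directory that yields 1 avoids it.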
SECURITY CONSIDERATIONS
Fakeroot-ng is a non-SUID executable, and does not modify any sensitive
data. It, therefore, does not affect the overall security of the system.
One may be tempted, however, to use fakeroot-ng as a security tool, for
running processes with reduced privileges or inside a chroot jail. In
addition to all the warnings that usually apply to using chroot jails
as a security tool (in a nutshell - don’t), the following should be
understood.
Unlike previous implementations, fakeroot-ng uses a technology that
leaves the traced process no choice regarding whether it will use
fakeroot-ng’s "services" or not. Compiling a program statically,
directly calling the kernel and manipulating one’s own address space are
all techniques that can be trivially used to bypass LD_PRELOAD based
control over a process, and do not apply to fakeroot-ng. It is,
theoretically, possible to mold fakeroot-ng in such a way as to have
total control over the traced process.
While it is theoretically possible, it has not been done. Fakeroot-ng
does make certain "nicely behaved" assumptions about the process
being traced, and a process that breaks those assumptions may be able
to, if not totally escape then at least circumvent some of the "fake"
environment imposed on it by fakeroot-ng. As such, you are strongly
warned against using fakeroot-ng as a security tool. Bug reports that
claim that a process can deliberately (as opposed to inadvertently) escape
fakeroot-ng’s control will either be closed as "not a bug" or marked as
low priority.
This policy may be rethought in the future. For the
time being, however, you have been warned.
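The difference between LD_PRELOAD based and ptrace(2) based interception described above can be observed from inside a process. This is an added example, not part of fakeroot-ng; the struct and function names are hypothetical. It compares the identity reported by the libc wrappers with the identity returned by the same system calls issued directly.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* On 32-bit Linux the plain numbers are the legacy 16-bit calls. */
#ifdef SYS_getuid32
#define RAW_GETUID  SYS_getuid32
#define RAW_GETEUID SYS_geteuid32
#define RAW_GETGID  SYS_getgid32
#define RAW_GETEGID SYS_getegid32
#else
#define RAW_GETUID  SYS_getuid
#define RAW_GETEUID SYS_geteuid
#define RAW_GETGID  SYS_getgid
#define RAW_GETEGID SYS_getegid
#endif

struct id_check {
    const char *name;
    long via_libc;    /* symbol resolved by the dynamic linker */
    long via_kernel;  /* same call issued directly to the kernel */
};

/* Fills out[0..3] and returns how many wrappers disagree with the kernel. */
int collect_ids(struct id_check out[4])
{
    out[0] = (struct id_check){ "uid",  (long)getuid(),  syscall(RAW_GETUID)  };
    out[1] = (struct id_check){ "euid", (long)geteuid(), syscall(RAW_GETEUID) };
    out[2] = (struct id_check){ "gid",  (long)getgid(),  syscall(RAW_GETGID)  };
    out[3] = (struct id_check){ "egid", (long)getegid(), syscall(RAW_GETEGID) };

    int mismatches = 0;
    for (int i = 0; i < 4; i++)
        if (out[i].via_libc != out[i].via_kernel)
            mismatches++;
    return mismatches;
}

int main(void)
{
    struct id_check ids[4];
    int bad = collect_ids(ids);
    for (int i = 0; i < 4; i++)
        printf("%-4s libc=%ld kernel=%ld\n",
               ids[i].name, ids[i].via_libc, ids[i].via_kernel);
    printf("%d wrapper(s) disagree with the kernel\n", bad);
    return 0;
}
```

A mismatch means the wrappers are being interposed in user space while direct calls see the real values. Zero mismatches does not rule out a tracer, because a ptrace(2) based tool rewrites the result of the system call itself and both columns then agree.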
BUGS
Plenty of those. See the "README" file for a list of known ones.
SEE ALSO
fakeroot(1), fakechroot(1), ptrace(2), ld.so(8), chroot(1)
AUTHOR
Fakeroot-ng was written by Shachar Shemesh.
This manual page was written by Shachar Shemesh <shachar@debian.org>
PROJECT HOMEPAGE AND SUPPORT
http://sourceforge.net/projects/fakerootng
Community support is available through the project’s mailing list, at
https://lists.sourceforge.net/lists/listinfo/fakerootng-devel.
Commercial support is available through Shachar’s company, Lingnu Open
Source Consulting Ltd., at http://www.lingnu.com