Dreamland
This program executes a specified program in a CHROOT environment,
with dropped privileges and with its USER and GROUP IDs changed to the specified ones.
It can also impose resource limits, and has other nice (renice :) features.
I'm trying to provide the ability to drop all kinds of privileges defined in Linux.
If something is missing, you are encouraged to write to szh at 7ka.mipt.ru
dreamland.c
Compilation: gcc dreamland.c -o dreamland
Designed for Linux 2.2 & 2.4.
Copyright/left Zhitomirsky Sergey, 2000.
Distributed under GNU General Public License, version 2.
I call it "root's dreamland" (or "nobody's jail")
Note: setting capabilities doesn't work, because after exec() the
kernel sets ALL capabilities again if uid=0 (and clears ALL otherwise).
OPTIONS
[ --chroot chroot_dir] chroot to chroot_dir
[ -u user ] real, effective and saved USER IDs will be set to "user"; user may be a number or a name, default user=99
[ -g group ] real, effective and saved GROUP IDs will be set to "group"; group may be a number or a name, default group=99
[ -G additional_group_id ] may be given many times; sets the list of supplementary group IDs
[ -E program_to_execute its params] -E must be the last parameter
[ -n nice ] modify scheduling priority
[-core max_core_file_size]
[-nproc max_number_of_child_processes]
[-cpu max_CPU_time ] CPU time in seconds
[-rss max_resident_set_size ]
[-nofile max_number_of_open_files]
[--version ]
[--verbose ]
[-h --help ] print this message
[-env environment_variable ] may be given many times (example: -env PATH=/bin:/sbin -env CRACKERS=loosers)
[--keep-env ] keep all environment variables instead of clearing them
[--keep_fileids] with --chroot, don't specially close open files (but do close dirs)
[--reset-caps ] clear all process capabilities (NOT supported by kernel!)
[-cap number_of_capability] may be several -cap ; (NOT supported by kernel!)
--user is alias to -u , --group to -g
USAGE EXAMPLE:
/sbin/dreamland -u nobody -g 66 -G 98 -G floppy --chroot /var/chroot \
    -env PATH=/bin:/sbin -nproc 10 -n 7 -E /sbin/service service_params
DEFAULTS:
All of the process's user IDs=99, group IDs=99, no chroot_dir,
if dreamland is run with user id = 0 and no -G options were given, the supplementary group list is set to empty (NULL),
all environment variables are reset, and only those given with -env options (if any) are
with --chroot, all open directories and files are closed (except stdin, stdout, stderr)
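
The order in which the steps described above have to run (chroot, supplementary groups, group IDs, user IDs, then limits and a clean environment), as an added C example that is not taken from dreamland.c. The function names and return codes are hypothetical, and the use of setresuid(), setresgid() and clearenv() from glibc is an assumption about how such a wrapper can be written, not a statement of what the original program calls.

```c
#define _GNU_SOURCE   /* setresuid(), setresgid(), getresuid() */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <unistd.h>

/* Cap one resource, soft and hard limit alike (cf. -core, -nproc, -nofile). */
int cap_limit(int resource, rlim_t max)
{
    struct rlimit rl = { .rlim_cur = max, .rlim_max = max };
    return setrlimit(resource, &rl);
}

/* Clear the environment, then set only the given NAME=VALUE strings (-env). */
int reset_env(char *const kept[], size_t n)
{
    if (clearenv() != 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (putenv(kept[i]) != 0) return -1;
    return 0;
}

/* Enter the jail and drop IDs; returns 0 or a negative code for the failed
 * step. chroot() and setgroups() need root, so they run first; the UID
 * change comes last because it removes the right to do the others. */
int drop_privileges(const char *root, uid_t uid, gid_t gid,
                    const gid_t *groups, size_t ngroups)
{
    uid_t r, e, s;
    if (root && (chroot(root) != 0 || chdir("/") != 0)) return -1;
    /* Only root can set the supplementary list; ngroups == 0 empties it. */
    if (geteuid() == 0 && setgroups(ngroups, groups) != 0) return -2;
    if (setresgid(gid, gid, gid) != 0) return -3;
    if (setresuid(uid, uid, uid) != 0) return -4;
    /* Verify: real, effective and saved UID all changed, root is gone. */
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid) return -5;
    if (uid != 0 && setuid(0) == 0) return -6;
    return 0;
}

int main(void)
{
    char *env[] = { "PATH=/bin:/sbin" };  /* constructed sample, as in -env */
    /* Uses the caller's own IDs so the demo also runs without root. */
    int rc = drop_privileges(NULL, getuid(), getgid(), NULL, 0);
    if (rc == 0 && cap_limit(RLIMIT_CORE, 0) == 0 && reset_env(env, 1) == 0)
        printf("dropped: uid=%d PATH=%s\n", (int)getuid(), getenv("PATH"));
    return rc != 0;
}
```

A wrapper built this way would call exec() on the target program only after drop_privileges() has returned 0, and would exit instead of continuing on any negative code.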