shwrap - a shell wrapper

shwrap can be used as a "shell wrapper" for running commands in a safe mode. It can be configured to call another program, after verifying that the command line matches a particular regular expression. It can also change the working directory, perform a chroot(), set UID/GID and set environment variables automatically.

Typical usage is as a wrapper for PHP's system() and exec(), to limit what can be called using those functions.

The program is intended to be renamed to the actual command it is supposed to protect, after renaming the original command to something else. shwrap reads a configuration file from a predefined location (default /usr/local/etc/shwrap.conf). The configuration is used for all instances of shwrap, and can specify the behaviour for each instance.

The configuration file (please refer to the sample included in the archive for examples) contains stanzas of type program, pattern and environment. pattern is used for pattern matching, and environment specifies a number of environment variables. Both of those are referenced from the program configurations.

A program stanza is identified by the program name - argv[0] in the command. The exact format of this depends on the caller, so you may have to experiment.

Once the actual program is identified, shwrap will look at any cmd_patterns defined for the program. If any of them match the command line, the command is accepted. If there are chroot, wdir, setuid, setgid or environment attributes defined, they will be handled first, then the real_program will be called with the remaining command-line arguments.
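The flow described above, as an added illustration in Python that is not shwrap's own code: the program is identified from the basename of argv[0], the whole command line must match one of the program's patterns, the chroot/wdir/setgid/setuid and environment attributes are applied, and only then is real_program exec'd with the remaining arguments. The configuration dict, pattern names, paths and UID/GID values are constructed assumptions; shwrap's actual configuration syntax is not shown on this page.

```python
import os
import re
import sys
# Constructed, hypothetical configuration using the stanza types and attribute
# names the page describes; the real shwrap.conf syntax is not shown here.
PATTERNS = {"safe_convert": [r"convert /var/uploads/[A-Za-z0-9_.-]+ /var/thumbs/[A-Za-z0-9_.-]+"]}
ENVIRONMENTS = {"minimal": {"PATH": "/usr/bin:/bin", "LANG": "C"}}
PROGRAMS = {
    "convert": {                       # matched against basename of argv[0]
        "real_program": "/usr/bin/convert.real",
        "cmd_patterns": ["safe_convert"],
        "wdir": "/var/uploads",
        "setgid": 33,
        "setuid": 33,
        "environment": "minimal",
    },
}

def find_program(argv0):
    """Identify the program stanza from argv[0]; callers may pass a full path."""
    return PROGRAMS.get(os.path.basename(argv0))

def command_allowed(program, argv):
    """Accept only if the whole command line matches one configured pattern."""
    cmdline = " ".join(argv)
    for name in program.get("cmd_patterns", []):
        for regex in PATTERNS.get(name, []):
            if re.fullmatch(regex, cmdline):  # anchored, so no partial matches
                return True
    return False

def main(argv):
    program = find_program(argv[0])
    if program is None or not command_allowed(program, argv):
        sys.stderr.write("shwrap: command rejected\n")
        return 126
    # Confinement before exec: chroot, then chdir inside the new root, then
    # drop the group before the user (setuid last, or setgid would fail).
    if "chroot" in program:
        os.chroot(program["chroot"])
    if "wdir" in program:
        os.chdir(program["wdir"])
    if "setgid" in program:
        os.setgid(program["setgid"])
    if "setuid" in program:
        os.setuid(program["setuid"])
    env = dict(ENVIRONMENTS.get(program.get("environment", ""), {}))
    os.execve(program["real_program"], [program["real_program"]] + argv[1:], env)

if __name__ == "__main__": sys.exit(main(sys.argv))
```

Because the regex is applied with fullmatch over the joined command line, a trailing argument or a path component outside the allowed character class causes the whole command to be rejected rather than partially matched.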

Attachment: shwrap-3.3.tar.gz (64.77 KB)