fakeroot-ng - run a command while making it believe it is running as root
[ -llogfile [-f] ] [
-p persist_file ] [-d] command line
This manual page documents the fakeroot-ng
Fakeroot-ng allows running a process without any change to the permissions, but
fooling the process into thinking that it is running with root permissions.
This typically involves intercepting certain system calls the process performs
and manipulating their results. In order for the effect to be complete enough,
previous manipulations have to be remembered, and consistent results returned.
The idea behind fakroot-ng was first implemented by a tool called fakeroot(1).
This tool used LD_PRELOAD of the dynamic linking to glibc in order to
intercept the system calls. While this approach is very rebust and very
platform independent, it does suffer in scope. In particular, certain
operations (mostly the open(2) system call) could not be intercepted, which
caused emulating other operations (mainly the chroot(2) system call) to not be
Fakeroot-ng strives to fill those gaps by using a totally different technology
for system call interception. Instead of using LD_PRELOAD, ptrace(2) is being
- Before the first process is being run, loads from
state_file the information needed in order to maintain a consistent
view of file permissions and owners across fakeroot-ng runs. This image is
also automatically saved when the last process exists. If more then one
instance of fakeroot-ng is loaded simultaneously, both with the same
state_file, then the two instances will share state and their
processes will see the same picture at runtime.
- Causes fakeroot-ng to dump to log_file internal
state and processing information. This is mostly useful for cases where
fakeroot-ng fails to act as expected.
- Causes the log file to be flushed after every print.
Guarantees that the important hint as to why the crash happened will be in
the actual file, but has non-negligent performance effect. Only has effect
if -l is specified.
- Tells fakeroot-ng not to completely daemonize itself. This
is mostly useful in case of crashes that cause a core dump, as the
debugger would normally change directory to root, which would prevent a
core file from being created.
- Print out the version number and copyright info and exit
without doing anything.
- Print out a short help screen and exit.
Sending the ALRM signal to the fakeroot-ng master process makes it dump to the
log a complete list of all tracked processes, along with their parent and
current state. This is, mostly, a debugging feature. The signal does nothing
is not active. Please note that no process executes any system
calls while this takes place, so this feature essentially freezes all of the
debugged processes for a few seconds.
Some of the communication between fakeroot-ng and the program being fooled is
done through a shared memory mechanism. In order to create it, fakeroot-ng
creates a temporary file and maps it into memory as executable segment. Some
systems have their /tmp folder mounted with the noexec
flag. On those
system, the mmap will fail and fakeroot-ng will not run.
There are two environment variables that allow fakeroot-ng to find a folder in
which the shared memory files can be created. The first is TMPDIR
it exists, fakeroot-ng will use it to create the temporary files, rather than
/tmp. The problem with using TMPDIR
for creating temporary files is
that fakeroot-ng is not the only one to use it. For that reason, if the
environment has a variable called FAEKROOT_TMPDIR
, its value will
override that of either TMPDIR
or the default /tmp directory.
On Linux, it is usually entirely safe to point FAKEROOT_TMPDIR
, which usually lives up to expectations regarding mount mode
Fakeroot-ng is a non-SUID executable, and does not modify any sensitive data.
It, therefor, does not affect the overall security of the system. One may be
tempted, however, to use fakeroot-ng as a security tool, for running processes
with reduced privileges or inside a chroot jail. In addition to all the
warnings that usually apply to using chroot jails as a security tool (in a
nutshell - don't), the following should be understood.
Unlike previous implementations, fakeroot-ng uses a technology that leaves the
traced process no choice regarding whether it will use fakeroot-ng's
"services" or not. Compiling a program statically, directly calling
the kernel and manipulating ones own address space are all techniques that can
be trivially used to bypass LD_PRELOAD based control over a process, and do
not apply to fakeroot-ng. It is, theoretically, possible to mold fakeroot-ng
in such a way as to have total control over the traced process.
While it is theoretically possible, it has not been done. Fakeroot-ng does
assume certain "nicely behaved" assumptions about the process being
traced, and a process that break those assumptions may be able to, if not
totally escape then at least circumvent some of the "fake"
environment imposed on it by fakeroot-ng. As such, you are strongly warned
against using fakeroot-ng as a security tool. Bug reports that claim that a
process can deliberatly (as opposed to inadvertly) escape fakeroot-ng's
control will either be closed as "not a bug" or marked as low
It is possible that this policy be rethought in the future. For the time being,
however, you have been warned.
Plenty of those. See the "README" file for a list of known ones.
Fakeroot-ng was written by Shachar Shemesh.
This manual page was written by Shachar Shemesh <email@example.com>
Community support is available exclusively through the project's mailing list,
Commercial support is available through Shachar's company, Lingnu Open Source
Consulting Ltd., at http://www.lingnu.com