WROPE(7)                                                              WROPE(7)



NAME
       wrope - extend a wrapped environment to an op escalated process

SYNOPSIS
       wrope  -P  pid  [-C  config]  [-f  file] [-g group] [-R root] [-u user]
       mnemonic program euid:egid cred_type:cred
       wrope -h|-H
       wrope -V

DESCRIPTION
       This jacket allows access from an escalated shell to the client's
       wrapper diversions.  It does this by creating a wrapw(1) diversion that
       multiplexes the existing diversion stack under a single domain socket,
       then chowns that socket to the escalated login (and group).

       The escalated process is provided with the diversion tableau from the
       new instance of wrapw.  Since the wrapw process runs as the client
       login, in a different session, it is unlikely that the escalated login
       can suborn it.

       Since this program must manage the running diversion process as well as
       the  escalated process, it must be specified as a jacket (rather than a
       helmet).

OPTIONS
       This program takes all the op-provided options, but doesn't actually
       look at any of them (other than -P).  It does sanity check them, just
       the same.

ENVIRONMENT
       Like any jacket, most of the configuration is passed from  op  via  the
       environment.

       $WROPE_TO=template
              A  template to generate (with mkdtemp(3) and mktemp(3)) a unique
              location  for  the  new  diversion  socket.   The   default   is
              "/tmp/wropeXXXXXX/wp0".  That mocks the location wrapw would use
              enough that new diversions that  nest  under  wrapw  will  still
              work.

       $WROPE_REVEAL=prefix
              The standard reveal logic, see op-jacket(7).

       All  of these are deleted from each wrapw's environment: $IFS, $CDPATH,
       $ENV, $BASH_ENV to prevent perl(1) from refusing to run  any  commands.
       There is no way in the jacket to set them for wrapw.

       Ancestral instances of wrapw may know the value of other environment
       variables, e.g. those not provided to the escalated environment.  For
       example, the original $PATH might be recovered with:
              wrapw -1 -WR - |tr '\000' '\n' |grep "^PATH="
       This does depend on an existing wrapw diversion being in play before op
       was executed, which usually means you coded a script to make that happen.

EXAMPLES
       These are examples from the command line:

       /usr/local/libexec/jacket/wrope -V
              Output only the version of the program, then exit.

       /usr/local/libexec/jacket/wrope -H
              Output a summary of the environment expected.

       All of these are snips from the op access.cf file.  Note that you  must
       allow  any referenced environment variables into the escalated environ-
       ment, and it is a really good idea to include a $PATH.
       jacket=/usr/local/libexec/jacket/wrope
       environment=^.*_link$,^.*_d$,^.*_[0-9][0-9]*$
       $TERM $TERMCAP $PERP=$l
              This is the most common spell to run this jacket.  It allows all
              well-formed  wrapper variables to be passed to the jacket, which
              replaces them with the mappings  from  wrapw.   This  gives  the
              escalated process access to all in-scope diversions.

       jacket=/usr/local/libexec/jacket/wrope
       environment=^ptbw_,^xclate_,^gtfw_,^sshw_
       $TERM $TERMCAP $PERP=$l
              Allow only diversions for wrappers we know through to the
              escalated process.  To cut off access to the original
              environment, don't include any instances of wrapw.
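
       The two environment= lists above differ in what they let through.  The
       script below is an added example, not part of op or wrope: it tests
       constructed variable names against each list, assuming op applies every
       regex to the variable name alone.

```shell
#!/bin/sh
# Added example, not part of op or wrope.
# Assumption: op applies each environment= regex to the variable name only.

# The two lists from the access.cf snips above.
ALL_WRAPPERS='^.*_link$,^.*_d$,^.*_[0-9][0-9]*$'
KNOWN_ONLY='^ptbw_,^xclate_,^gtfw_,^sshw_'

# Constructed sample names: wrapper-style variables, wrapw's own, and
# ordinary variables neither list is meant to match.
SAMPLE='xclate_link xclate_d xclate_1 ptbw_link ptbw_debug wrapw_link wrapw_d wrapw_1 stage_2 PATH LD_PRELOAD IFS'

# admitted LIST NAME: succeed if any comma-separated regex in LIST matches NAME.
# Runs in a subshell so the IFS and noglob changes do not leak to the caller.
admitted() (
    IFS=,
    set -f                      # the regexes contain * and [ ]; do not glob them
    for re in $1; do
        printf '%s\n' "$2" | grep -Eq -- "$re" && exit 0
    done
    exit 1
)

# passed LIST NAME...: print the names LIST would admit, space separated.
passed() {
    list=$1; shift
    out=
    for name in "$@"; do
        if admitted "$list" "$name"; then out="${out:+$out }$name"; fi
    done
    printf '%s\n' "$out"
}

# shellcheck disable=SC2086  # SAMPLE is split on spaces on purpose
echo "shape-based list:   $(passed "$ALL_WRAPPERS" $SAMPLE)"
echo "known-wrapper list: $(passed "$KNOWN_ONLY" $SAMPLE)"
```

       The known-wrapper list drops every wrapw variable, which is how the
       second snip cuts off the original environment.  Its prefix-only
       patterns still admit any name that starts with a listed prefix, such as
       the constructed ptbw_debug.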

BUGS
       It  might  be  possible  to  trick a wrapper into doing something unex-
       pected, but I've never had a problem with that.

AUTHOR
       K S Braunsdorf, from the Non-Player Character Guild
       op at-not-a-spammer ksb dot npcguild.org.nopinks

SEE ALSO
       op(1l),  op-jacket(7l),   wrapw(1l),   ptbw(1l),   xclate(1l),   proxy-
       agent(7l), hxmd(8l), chown(2)



                                     LOCAL                            WROPE(7)
