230 lines
7.3 KiB
XML
230 lines
7.3 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!--
|
|
Copyright (c) 1996 , Marek Michałkiewicz
|
|
Copyright (c) 2001 - 2006, Tomasz Kłoczko
|
|
All rights reserved.
|
|
|
|
Redistribution and use in source and binary forms, with or without
|
|
modification, are permitted provided that the following conditions
|
|
are met:
|
|
1. Redistributions of source code must retain the above copyright
|
|
notice, this list of conditions and the following disclaimer.
|
|
2. Redistributions in binary form must reproduce the above copyright
|
|
notice, this list of conditions and the following disclaimer in the
|
|
documentation and/or other materials provided with the distribution.
|
|
3. The name of the copyright holders or contributors may not be used to
|
|
endorse or promote products derived from this software without
|
|
specific prior written permission.
|
|
|
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
-->
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!-- SHADOW-CONFIG-HERE -->
|
|
]>
|
|
<refentry id='suauth.5'>
|
|
<!-- $Id$ -->
|
|
<refentryinfo>
|
|
<author>
|
|
<firstname>Marek</firstname>
|
|
<surname>Michałkiewicz</surname>
|
|
<contrib>Creation, 1996</contrib>
|
|
</author>
|
|
<author>
|
|
<firstname>Thomas</firstname>
|
|
<surname>Kłoczko</surname>
|
|
<email>kloczek@pld.org.pl</email>
|
|
<contrib>shadow-utils maintainer, 2000 - 2007</contrib>
|
|
</author>
|
|
<author>
|
|
<firstname>Nicolas</firstname>
|
|
<surname>François</surname>
|
|
<email>nicolas.francois@centraliens.net</email>
|
|
<contrib>shadow-utils maintainer, 2007 - now</contrib>
|
|
</author>
|
|
</refentryinfo>
|
|
<refmeta>
|
|
<refentrytitle>suauth</refentrytitle>
|
|
<manvolnum>5</manvolnum>
|
|
<refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
|
|
<refmiscinfo class="source">shadow-utils</refmiscinfo>
|
|
<refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
|
|
</refmeta>
|
|
<refnamediv id='name'>
|
|
<refname>suauth</refname>
|
|
<refpurpose>detailed su control file</refpurpose>
|
|
</refnamediv>
|
|
<!-- body begins here -->
|
|
<refsynopsisdiv id='synopsis'>
|
|
<cmdsynopsis>
|
|
<command>/etc/suauth</command>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1 id='description'>
|
|
<title>DESCRIPTION</title>
|
|
<para>
|
|
The file <filename>/etc/suauth</filename> is referenced whenever the
|
|
su command is called. It can change the behaviour of the su command,
|
|
based upon:
|
|
</para>
|
|
|
|
<!-- .RS -->
|
|
<literallayout remap='.nf'>
|
|
1) the user su is targeting
|
|
</literallayout>
|
|
<!-- .fi -->
|
|
<para>
|
|
2) the user executing the su command (or any groups he might be
|
|
a member of)
|
|
</para>
|
|
|
|
<para>
|
|
The file is formatted like this, with lines starting with a # being
|
|
treated as comment lines and ignored;
|
|
</para>
|
|
|
|
<literallayout remap='RS'>
|
|
to-id:from-id:ACTION
|
|
</literallayout>
|
|
|
|
<para>
|
|
Where to-id is either the word <emphasis>ALL</emphasis>, a list of
|
|
usernames delimited by "," or the words <emphasis>ALL
|
|
EXCEPT</emphasis> followed by a list of usernames delimited by ",".
|
|
</para>
|
|
|
|
<para>
|
|
from-id is formatted the same as to-id except the extra word
|
|
<emphasis>GROUP</emphasis> is recognized. <emphasis>ALL EXCEPT
|
|
GROUP</emphasis> is perfectly valid too. Following
|
|
<emphasis>GROUP</emphasis> appears one or more group names, delimited
|
|
by ",". It is not sufficient to have primary group id of the relevant
|
|
group, an entry in
|
|
<citerefentry><refentrytitle>/etc/group</refentrytitle>
|
|
<manvolnum>5</manvolnum></citerefentry> is necessary.
|
|
</para>
|
|
|
|
<para>
|
|
Action can be one only of the following currently supported options.
|
|
</para>
|
|
<variablelist remap='TP'>
|
|
<varlistentry>
|
|
<term>
|
|
<emphasis>DENY</emphasis>
|
|
</term>
|
|
<listitem>
|
|
<para>The attempt to su is stopped before a password is
|
|
even asked for.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<emphasis>NOPASS</emphasis>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
The attempt to su is automatically successful; no password is
|
|
asked for.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<emphasis>OWNPASS</emphasis>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
For the su command to be successful, the user must enter his or
|
|
her own password. They are told this.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>
|
|
Note there are three separate fields delimited by a colon. No
|
|
whitespace must surround this colon. Also note that the file is
|
|
examined sequentially line by line, and the first applicable rule is
|
|
used without examining the file further. This makes it possible for a
|
|
system administrator to exercise as fine control as he or she wishes.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id='example'>
|
|
<title>EXAMPLE</title>
|
|
<literallayout remap='.nf'>
|
|
# sample /etc/suauth file
|
|
#
|
|
# A couple of privileged usernames may
|
|
# su to root with their own password.
|
|
#
|
|
root:chris,birddog:OWNPASS
|
|
#
|
|
# Anyone else may not su to root unless in
|
|
# group wheel. This is how BSD does things.
|
|
#
|
|
root:ALL EXCEPT GROUP wheel:DENY
|
|
#
|
|
# Perhaps terry and birddog are accounts
|
|
# owned by the same person.
|
|
# Access can be arranged between them
|
|
# with no password.
|
|
#
|
|
terry:birddog:NOPASS
|
|
birddog:terry:NOPASS
|
|
#
|
|
</literallayout>
|
|
<!-- .fi -->
|
|
</refsect1>
|
|
|
|
<refsect1 id='files'>
|
|
<title>FILES</title>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><filename>/etc/suauth</filename></term>
|
|
<listitem><para></para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1 id='bugs'>
|
|
<title>BUGS</title>
|
|
<para>
|
|
There could be plenty lurking. The file parser is particularly
|
|
unforgiving about syntax errors, expecting no spurious whitespace
|
|
(apart from beginning and end of lines), and a specific token
|
|
delimiting different things.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id='diagnostics'>
|
|
<title>DIAGNOSTICS</title>
|
|
<para>
|
|
An error parsing the file is reported using
|
|
<citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
as level ERR on facility AUTH.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id='see_also'>
|
|
<title>SEE ALSO</title>
|
|
<para>
|
|
<citerefentry>
|
|
<refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
|
|
</citerefentry>.
|
|
</para>
|
|
</refsect1>
|
|
</refentry>
|