shadow/man/suauth.5

113 lines
2.6 KiB
Groff

.TH SUAUTH 5 "Feb 14, 1996"
.UC 5
.SH NAME
suauth \- Detailed su control file
.SH SYNOPSIS
.B /etc/suauth
.SH DESCRIPTION
The file
.I /etc/suauth
is referenced whenever the su command is called. It can change the
behaviour of the su command, based upon
.PP
.RS
.nf
1) the user su is targetting
.fi
2) the user executing the su command (or any groups he might be
a member of)
.RE
.PP
The file is formatted like this, with lines starting with a #
being treated as comment lines and ignored;
.PP
.RS
to-id:from-id:ACTION
.RE
.PP
Where to-id is either the word
.BR ALL ,
a list of usernames
delimited by "," or the words
.B ALL EXCEPT
followed by a list
of usernames delimted by ","
.PP
from-id is formatted the same as to-id except the extra word
.B GROUP
is recognised.
.B ALL EXCEPT GROUP
is perfectly valid too.
Following
.B GROUP
appears one or more group names, delimited by
",". It is not sufficient to have primary group id of the
relevant group, an entry in
.BR /etc/group (5)
is neccessary.
.PP
Action can be one only of the following currently supported
options.
.TP 20
.B DENY
The attempt to su is stopped before a password is even asked for.
.TP 20
.B NOPASS
The attempt to su is automatically successful; no password is
asked for.
.TP 20
.B OWNPASS
For the su command to be successful, the user must enter
his or her own password. They are told this.
.PP
Note there are three separate fields delimted by a colon. No
whitespace must surround this colon. Also note that the file
is examined sequentially line by line, and the first applicable
rule is used without examining the file further. This makes it
possible for a system administrator to exercise as fine control
as he or she wishes.
.SH EXAMPLE
.PP
.nf
# sample /etc/suauth file
#
# A couple of privileged usernames may
# su to root with their own password.
#
root:chris,birddog:OWNPASS
#
# Anyone else may not su to root unless in
# group wheel. This is how BSD does things.
#
root:ALL EXCEPT GROUP wheel:DENY
#
# Perhaps terry and birddog are accounts
# owned by the same person.
# Access can be arranged between them
# with no password.
#
terry:birddog:NOPASS
birddog:terry:NOPASS
#
.fi
.SH FILES
/etc/suauth
.SH BUGS
There could be plenty lurking. The file parser is particularly
unforgiving about syntax errors, expecting no spurious whitespace
(apart from beginning and end of lines), and a specific token
delimiting different things.
.SH DIAGNOSTICS
An error parsing the file is reported using
.BR syslogd (8)
as level ERR on
facility AUTH.
.SH SEE ALSO
.BR su (1)
.SH AUTHOR
.nf
Chris Evans (lady0110@sable.ox.ac.uk)
Lady Margaret Hall
Oxford University
England