113 lines
2.6 KiB
Groff
113 lines
2.6 KiB
Groff
.TH SUAUTH 5 "Feb 14, 1996"
|
|
.UC 5
|
|
.SH NAME
|
|
suauth \- Detailed su control file
|
|
.SH SYNOPSIS
|
|
.B /etc/suauth
|
|
.SH DESCRIPTION
|
|
The file
|
|
.I /etc/suauth
|
|
is referenced whenever the su command is called. It can change the
|
|
behaviour of the su command, based upon
|
|
.PP
|
|
.RS
|
|
.nf
|
|
1) the user su is targetting
|
|
.fi
|
|
2) the user executing the su command (or any groups he might be
|
|
a member of)
|
|
.RE
|
|
.PP
|
|
The file is formatted like this, with lines starting with a #
|
|
being treated as comment lines and ignored;
|
|
.PP
|
|
.RS
|
|
to-id:from-id:ACTION
|
|
.RE
|
|
.PP
|
|
Where to-id is either the word
|
|
.BR ALL ,
|
|
a list of usernames
|
|
delimited by "," or the words
|
|
.B ALL EXCEPT
|
|
followed by a list
|
|
of usernames delimted by ","
|
|
.PP
|
|
from-id is formatted the same as to-id except the extra word
|
|
.B GROUP
|
|
is recognised.
|
|
.B ALL EXCEPT GROUP
|
|
is perfectly valid too.
|
|
Following
|
|
.B GROUP
|
|
appears one or more group names, delimited by
|
|
",". It is not sufficient to have primary group id of the
|
|
relevant group, an entry in
|
|
.BR /etc/group (5)
|
|
is neccessary.
|
|
.PP
|
|
Action can be one only of the following currently supported
|
|
options.
|
|
.TP 20
|
|
.B DENY
|
|
The attempt to su is stopped before a password is even asked for.
|
|
.TP 20
|
|
.B NOPASS
|
|
The attempt to su is automatically successful; no password is
|
|
asked for.
|
|
.TP 20
|
|
.B OWNPASS
|
|
For the su command to be successful, the user must enter
|
|
his or her own password. They are told this.
|
|
.PP
|
|
Note there are three separate fields delimted by a colon. No
|
|
whitespace must surround this colon. Also note that the file
|
|
is examined sequentially line by line, and the first applicable
|
|
rule is used without examining the file further. This makes it
|
|
possible for a system administrator to exercise as fine control
|
|
as he or she wishes.
|
|
.SH EXAMPLE
|
|
.PP
|
|
.nf
|
|
# sample /etc/suauth file
|
|
#
|
|
# A couple of privileged usernames may
|
|
# su to root with their own password.
|
|
#
|
|
root:chris,birddog:OWNPASS
|
|
#
|
|
# Anyone else may not su to root unless in
|
|
# group wheel. This is how BSD does things.
|
|
#
|
|
root:ALL EXCEPT GROUP wheel:DENY
|
|
#
|
|
# Perhaps terry and birddog are accounts
|
|
# owned by the same person.
|
|
# Access can be arranged between them
|
|
# with no password.
|
|
#
|
|
terry:birddog:NOPASS
|
|
birddog:terry:NOPASS
|
|
#
|
|
.fi
|
|
.SH FILES
|
|
/etc/suauth
|
|
.SH BUGS
|
|
There could be plenty lurking. The file parser is particularly
|
|
unforgiving about syntax errors, expecting no spurious whitespace
|
|
(apart from beginning and end of lines), and a specific token
|
|
delimiting different things.
|
|
.SH DIAGNOSTICS
|
|
An error parsing the file is reported using
|
|
.BR syslogd (8)
|
|
as level ERR on
|
|
facility AUTH.
|
|
.SH SEE ALSO
|
|
.BR su (1)
|
|
.SH AUTHOR
|
|
.nf
|
|
Chris Evans (lady0110@sable.ox.ac.uk)
|
|
Lady Margaret Hall
|
|
Oxford University
|
|
England
|