1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
|
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 1996 , Marek Michałkiewicz
Copyright (c) 2001 - 2006, Tomasz Kłoczko
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the copyright holders or contributors may not be used to
endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='suauth.5'>
<!-- $Id$ -->
<refentryinfo>
<author>
<firstname>Marek</firstname>
<surname>Michałkiewicz</surname>
<contrib>Creation, 1996</contrib>
</author>
<author>
<firstname>Thomas</firstname>
<surname>Kłoczko</surname>
<email>kloczek@pld.org.pl</email>
<contrib>shadow-utils maintainer, 2000 - 2007</contrib>
</author>
<author>
<firstname>Nicolas</firstname>
<surname>François</surname>
<email>nicolas.francois@centraliens.net</email>
<contrib>shadow-utils maintainer, 2007 - now</contrib>
</author>
</refentryinfo>
<refmeta>
<refentrytitle>suauth</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
<refmiscinfo class="source">shadow-utils</refmiscinfo>
<refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>suauth</refname>
<refpurpose>detailed su control file</refpurpose>
</refnamediv>
<!-- body begins here -->
<refsynopsisdiv id='synopsis'>
<cmdsynopsis>
<command>/etc/suauth</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
The file <filename>/etc/suauth</filename> is referenced whenever the
su command is called. It can change the behaviour of the su command,
based upon:
</para>
<!-- .RS -->
<literallayout remap='.nf'>
1) the user su is targeting
</literallayout>
<!-- .fi -->
<para>
2) the user executing the su command (or any groups he might be
a member of)
</para>
<para>
The file is formatted like this, with lines starting with a # being
treated as comment lines and ignored;
</para>
<literallayout remap='RS'>
to-id:from-id:ACTION
</literallayout>
<para>
Where to-id is either the word <emphasis>ALL</emphasis>, a list of
usernames delimited by "," or the words <emphasis>ALL
EXCEPT</emphasis> followed by a list of usernames delimited by ",".
</para>
<para>
from-id is formatted the same as to-id except the extra word
<emphasis>GROUP</emphasis> is recognized. <emphasis>ALL EXCEPT
GROUP</emphasis> is perfectly valid too. Following
<emphasis>GROUP</emphasis> appears one or more group names, delimited
by ",". It is not sufficient to have primary group id of the relevant
group, an entry in
<citerefentry><refentrytitle>/etc/group</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> is necessary.
</para>
<para>
Action can be one only of the following currently supported options.
</para>
<variablelist remap='TP'>
<varlistentry>
<term>
<emphasis>DENY</emphasis>
</term>
<listitem>
<para>The attempt to su is stopped before a password is
even asked for.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis>NOPASS</emphasis>
</term>
<listitem>
<para>
The attempt to su is automatically successful; no password is
asked for.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis>OWNPASS</emphasis>
</term>
<listitem>
<para>
For the su command to be successful, the user must enter his or
her own password. They are told this.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
Note there are three separate fields delimited by a colon. No
whitespace must surround this colon. Also note that the file is
examined sequentially line by line, and the first applicable rule is
used without examining the file further. This makes it possible for a
system administrator to exercise as fine control as he or she wishes.
</para>
</refsect1>
<refsect1 id='example'>
<title>EXAMPLE</title>
<literallayout remap='.nf'>
# sample /etc/suauth file
#
# A couple of privileged usernames may
# su to root with their own password.
#
root:chris,birddog:OWNPASS
#
# Anyone else may not su to root unless in
# group wheel. This is how BSD does things.
#
root:ALL EXCEPT GROUP wheel:DENY
#
# Perhaps terry and birddog are accounts
# owned by the same person.
# Access can be arranged between them
# with no password.
#
terry:birddog:NOPASS
birddog:terry:NOPASS
#
</literallayout>
<!-- .fi -->
</refsect1>
<refsect1 id='files'>
<title>FILES</title>
<variablelist>
<varlistentry>
<term><filename>/etc/suauth</filename></term>
<listitem><para></para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='bugs'>
<title>BUGS</title>
<para>
There could be plenty lurking. The file parser is particularly
unforgiving about syntax errors, expecting no spurious whitespace
(apart from beginning and end of lines), and a specific token
delimiting different things.
</para>
</refsect1>
<refsect1 id='diagnostics'>
<title>DIAGNOSTICS</title>
<para>
An error parsing the file is reported using
<citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
as level ERR on facility AUTH.
</para>
</refsect1>
<refsect1 id='see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refentry>
|