diff options
Diffstat (limited to 'man/suauth.5.xml')
-rw-r--r-- | man/suauth.5.xml | 229 |
1 files changed, 229 insertions, 0 deletions
diff --git a/man/suauth.5.xml b/man/suauth.5.xml new file mode 100644 index 0000000..97ef6d1 --- /dev/null +++ b/man/suauth.5.xml @@ -0,0 +1,229 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Copyright (c) 1996 , Marek Michałkiewicz + Copyright (c) 2001 - 2006, Tomasz Kłoczko + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. The name of the copyright holders or contributors may not be used to + endorse or promote products derived from this software without + specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +--> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN" + "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ +<!-- SHADOW-CONFIG-HERE --> +]> +<refentry id='suauth.5'> + <!-- $Id$ --> + <refentryinfo> + <author> + <firstname>Marek</firstname> + <surname>Michałkiewicz</surname> + <contrib>Creation, 1996</contrib> + </author> + <author> + <firstname>Thomas</firstname> + <surname>Kłoczko</surname> + <email>kloczek@pld.org.pl</email> + <contrib>shadow-utils maintainer, 2000 - 2007</contrib> + </author> + <author> + <firstname>Nicolas</firstname> + <surname>François</surname> + <email>nicolas.francois@centraliens.net</email> + <contrib>shadow-utils maintainer, 2007 - now</contrib> + </author> + </refentryinfo> + <refmeta> + <refentrytitle>suauth</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo> + <refmiscinfo class="source">shadow-utils</refmiscinfo> + <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo> + </refmeta> + <refnamediv id='name'> + <refname>suauth</refname> + <refpurpose>detailed su control file</refpurpose> + </refnamediv> + <!-- body begins here --> + <refsynopsisdiv id='synopsis'> + <cmdsynopsis> + <command>/etc/suauth</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id='description'> + <title>DESCRIPTION</title> + <para> + The file <filename>/etc/suauth</filename> is referenced whenever the + su command is called. It can change the behaviour of the su command, + based upon: + </para> + + <!-- .RS --> + <literallayout remap='.nf'> + 1) the user su is targeting + </literallayout> + <!-- .fi --> + <para> + 2) the user executing the su command (or any groups he might be + a member of) + </para> + + <para> + The file is formatted like this, with lines starting with a # being + treated as comment lines and ignored; + </para> + + <literallayout remap='RS'> + to-id:from-id:ACTION + </literallayout> + + <para> + Where to-id is either the word <emphasis>ALL</emphasis>, a list of + usernames delimited by "," or the words <emphasis>ALL + EXCEPT</emphasis> followed by a list of usernames delimited by ",". + </para> + + <para> + from-id is formatted the same as to-id except the extra word + <emphasis>GROUP</emphasis> is recognized. <emphasis>ALL EXCEPT + GROUP</emphasis> is perfectly valid too. Following + <emphasis>GROUP</emphasis> appears one or more group names, delimited + by ",". It is not sufficient to have primary group id of the relevant + group, an entry in + <citerefentry><refentrytitle>/etc/group</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> is necessary. + </para> + + <para> + Action can be one only of the following currently supported options. + </para> + <variablelist remap='TP'> + <varlistentry> + <term> + <emphasis>DENY</emphasis> + </term> + <listitem> + <para>The attempt to su is stopped before a password is + even asked for. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <emphasis>NOPASS</emphasis> + </term> + <listitem> + <para> + The attempt to su is automatically successful; no password is + asked for. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <emphasis>OWNPASS</emphasis> + </term> + <listitem> + <para> + For the su command to be successful, the user must enter his or + her own password. They are told this. + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + Note there are three separate fields delimited by a colon. No + whitespace must surround this colon. Also note that the file is + examined sequentially line by line, and the first applicable rule is + used without examining the file further. This makes it possible for a + system administrator to exercise as fine control as he or she wishes. + </para> + </refsect1> + + <refsect1 id='example'> + <title>EXAMPLE</title> + <literallayout remap='.nf'> + # sample /etc/suauth file + # + # A couple of privileged usernames may + # su to root with their own password. + # + root:chris,birddog:OWNPASS + # + # Anyone else may not su to root unless in + # group wheel. This is how BSD does things. + # + root:ALL EXCEPT GROUP wheel:DENY + # + # Perhaps terry and birddog are accounts + # owned by the same person. + # Access can be arranged between them + # with no password. + # + terry:birddog:NOPASS + birddog:terry:NOPASS + # + </literallayout> + <!-- .fi --> + </refsect1> + + <refsect1 id='files'> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/suauth</filename></term> + <listitem><para></para></listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='bugs'> + <title>BUGS</title> + <para> + There could be plenty lurking. The file parser is particularly + unforgiving about syntax errors, expecting no spurious whitespace + (apart from beginning and end of lines), and a specific token + delimiting different things. + </para> + </refsect1> + + <refsect1 id='diagnostics'> + <title>DIAGNOSTICS</title> + <para> + An error parsing the file is reported using + <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry> + as level ERR on facility AUTH. + </para> + </refsect1> + + <refsect1 id='see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>. + </para> + </refsect1> +</refentry> |