author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-14 19:33:30 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-14 19:33:30 +0000
commit: c61e14d3a8412cd50d98aab604e607692c844c8a
tree: 4925aca0e6b64c8664ea2f3fdfa99a52dc93d5da /login-utils/runuser.1.adoc
parent: Adding upstream version 2.39.3.
Adding upstream version 2.40. (ref: upstream/2.40)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'login-utils/runuser.1.adoc')
-rw-r--r-- login-utils/runuser.1.adoc 10
1 file changed, 7 insertions, 3 deletions
diff --git a/login-utils/runuser.1.adoc b/login-utils/runuser.1.adoc
index 3872d8d..aea95f7 100644
--- a/login-utils/runuser.1.adoc
+++ b/login-utils/runuser.1.adoc
@@ -52,14 +52,14 @@ Start the shell as a login shell with an environment similar to a real login:
* changes to the target user's home directory
* sets argv[0] of the shell to '*-*' in order to make the shell a login shell
+*-m*, *-p*, *--preserve-environment*::
+Preserve the entire environment, i.e., do not set *HOME*, *SHELL*, *USER* or *LOGNAME*. The option is ignored if the option *--login* is specified.
+
*-P*, *--pty*::
Create a pseudo-terminal for the session. The independent terminal provides better security as the user does not share a terminal with the original session. This can be used to avoid TIOCSTI ioctl terminal injection and other security attacks against terminal file descriptors. The entire session can also be moved to the background (e.g., *runuser --pty* *-u* _username_ *--* _command_ *&*). If the pseudo-terminal is enabled, then *runuser* works as a proxy between the sessions (sync stdin and stdout).
+
This feature is mostly designed for interactive sessions. If the standard input is not a terminal, but for example a pipe (e.g., *echo "date" | runuser --pty -u* _user_), then the *ECHO* flag for the pseudo-terminal is disabled to avoid messy output.
-*-m*, *-p*, *--preserve-environment*::
-Preserve the entire environment, i.e., do not set *HOME*, *SHELL*, *USER* or *LOGNAME*. The option is ignored if the option *--login* is specified.
-
*-s*, *--shell*=_shell_::
Run the specified _shell_ instead of the default. The shell to run is selected according to the following rules, in order:
@@ -73,6 +73,10 @@ If the target user has a restricted shell (i.e., not listed in _/etc/shells_), t
**--session-command=**__command__::
Same as *-c*, but do not create a new session. (Discouraged.)
+*-T*, *--no-pty**::
+Do not create a pseudo-terminal, opposite of *--pty* and *-P*.
+Note that running without a pseudo-terminal opens the security risk of privilege escalation through TIOCSTI/TIOCLINUX ioctl command injection.
+
*-w*, *--whitelist-environment*=_list_::
Don't reset the environment variables specified in the comma-separated _list_ when clearing the environment for *--login*. The whitelist is ignored for the environment variables *HOME*, *SHELL*, *USER*, *LOGNAME*, and *PATH*.
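Review bot: the added term line `*-T*, *--no-pty**::` ends with a stray extra asterisk, which leaves the bold markup unbalanced; it should read `*-T*, *--no-pty*::`. The entry also defines itself only as the opposite of *--pty* and *-P* without saying which behaviour applies when neither option is given, so a reader cannot tell when *-T* is needed or when the TIOCSTI/TIOCLINUX exposure described in the note is in effect; a sentence stating the default would close that gap.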