summaryrefslogtreecommitdiffstats
path: root/man/man5/suauth.5
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--man/man5/suauth.5146
1 files changed, 146 insertions, 0 deletions
diff --git a/man/man5/suauth.5 b/man/man5/suauth.5
new file mode 100644
index 0000000..7c7729c
--- /dev/null
+++ b/man/man5/suauth.5
@@ -0,0 +1,146 @@
+'\" t
+.\" Title: suauth
+.\" Author: Marek MichaƂkiewicz
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\" Date: 11/08/2022
+.\" Manual: File Formats and Configuration Files
+.\" Source: shadow-utils 4.13
+.\" Language: English
+.\"
+.TH "SUAUTH" "5" "11/08/2022" "shadow\-utils 4\&.13" "File Formats and Configuration"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+suauth \- detailed su control file
+.SH "SYNOPSIS"
+.HP \w'\fB/etc/suauth\fR\ 'u
+\fB/etc/suauth\fR
+.SH "DESCRIPTION"
+.PP
+The file
+/etc/suauth
+is referenced whenever the su command is called\&. It can change the behaviour of the su command, based upon:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+ 1) the user su is targeting
+
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+2) the user executing the su command (or any groups he might be a member of)
+.PP
+The file is formatted like this, with lines starting with a # being treated as comment lines and ignored;
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+ to\-id:from\-id:ACTION
+
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Where to\-id is either the word
+\fIALL\fR, a list of usernames delimited by "," or the words
+\fIALL EXCEPT\fR
+followed by a list of usernames delimited by ","\&.
+.PP
+from\-id is formatted the same as to\-id except the extra word
+\fIGROUP\fR
+is recognized\&.
+\fIALL EXCEPT GROUP\fR
+is perfectly valid too\&. Following
+\fIGROUP\fR
+appears one or more group names, delimited by ","\&. It is not sufficient to have primary group id of the relevant group, an entry in
+\fB/etc/group\fR(5)
+is necessary\&.
+.PP
+Action can be one only of the following currently supported options\&.
+.PP
+\fIDENY\fR
+.RS 4
+The attempt to su is stopped before a password is even asked for\&.
+.RE
+.PP
+\fINOPASS\fR
+.RS 4
+The attempt to su is automatically successful; no password is asked for\&.
+.RE
+.PP
+\fIOWNPASS\fR
+.RS 4
+For the su command to be successful, the user must enter his or her own password\&. They are told this\&.
+.RE
+.PP
+Note there are three separate fields delimited by a colon\&. No whitespace must surround this colon\&. Also note that the file is examined sequentially line by line, and the first applicable rule is used without examining the file further\&. This makes it possible for a system administrator to exercise as fine control as he or she wishes\&.
+.SH "EXAMPLE"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+ # sample /etc/suauth file
+ #
+ # A couple of privileged usernames may
+ # su to root with their own password\&.
+ #
+ root:chris,birddog:OWNPASS
+ #
+ # Anyone else may not su to root unless in
+ # group wheel\&. This is how BSD does things\&.
+ #
+ root:ALL EXCEPT GROUP wheel:DENY
+ #
+ # Perhaps terry and birddog are accounts
+ # owned by the same person\&.
+ # Access can be arranged between them
+ # with no password\&.
+ #
+ terry:birddog:NOPASS
+ birddog:terry:NOPASS
+ #
+
+.fi
+.if n \{\
+.RE
+.\}
+.SH "FILES"
+.PP
+/etc/suauth
+.RS 4
+.RE
+.SH "BUGS"
+.PP
+There could be plenty lurking\&. The file parser is particularly unforgiving about syntax errors, expecting no spurious whitespace (apart from beginning and end of lines), and a specific token delimiting different things\&.
+.SH "DIAGNOSTICS"
+.PP
+An error parsing the file is reported using
+\fBsyslogd\fR(8)
+as level ERR on facility AUTH\&.
+.SH "SEE ALSO"
+.PP
+\fBsu\fR(1)\&.