SU1

Section: User Commands (1)

NAME

su1 - execute one command as the superuser  

SYNOPSIS

su1 command [argument] ...  

DESCRIPTION

The su1 program allows selected users to run selected commands as root, while optionally requiring a password and also optionally logging the commands to a log file. If desired, the password for a command can differ from the real root password, and can even differ among different commands.

The commands allowable for a user can either be any command at all, a completely specified command with no possible variation, or else a prefix to a command where the user is allowed to add extra arguments to the end of the command.

It is up to the administrator to make sure that the commands allowed are secure (if that is required). For example, allowing users to run a shell or a program which can fork a shell lets the users do anything they want to the system.  

PRIVILEGE FILE

The su1 program examines a file called "/etc/su1.priv" for determining which users can execute which commands. This file must be owned by root and be non-writable for non-owners.

The privilege file contains a list of directives, one per line, which are examined in sequence. These directives change the state of some internal variables (such as a log file path and a password). When a directive is seen which allows the user to execute his command, the state of the variables at that time is used. Since the state can change many times as the file is read, different states can apply for different commands.

Comment lines begin with hash marks, and are ignored. Continuation lines are indicated by a backslash at the end of a line. These join the line to the next one with a single space added at the location of the join. Multiple continuation lines are allowed.

The following is the list of directives, with their arguments. Words enclosed in angle brackets represent required values which can be varied. Words enclosed in square brackets represent optional values, and trailing dots indicate that multiple values can be specified.

define <list-name> [word] ...
This defines a list of words which are represented by the given list name. Lists are used for two different purposes. The first use is to define a list of user names which are to be treated in an identical manner. In this case, it is recommended that the list name be in upper case so as not to confuse it with a real user name. The second use is to define the replacement arguments for a command alias.
paths <absolute-path> ...
This specifies the paths which are to be searched in order when a command is executed. The path names must all begin with a slash. The initial paths are set to "/bin", "/usr/bin", and "/etc".
logfile <log-file-name>
This specifies the path name of the log file where commands which are executed are logged. The logged information gives the user name, the date and time, and the command with arguments. The initial log file is "/etc/su1.log". If you do not wish logging, then set the log file to "/dev/null".
password [password]
This specifies the password that might be required before a command is executed. If a password is given here, then that is the password required (after encryption). If no password is given, then the usual root password is required. When entering a password here, you can easily generate it by setting the password for a dummy account, then copying the encrypted password from the "/etc/passwd" file. The initial password is the root password.
ask <keyword>
This specifies whether or not a password is required for a command. The keyword is one of "always" or "never". Using "always" means that a password is required for every command executed. Using "never" means that no password is required for the command.
allow <user> <type> [command] ...
This specifies that a particular command can be executed by a particular user, or a list of users. The <user> argument is either a single user name, or else the name of a list of users that had been specified by a previous "define" directive. List names are looked for first, and if not found, then a user name is assumed. The special name of "*" means ALL users.

The <type> argument can be one of "any", "exact", or "prefix". This specifies the amount by which the specified command can be modified. "Any" means that the user can execute any command (and so no command is specified in the directive). The user's command is executed using the normal search list defined by the user's PATH environment variable. "Exact" means that the user's command must match the specified command exactly. "Prefix" means that the user can execute any command which begins with the specified command by adding further arguments to the command.

In the "exact" and "prefix" cases, the command is usually executed using the search list specified in the most recent "paths" directive. However, the command can be an absolute path name, in which case it is run only from the specified path. If the command name matches a list name from a previous "define" directive, then the command name is an alias and is replaced by all of the words in the defined list. Extra arguments given on the "allow" directive or supplied by the user are added to the end of the replaced command.

refuse <user> <type> [command] ...
The arguments to this are the same as to the "allow" directive. The difference is that if the user and command match, then the command is refused instead of executed. Refusal also stops the search through the privilege file for further commands. The purpose of this directive is to deny commands to a list of users.

The following is an example of a (not very useful) "/etc/su1.priv" file:

    define  GODS    dbell nina
    define  rmcore  rm -f core

    paths   /bin /usr/bin /etc

    ask     never
    logfile /dev/null

    allow   root   any

    ask     always
    logfile /etc/su1.log
    password WBg20dVsRLaqk

    allow   GODS    exact   rmcore
    refuse  fred    exact   ls -l
    allow   *       prefix  ls

    password QWkree5fjIYam
    logfile /etc/su1.fsck-log

    allow   sam     prefix  fsck

This file allows root to execute any command without passwords and without logging. It allows users dbell and nina to remove a core file anywhere when a password is given, and it is logged. It allows all users to execute ls when a password is given, and is logged (except that fred cannot execute ls -l). It allows sam to execute fsck with logging to a separate file, and with a different password than is required for the other commands.  
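The in-order evaluation described in this section can be checked offline before a privilege file is installed. The Python helper below is an added example, not part of su1 or of this manual page; it reports which "allow" or "refuse" directive decides a request and the log file, password and "ask" state in force at that line. Assumptions: the initial "ask" value is "always", "exact" and "prefix" compare whole words, the user types the alias name, a request that matches no directive is reported as "no-match", and "paths" is not tracked because it affects command lookup only.

```python
# The example privilege file from this page, embedded so the script runs offline.
EXAMPLE_PRIV = """
define  GODS    dbell nina
define  rmcore  rm -f core
paths   /bin /usr/bin /etc
ask     never
logfile /dev/null
allow   root   any
ask     always
logfile /etc/su1.log
password WBg20dVsRLaqk
allow   GODS    exact   rmcore
refuse  fred    exact   ls -l
allow   *       prefix  ls
password QWkree5fjIYam
logfile /etc/su1.fsck-log
allow   sam     prefix  fsck
"""

def logical_lines(text):
    """Join backslash continuations with one space, skip comments, split into words."""
    for line in text.replace("\\\n", " ").splitlines():
        words = line.split()
        if words and not words[0].startswith("#"):
            yield words

def evaluate(priv_text, user, argv):
    """Return the first matching allow/refuse and the state in force at that line."""
    lists = {}
    # Documented defaults (None = root password); initial "ask" is an assumption.
    state = {"logfile": "/etc/su1.log", "password": None, "ask": "always"}
    for name, *args in logical_lines(priv_text):
        if name == "define":
            lists[args[0]] = args[1:]
        elif name in ("logfile", "ask"):
            state[name] = args[0]
        elif name == "password":
            state["password"] = args[0] if args else None
        elif name in ("allow", "refuse"):
            who, kind, cmd = args[0], args[1], args[2:]
            if who != "*" and user not in lists.get(who, [who]):
                continue  # list names are looked up first, then a plain user name
            # Assumption: "exact"/"prefix" compare whole words typed by the user.
            if kind == "any" or (kind == "exact" and argv == cmd) or (
                    kind == "prefix" and argv[:len(cmd)] == cmd):
                alias = cmd and cmd[0] in lists  # assumption: user types the alias
                run = lists[cmd[0]] + argv[1:] if alias else list(argv)
                return {"decision": name, "run": run, **state}
    return {"decision": "no-match", "run": [], **state}
```

Calling `evaluate(EXAMPLE_PRIV, "fred", ["ls", "-l", "/tmp"])` returns an "allow" decision: the "exact" refusal covers only the two words `ls -l`, so the later `allow * prefix ls` line decides any longer command.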

AUTHOR

David I. Bell


 


This document was created by man2html, using the manual pages.
Time: 04:30:06 GMT, December 07, 2024