mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-29 20:54:13 +01:00
84 lines
3.6 KiB
Groff
84 lines
3.6 KiB
Groff
|
.\" from: ksu.1,v 4.1 89/01/23 11:38:16 jtkohl Exp $
|
||
|
.\" $Id: ksu.1,v 1.2 1994/07/19 19:27:57 g89r4222 Exp $
|
||
|
.\"
|
||
|
.\" Copyright (c) 1988 The Regents of the University of California.
|
||
|
.\" All rights reserved.
|
||
|
.\"
|
||
|
.\" Redistribution and use in source and binary forms are permitted
|
||
|
.\" provided that the above copyright notice and this paragraph are
|
||
|
.\" duplicated in all such forms and that any documentation,
|
||
|
.\" advertising materials, and other materials related to such
|
||
|
.\" distribution and use acknowledge that the software was developed
|
||
|
.\" by the University of California, Berkeley. The name of the
|
||
|
.\" University may not be used to endorse or promote products derived
|
||
|
.\" from this software without specific prior written permission.
|
||
|
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
|
||
|
.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
||
|
.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
.\"
|
||
|
.\" @(#)su.1 6.7 (Berkeley) 12/7/88
|
||
|
.\"
|
||
|
.TH KSU 1 "Kerberos Version 4.0" "MIT Project Athena"
|
||
|
.UC
|
||
|
.SH NAME
|
||
|
ksu \- substitute user id, using Kerberos
|
||
|
.SH SYNOPSIS
|
||
|
.B ksu
|
||
|
[-flm] [login]
|
||
|
.SH DESCRIPTION
|
||
|
\fIKsu\fP requests the password for \fIlogin\fP (or for ``root'', if no
|
||
|
login is provided), and switches to that user and group ID. A shell is
|
||
|
then invoked.
|
||
|
.PP
|
||
|
By default, your environment is unmodified with the exception of
|
||
|
\fIUSER\fP, \fIHOME\fP, and \fISHELL\fP. \fIHOME\fP and \fISHELL\fP
|
||
|
are set to the target login's \fI/etc/passwd\fP values. \fIUSER\fP
|
||
|
is set to the target login, unless the target login has a UID of 0,
|
||
|
in which case it is unmodified. The invoked shell is the target
|
||
|
login's. This is the traditional behavior of \fIksu\fP.
|
||
|
.PP
|
||
|
The \fI-l\fP option simulates a full login. The environment is discarded
|
||
|
except for \fIHOME\fP, \fISHELL\fP, \fIPATH\fP, \fITERM\fP, and \fIUSER\fP.
|
||
|
\fIHOME\fP and \fISHELL\fP are modified as above. \fIUSER\fP is set to
|
||
|
the target login. \fIPATH\fP is set to ``/usr/ucb:/bin:/usr/bin''.
|
||
|
\fITERM\fP is imported from your current environment. The invoked shell
|
||
|
is the target login's, and \fIksu\fP will change directory to the target
|
||
|
login's home directory.
|
||
|
.PP
|
||
|
The \fI-m\fP option causes the environment to remain unmodified, and
|
||
|
the invoked shell to be your login shell. No directory changes are
|
||
|
made. As a security precaution, if the
|
||
|
.I -m
|
||
|
option is specified, the target user's shell is a non-standard shell
|
||
|
(as defined by \fIgetusershell\fP(3)) and the caller's real uid is
|
||
|
non-zero,
|
||
|
.I su
|
||
|
will fail.
|
||
|
.PP
|
||
|
If the invoked shell is \fIcsh\fP, the \fI-f\fP option prevents it from
|
||
|
reading the \fI.cshrc\fP file. Otherwise, this option is ignored.
|
||
|
.PP
|
||
|
Only users with root instances listed in /\&.klogin may \fIksu\fP to
|
||
|
``root'' (The format of this file is described by \fIrlogin\fP(1).). When
|
||
|
attempting root access, \fIksu\fP attempts to fetch a
|
||
|
ticket-granting-ticket for ``username.root@localrealm'', where
|
||
|
\fIusername\fP is the username of the process. If possible, the tickets
|
||
|
are used to obtain, use, and verify tickets for the service
|
||
|
``rcmd.host@localrealm'' where \fIhost\fP is the canonical host name (as
|
||
|
determined by
|
||
|
.IR krb_get_phost (3))
|
||
|
of the machine. If this verification
|
||
|
fails, the \fIksu\fP is disallowed (If the service
|
||
|
``rcmd.host@localrealm'' is not registered, the \fIksu\fP is allowed.).
|
||
|
.PP
|
||
|
By default (unless the prompt is reset by a startup file) the super-user
|
||
|
prompt is set to ``#'' to remind one of its awesome power.
|
||
|
.PP
|
||
|
When not attempting to switch to the ``root'' user,
|
||
|
.I ksu
|
||
|
behaves exactly like
|
||
|
.IR su (1).
|
||
|
.SH "SEE ALSO"
|
||
|
su(1), csh(1), login(1), rlogin(1), sh(1), krb_get_phost(3), passwd(5),
|
||
|
group(5), environ(7)
|