HardenedBSD/eBones/man/ksu.1
csgr 105186eeee Initial import of eBones.
(Including all changes for FreeBSD - importing the original eBones distribution
would be too complex at this stage, since I don't have access to Piero's 
CVS.)
(If you want to include eBones in your system, don't forget to include
MAKE_EBONES in /etc/make.conf.)
(This stuff is now also suppable from braae.ru.ac.za.)

Bones originally from MIT SIPB.
Original port to FreeBSD 1.x  by Piero Serini.
Moved to FreeBSD 2.0 by Doug Rabson and Geoff Rehmet.
Nice bug fixes from Doug Rabson.
1994-09-30 14:50:09 +00:00

84 lines
3.6 KiB
Groff

.\" from: ksu.1,v 4.1 89/01/23 11:38:16 jtkohl Exp $
.\" $Id: ksu.1,v 1.2 1994/07/19 19:27:57 g89r4222 Exp $
.\"
.\" Copyright (c) 1988 The Regents of the University of California.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms are permitted
.\" provided that the above copyright notice and this paragraph are
.\" duplicated in all such forms and that any documentation,
.\" advertising materials, and other materials related to such
.\" distribution and use acknowledge that the software was developed
.\" by the University of California, Berkeley. The name of the
.\" University may not be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.\" @(#)su.1 6.7 (Berkeley) 12/7/88
.\"
.TH KSU 1 "Kerberos Version 4.0" "MIT Project Athena"
.UC
.SH NAME
ksu \- substitute user id, using Kerberos
.SH SYNOPSIS
.B ksu
[-flm] [login]
.SH DESCRIPTION
\fIKsu\fP requests the password for \fIlogin\fP (or for ``root'', if no
login is provided), and switches to that user and group ID. A shell is
then invoked.
.PP
By default, your environment is unmodified with the exception of
\fIUSER\fP, \fIHOME\fP, and \fISHELL\fP. \fIHOME\fP and \fISHELL\fP
are set to the target login's \fI/etc/passwd\fP values. \fIUSER\fP
is set to the target login, unless the target login has a UID of 0,
in which case it is unmodified. The invoked shell is the target
login's. This is the traditional behavior of \fIksu\fP.
.PP
The \fI-l\fP option simulates a full login. The environment is discarded
except for \fIHOME\fP, \fISHELL\fP, \fIPATH\fP, \fITERM\fP, and \fIUSER\fP.
\fIHOME\fP and \fISHELL\fP are modified as above. \fIUSER\fP is set to
the target login. \fIPATH\fP is set to ``/usr/ucb:/bin:/usr/bin''.
\fITERM\fP is imported from your current environment. The invoked shell
is the target login's, and \fIksu\fP will change directory to the target
login's home directory.
.PP
The \fI-m\fP option causes the environment to remain unmodified, and
the invoked shell to be your login shell. No directory changes are
made. As a security precaution, if the
.I -m
option is specified, the target user's shell is a non-standard shell
(as defined by \fIgetusershell\fP(3)) and the caller's real uid is
non-zero,
.I su
will fail.
.PP
If the invoked shell is \fIcsh\fP, the \fI-f\fP option prevents it from
reading the \fI.cshrc\fP file. Otherwise, this option is ignored.
.PP
Only users with root instances listed in /\&.klogin may \fIksu\fP to
``root'' (The format of this file is described by \fIrlogin\fP(1).). When
attempting root access, \fIksu\fP attempts to fetch a
ticket-granting-ticket for ``username.root@localrealm'', where
\fIusername\fP is the username of the process. If possible, the tickets
are used to obtain, use, and verify tickets for the service
``rcmd.host@localrealm'' where \fIhost\fP is the canonical host name (as
determined by
.IR krb_get_phost (3))
of the machine. If this verification
fails, the \fIksu\fP is disallowed (If the service
``rcmd.host@localrealm'' is not registered, the \fIksu\fP is allowed.).
.PP
By default (unless the prompt is reset by a startup file) the super-user
prompt is set to ``#'' to remind one of its awesome power.
.PP
When not attempting to switch to the ``root'' user,
.I ksu
behaves exactly like
.IR su (1).
.SH "SEE ALSO"
su(1), csh(1), login(1), rlogin(1), sh(1), krb_get_phost(3), passwd(5),
group(5), environ(7)