mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-18 17:00:49 +01:00
60643d379b
(Including all changes for FreeBSD - importing the original eBones distribution would be too complex at this stage, since I don't have access to Piero's CVS.) (If you want to include eBones in your system, don't forget to include MAKE_EBONES in /etc/make.conf.) (This stuff is now also suppable from braae.ru.ac.za.) Bones originally from MIT SIPB. Original port to FreeBSD 1.x by Piero Serini. Moved to FreeBSD 2.0 by Doug Rabson and Geoff Rehmet. Nice bug fixes from Doug Rabson.
84 lines
3.6 KiB
Groff
84 lines
3.6 KiB
Groff
.\" from: ksu.1,v 4.1 89/01/23 11:38:16 jtkohl Exp $
|
|
.\" $Id: ksu.1,v 1.2 1994/07/19 19:27:57 g89r4222 Exp $
|
|
.\"
|
|
.\" Copyright (c) 1988 The Regents of the University of California.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms are permitted
|
|
.\" provided that the above copyright notice and this paragraph are
|
|
.\" duplicated in all such forms and that any documentation,
|
|
.\" advertising materials, and other materials related to such
|
|
.\" distribution and use acknowledge that the software was developed
|
|
.\" by the University of California, Berkeley. The name of the
|
|
.\" University may not be used to endorse or promote products derived
|
|
.\" from this software without specific prior written permission.
|
|
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
|
|
.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
|
.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
|
.\"
|
|
.\" @(#)su.1 6.7 (Berkeley) 12/7/88
|
|
.\"
|
|
.TH KSU 1 "Kerberos Version 4.0" "MIT Project Athena"
|
|
.UC
|
|
.SH NAME
|
|
ksu \- substitute user id, using Kerberos
|
|
.SH SYNOPSIS
|
|
.B ksu
|
|
[-flm] [login]
|
|
.SH DESCRIPTION
|
|
\fIKsu\fP requests the password for \fIlogin\fP (or for ``root'', if no
|
|
login is provided), and switches to that user and group ID. A shell is
|
|
then invoked.
|
|
.PP
|
|
By default, your environment is unmodified with the exception of
|
|
\fIUSER\fP, \fIHOME\fP, and \fISHELL\fP. \fIHOME\fP and \fISHELL\fP
|
|
are set to the target login's \fI/etc/passwd\fP values. \fIUSER\fP
|
|
is set to the target login, unless the target login has a UID of 0,
|
|
in which case it is unmodified. The invoked shell is the target
|
|
login's. This is the traditional behavior of \fIksu\fP.
|
|
.PP
|
|
The \fI-l\fP option simulates a full login. The environment is discarded
|
|
except for \fIHOME\fP, \fISHELL\fP, \fIPATH\fP, \fITERM\fP, and \fIUSER\fP.
|
|
\fIHOME\fP and \fISHELL\fP are modified as above. \fIUSER\fP is set to
|
|
the target login. \fIPATH\fP is set to ``/usr/ucb:/bin:/usr/bin''.
|
|
\fITERM\fP is imported from your current environment. The invoked shell
|
|
is the target login's, and \fIksu\fP will change directory to the target
|
|
login's home directory.
|
|
.PP
|
|
The \fI-m\fP option causes the environment to remain unmodified, and
|
|
the invoked shell to be your login shell. No directory changes are
|
|
made. As a security precaution, if the
|
|
.I -m
|
|
option is specified, the target user's shell is a non-standard shell
|
|
(as defined by \fIgetusershell\fP(3)) and the caller's real uid is
|
|
non-zero,
|
|
.I su
|
|
will fail.
|
|
.PP
|
|
If the invoked shell is \fIcsh\fP, the \fI-f\fP option prevents it from
|
|
reading the \fI.cshrc\fP file. Otherwise, this option is ignored.
|
|
.PP
|
|
Only users with root instances listed in /\&.klogin may \fIksu\fP to
|
|
``root'' (The format of this file is described by \fIrlogin\fP(1).). When
|
|
attempting root access, \fIksu\fP attempts to fetch a
|
|
ticket-granting-ticket for ``username.root@localrealm'', where
|
|
\fIusername\fP is the username of the process. If possible, the tickets
|
|
are used to obtain, use, and verify tickets for the service
|
|
``rcmd.host@localrealm'' where \fIhost\fP is the canonical host name (as
|
|
determined by
|
|
.IR krb_get_phost (3))
|
|
of the machine. If this verification
|
|
fails, the \fIksu\fP is disallowed (If the service
|
|
``rcmd.host@localrealm'' is not registered, the \fIksu\fP is allowed.).
|
|
.PP
|
|
By default (unless the prompt is reset by a startup file) the super-user
|
|
prompt is set to ``#'' to remind one of its awesome power.
|
|
.PP
|
|
When not attempting to switch to the ``root'' user,
|
|
.I ksu
|
|
behaves exactly like
|
|
.IR su (1).
|
|
.SH "SEE ALSO"
|
|
su(1), csh(1), login(1), rlogin(1), sh(1), krb_get_phost(3), passwd(5),
|
|
group(5), environ(7)
|