|
jpayne@68
|
1 .\" Man page generated from reStructuredText.
|
|
jpayne@68
|
2 .
|
|
jpayne@68
|
3 .TH "KSU" "1" " " "1.20.1" "MIT Kerberos"
|
|
jpayne@68
|
4 .SH NAME
|
|
jpayne@68
|
5 ksu \- Kerberized super-user
|
|
jpayne@68
|
6 .
|
|
jpayne@68
|
7 .nr rst2man-indent-level 0
|
|
jpayne@68
|
8 .
|
|
jpayne@68
|
9 .de1 rstReportMargin
|
|
jpayne@68
|
10 \\$1 \\n[an-margin]
|
|
jpayne@68
|
11 level \\n[rst2man-indent-level]
|
|
jpayne@68
|
12 level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
13 -
|
|
jpayne@68
|
14 \\n[rst2man-indent0]
|
|
jpayne@68
|
15 \\n[rst2man-indent1]
|
|
jpayne@68
|
16 \\n[rst2man-indent2]
|
|
jpayne@68
|
17 ..
|
|
jpayne@68
|
18 .de1 INDENT
|
|
jpayne@68
|
19 .\" .rstReportMargin pre:
|
|
jpayne@68
|
20 . RS \\$1
|
|
jpayne@68
|
21 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
jpayne@68
|
22 . nr rst2man-indent-level +1
|
|
jpayne@68
|
23 .\" .rstReportMargin post:
|
|
jpayne@68
|
24 ..
|
|
jpayne@68
|
25 .de UNINDENT
|
|
jpayne@68
|
26 . RE
|
|
jpayne@68
|
27 .\" indent \\n[an-margin]
|
|
jpayne@68
|
28 .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
29 .nr rst2man-indent-level -1
|
|
jpayne@68
|
30 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
31 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
jpayne@68
|
32 ..
|
|
jpayne@68
|
33 .SH SYNOPSIS
|
|
jpayne@68
|
34 .sp
|
|
jpayne@68
|
35 \fBksu\fP
|
|
jpayne@68
|
36 [ \fItarget_user\fP ]
|
|
jpayne@68
|
37 [ \fB\-n\fP \fItarget_principal_name\fP ]
|
|
jpayne@68
|
38 [ \fB\-c\fP \fIsource_cache_name\fP ]
|
|
jpayne@68
|
39 [ \fB\-k\fP ]
|
|
jpayne@68
|
40 [ \fB\-r\fP time ]
|
|
jpayne@68
|
41 [ \fB\-p\fP | \fB\-P\fP]
|
|
jpayne@68
|
42 [ \fB\-f\fP | \fB\-F\fP]
|
|
jpayne@68
|
43 [ \fB\-l\fP \fIlifetime\fP ]
|
|
jpayne@68
|
44 [ \fB\-z | Z\fP ]
|
|
jpayne@68
|
45 [ \fB\-q\fP ]
|
|
jpayne@68
|
46 [ \fB\-e\fP \fIcommand\fP [ args ... ] ] [ \fB\-a\fP [ args ... ] ]
|
|
jpayne@68
|
47 .SH REQUIREMENTS
|
|
jpayne@68
|
48 .sp
|
|
jpayne@68
|
49 Must have Kerberos version 5 installed to compile ksu. Must have a
|
|
jpayne@68
|
50 Kerberos version 5 server running to use ksu.
|
|
jpayne@68
|
51 .SH DESCRIPTION
|
|
jpayne@68
|
52 .sp
|
|
jpayne@68
|
53 ksu is a Kerberized version of the su program that has two missions:
|
|
jpayne@68
|
54 one is to securely change the real and effective user ID to that of
|
|
jpayne@68
|
55 the target user, and the other is to create a new security context.
|
|
jpayne@68
|
56 .sp
|
|
jpayne@68
|
57 \fBNOTE:\fP
|
|
jpayne@68
|
58 .INDENT 0.0
|
|
jpayne@68
|
59 .INDENT 3.5
|
|
jpayne@68
|
60 For the sake of clarity, all references to and attributes of
|
|
jpayne@68
|
61 the user invoking the program will start with "source"
|
|
jpayne@68
|
62 (e.g., "source user", "source cache", etc.).
|
|
jpayne@68
|
63 .sp
|
|
jpayne@68
|
64 Likewise, all references to and attributes of the target
|
|
jpayne@68
|
65 account will start with "target".
|
|
jpayne@68
|
66 .UNINDENT
|
|
jpayne@68
|
67 .UNINDENT
|
|
jpayne@68
|
68 .SH AUTHENTICATION
|
|
jpayne@68
|
69 .sp
|
|
jpayne@68
|
70 To fulfill the first mission, ksu operates in two phases:
|
|
jpayne@68
|
71 authentication and authorization. Resolving the target principal name
|
|
jpayne@68
|
72 is the first step in authentication. The user can either specify his
|
|
jpayne@68
|
73 principal name with the \fB\-n\fP option (e.g., \fB\-n jqpublic@USC.EDU\fP)
|
|
jpayne@68
|
74 or a default principal name will be assigned using a heuristic
|
|
jpayne@68
|
75 described in the OPTIONS section (see \fB\-n\fP option). The target user
|
|
jpayne@68
|
76 name must be the first argument to ksu; if not specified root is the
|
|
jpayne@68
|
77 default. If \fB\&.\fP is specified then the target user will be the
|
|
jpayne@68
|
78 source user (e.g., \fBksu .\fP). If the source user is root or the
|
|
jpayne@68
|
79 target user is the source user, no authentication or authorization
|
|
jpayne@68
|
80 takes place. Otherwise, ksu looks for an appropriate Kerberos ticket
|
|
jpayne@68
|
81 in the source cache.
|
|
jpayne@68
|
82 .sp
|
|
jpayne@68
|
83 The ticket can either be for the end\-server or a ticket granting
|
|
jpayne@68
|
84 ticket (TGT) for the target principal\(aqs realm. If the ticket for the
|
|
jpayne@68
|
85 end\-server is already in the cache, it\(aqs decrypted and verified. If
|
|
jpayne@68
|
86 it\(aqs not in the cache but the TGT is, the TGT is used to obtain the
|
|
jpayne@68
|
87 ticket for the end\-server. The end\-server ticket is then verified.
|
|
jpayne@68
|
88 If neither ticket is in the cache, but ksu is compiled with the
|
|
jpayne@68
|
89 \fBGET_TGT_VIA_PASSWD\fP define, the user will be prompted for a
|
|
jpayne@68
|
90 Kerberos password which will then be used to get a TGT. If the user
|
|
jpayne@68
|
91 is logged in remotely and does not have a secure channel, the password
|
|
jpayne@68
|
92 may be exposed. If neither ticket is in the cache and
|
|
jpayne@68
|
93 \fBGET_TGT_VIA_PASSWD\fP is not defined, authentication fails.
|
|
jpayne@68
|
94 .SH AUTHORIZATION
|
|
jpayne@68
|
95 .sp
|
|
jpayne@68
|
96 This section describes authorization of the source user when ksu is
|
|
jpayne@68
|
97 invoked without the \fB\-e\fP option. For a description of the \fB\-e\fP
|
|
jpayne@68
|
98 option, see the OPTIONS section.
|
|
jpayne@68
|
99 .sp
|
|
jpayne@68
|
100 Upon successful authentication, ksu checks whether the target
|
|
jpayne@68
|
101 principal is authorized to access the target account. In the target
|
|
jpayne@68
|
102 user\(aqs home directory, ksu attempts to access two authorization files:
|
|
jpayne@68
|
103 \&.k5login(5) and .k5users. In the .k5login file each line
|
|
jpayne@68
|
104 contains the name of a principal that is authorized to access the
|
|
jpayne@68
|
105 account.
|
|
jpayne@68
|
106 .sp
|
|
jpayne@68
|
107 For example:
|
|
jpayne@68
|
108 .INDENT 0.0
|
|
jpayne@68
|
109 .INDENT 3.5
|
|
jpayne@68
|
110 .sp
|
|
jpayne@68
|
111 .nf
|
|
jpayne@68
|
112 .ft C
|
|
jpayne@68
|
113 jqpublic@USC.EDU
|
|
jpayne@68
|
114 jqpublic/secure@USC.EDU
|
|
jpayne@68
|
115 jqpublic/admin@USC.EDU
|
|
jpayne@68
|
116 .ft P
|
|
jpayne@68
|
117 .fi
|
|
jpayne@68
|
118 .UNINDENT
|
|
jpayne@68
|
119 .UNINDENT
|
|
jpayne@68
|
120 .sp
|
|
jpayne@68
|
121 The format of .k5users is the same, except the principal name may be
|
|
jpayne@68
|
122 followed by a list of commands that the principal is authorized to
|
|
jpayne@68
|
123 execute (see the \fB\-e\fP option in the OPTIONS section for details).
|
|
jpayne@68
|
124 .sp
|
|
jpayne@68
|
125 Thus if the target principal name is found in the .k5login file the
|
|
jpayne@68
|
126 source user is authorized to access the target account. Otherwise ksu
|
|
jpayne@68
|
127 looks in the .k5users file. If the target principal name is found
|
|
jpayne@68
|
128 without any trailing commands or followed only by \fB*\fP then the
|
|
jpayne@68
|
129 source user is authorized. If either .k5login or .k5users exist but
|
|
jpayne@68
|
130 an appropriate entry for the target principal does not exist then
|
|
jpayne@68
|
131 access is denied. If neither file exists then the principal will be
|
|
jpayne@68
|
132 granted access to the account according to the aname\->lname mapping
|
|
jpayne@68
|
133 rules. Otherwise, authorization fails.
|
|
jpayne@68
|
134 .SH EXECUTION OF THE TARGET SHELL
|
|
jpayne@68
|
135 .sp
|
|
jpayne@68
|
136 Upon successful authentication and authorization, ksu proceeds in a
|
|
jpayne@68
|
137 similar fashion to su. The environment is unmodified with the
|
|
jpayne@68
|
138 exception of USER, HOME and SHELL variables. If the target user is
|
|
jpayne@68
|
139 not root, USER gets set to the target user name. Otherwise USER
|
|
jpayne@68
|
140 remains unchanged. Both HOME and SHELL are set to the target login\(aqs
|
|
jpayne@68
|
141 default values. In addition, the environment variable \fBKRB5CCNAME\fP
|
|
jpayne@68
|
142 gets set to the name of the target cache. The real and effective user
|
|
jpayne@68
|
143 ID are changed to that of the target user. The target user\(aqs shell is
|
|
jpayne@68
|
144 then invoked (the shell name is specified in the password file). Upon
|
|
jpayne@68
|
145 termination of the shell, ksu deletes the target cache (unless ksu is
|
|
jpayne@68
|
146 invoked with the \fB\-k\fP option). This is implemented by first doing a
|
|
jpayne@68
|
147 fork and then an exec, instead of just exec, as done by su.
|
|
jpayne@68
|
148 .SH CREATING A NEW SECURITY CONTEXT
|
|
jpayne@68
|
149 .sp
|
|
jpayne@68
|
150 ksu can be used to create a new security context for the target
|
|
jpayne@68
|
151 program (either the target shell, or command specified via the \fB\-e\fP
|
|
jpayne@68
|
152 option). The target program inherits a set of credentials from the
|
|
jpayne@68
|
153 source user. By default, this set includes all of the credentials in
|
|
jpayne@68
|
154 the source cache plus any additional credentials obtained during
|
|
jpayne@68
|
155 authentication. The source user is able to limit the credentials in
|
|
jpayne@68
|
156 this set by using \fB\-z\fP or \fB\-Z\fP option. \fB\-z\fP restricts the copy
|
|
jpayne@68
|
157 of tickets from the source cache to the target cache to only the
|
|
jpayne@68
|
158 tickets where client == the target principal name. The \fB\-Z\fP option
|
|
jpayne@68
|
159 provides the target user with a fresh target cache (no creds in the
|
|
jpayne@68
|
160 cache). Note that for security reasons, when the source user is root
|
|
jpayne@68
|
161 and target user is non\-root, \fB\-z\fP option is the default mode of
|
|
jpayne@68
|
162 operation.
|
|
jpayne@68
|
163 .sp
|
|
jpayne@68
|
164 While no authentication takes place if the source user is root or is
|
|
jpayne@68
|
165 the same as the target user, additional tickets can still be obtained
|
|
jpayne@68
|
166 for the target cache. If \fB\-n\fP is specified and no credentials can
|
|
jpayne@68
|
167 be copied to the target cache, the source user is prompted for a
|
|
jpayne@68
|
168 Kerberos password (unless \fB\-Z\fP specified or \fBGET_TGT_VIA_PASSWD\fP
|
|
jpayne@68
|
169 is undefined). If successful, a TGT is obtained from the Kerberos
|
|
jpayne@68
|
170 server and stored in the target cache. Otherwise, if a password is
|
|
jpayne@68
|
171 not provided (user hit return) ksu continues in a normal mode of
|
|
jpayne@68
|
172 operation (the target cache will not contain the desired TGT). If the
|
|
jpayne@68
|
173 wrong password is typed in, ksu fails.
|
|
jpayne@68
|
174 .sp
|
|
jpayne@68
|
175 \fBNOTE:\fP
|
|
jpayne@68
|
176 .INDENT 0.0
|
|
jpayne@68
|
177 .INDENT 3.5
|
|
jpayne@68
|
178 During authentication, only the tickets that could be
|
|
jpayne@68
|
179 obtained without providing a password are cached in the
|
|
jpayne@68
|
180 source cache.
|
|
jpayne@68
|
181 .UNINDENT
|
|
jpayne@68
|
182 .UNINDENT
|
|
jpayne@68
|
183 .SH OPTIONS
|
|
jpayne@68
|
184 .INDENT 0.0
|
|
jpayne@68
|
185 .TP
|
|
jpayne@68
|
186 \fB\-n\fP \fItarget_principal_name\fP
|
|
jpayne@68
|
187 Specify a Kerberos target principal name. Used in authentication
|
|
jpayne@68
|
188 and authorization phases of ksu.
|
|
jpayne@68
|
189 .sp
|
|
jpayne@68
|
190 If ksu is invoked without \fB\-n\fP, a default principal name is
|
|
jpayne@68
|
191 assigned via the following heuristic:
|
|
jpayne@68
|
192 .INDENT 7.0
|
|
jpayne@68
|
193 .IP \(bu 2
|
|
jpayne@68
|
194 Case 1: source user is non\-root.
|
|
jpayne@68
|
195 .sp
|
|
jpayne@68
|
196 If the target user is the source user the default principal name
|
|
jpayne@68
|
197 is set to the default principal of the source cache. If the
|
|
jpayne@68
|
198 cache does not exist then the default principal name is set to
|
|
jpayne@68
|
199 \fBtarget_user@local_realm\fP\&. If the source and target users are
|
|
jpayne@68
|
200 different and neither \fB~target_user/.k5users\fP nor
|
|
jpayne@68
|
201 \fB~target_user/.k5login\fP exist then the default principal name
|
|
jpayne@68
|
202 is \fBtarget_user_login_name@local_realm\fP\&. Otherwise, starting
|
|
jpayne@68
|
203 with the first principal listed below, ksu checks if the
|
|
jpayne@68
|
204 principal is authorized to access the target account and whether
|
|
jpayne@68
|
205 there is a legitimate ticket for that principal in the source
|
|
jpayne@68
|
206 cache. If both conditions are met that principal becomes the
|
|
jpayne@68
|
207 default target principal, otherwise go to the next principal.
|
|
jpayne@68
|
208 .INDENT 2.0
|
|
jpayne@68
|
209 .IP a. 3
|
|
jpayne@68
|
210 default principal of the source cache
|
|
jpayne@68
|
211 .IP b. 3
|
|
jpayne@68
|
212 target_user@local_realm
|
|
jpayne@68
|
213 .IP c. 3
|
|
jpayne@68
|
214 source_user@local_realm
|
|
jpayne@68
|
215 .UNINDENT
|
|
jpayne@68
|
216 .sp
|
|
jpayne@68
|
217 If a\-c fails try any principal for which there is a ticket in
|
|
jpayne@68
|
218 the source cache and that is authorized to access the target
|
|
jpayne@68
|
219 account. If that fails select the first principal that is
|
|
jpayne@68
|
220 authorized to access the target account from the above list. If
|
|
jpayne@68
|
221 none are authorized and ksu is configured with
|
|
jpayne@68
|
222 \fBPRINC_LOOK_AHEAD\fP turned on, select the default principal as
|
|
jpayne@68
|
223 follows:
|
|
jpayne@68
|
224 .sp
|
|
jpayne@68
|
225 For each candidate in the above list, select an authorized
|
|
jpayne@68
|
226 principal that has the same realm name and first part of the
|
|
jpayne@68
|
227 principal name equal to the prefix of the candidate. For
|
|
jpayne@68
|
228 example if candidate a) is \fBjqpublic@ISI.EDU\fP and
|
|
jpayne@68
|
229 \fBjqpublic/secure@ISI.EDU\fP is authorized to access the target
|
|
jpayne@68
|
230 account then the default principal is set to
|
|
jpayne@68
|
231 \fBjqpublic/secure@ISI.EDU\fP\&.
|
|
jpayne@68
|
232 .IP \(bu 2
|
|
jpayne@68
|
233 Case 2: source user is root.
|
|
jpayne@68
|
234 .sp
|
|
jpayne@68
|
235 If the target user is non\-root then the default principal name
|
|
jpayne@68
|
236 is \fBtarget_user@local_realm\fP\&. Else, if the source cache
|
|
jpayne@68
|
237 exists the default principal name is set to the default
|
|
jpayne@68
|
238 principal of the source cache. If the source cache does not
|
|
jpayne@68
|
239 exist, default principal name is set to \fBroot\e@local_realm\fP\&.
|
|
jpayne@68
|
240 .UNINDENT
|
|
jpayne@68
|
241 .UNINDENT
|
|
jpayne@68
|
242 .sp
|
|
jpayne@68
|
243 \fB\-c\fP \fIsource_cache_name\fP
|
|
jpayne@68
|
244 .INDENT 0.0
|
|
jpayne@68
|
245 .INDENT 3.5
|
|
jpayne@68
|
246 Specify source cache name (e.g., \fB\-c FILE:/tmp/my_cache\fP). If
|
|
jpayne@68
|
247 \fB\-c\fP option is not used then the name is obtained from
|
|
jpayne@68
|
248 \fBKRB5CCNAME\fP environment variable. If \fBKRB5CCNAME\fP is not
|
|
jpayne@68
|
249 defined the source cache name is set to \fBkrb5cc_<source uid>\fP\&.
|
|
jpayne@68
|
250 The target cache name is automatically set to \fBkrb5cc_<target
|
|
jpayne@68
|
251 uid>.(gen_sym())\fP, where gen_sym generates a new number such that
|
|
jpayne@68
|
252 the resulting cache does not already exist. For example:
|
|
jpayne@68
|
253 .INDENT 0.0
|
|
jpayne@68
|
254 .INDENT 3.5
|
|
jpayne@68
|
255 .sp
|
|
jpayne@68
|
256 .nf
|
|
jpayne@68
|
257 .ft C
|
|
jpayne@68
|
258 krb5cc_1984.2
|
|
jpayne@68
|
259 .ft P
|
|
jpayne@68
|
260 .fi
|
|
jpayne@68
|
261 .UNINDENT
|
|
jpayne@68
|
262 .UNINDENT
|
|
jpayne@68
|
263 .UNINDENT
|
|
jpayne@68
|
264 .UNINDENT
|
|
jpayne@68
|
265 .INDENT 0.0
|
|
jpayne@68
|
266 .TP
|
|
jpayne@68
|
267 \fB\-k\fP
|
|
jpayne@68
|
268 Do not delete the target cache upon termination of the target
|
|
jpayne@68
|
269 shell or a command (\fB\-e\fP command). Without \fB\-k\fP, ksu deletes
|
|
jpayne@68
|
270 the target cache.
|
|
jpayne@68
|
271 .TP
|
|
jpayne@68
|
272 \fB\-z\fP
|
|
jpayne@68
|
273 Restrict the copy of tickets from the source cache to the target
|
|
jpayne@68
|
274 cache to only the tickets where client == the target principal
|
|
jpayne@68
|
275 name. Use the \fB\-n\fP option if you want the tickets for other then
|
|
jpayne@68
|
276 the default principal. Note that the \fB\-z\fP option is mutually
|
|
jpayne@68
|
277 exclusive with the \fB\-Z\fP option.
|
|
jpayne@68
|
278 .TP
|
|
jpayne@68
|
279 \fB\-Z\fP
|
|
jpayne@68
|
280 Don\(aqt copy any tickets from the source cache to the target cache.
|
|
jpayne@68
|
281 Just create a fresh target cache, where the default principal name
|
|
jpayne@68
|
282 of the cache is initialized to the target principal name. Note
|
|
jpayne@68
|
283 that the \fB\-Z\fP option is mutually exclusive with the \fB\-z\fP
|
|
jpayne@68
|
284 option.
|
|
jpayne@68
|
285 .TP
|
|
jpayne@68
|
286 \fB\-q\fP
|
|
jpayne@68
|
287 Suppress the printing of status messages.
|
|
jpayne@68
|
288 .UNINDENT
|
|
jpayne@68
|
289 .sp
|
|
jpayne@68
|
290 Ticket granting ticket options:
|
|
jpayne@68
|
291 .INDENT 0.0
|
|
jpayne@68
|
292 .TP
|
|
jpayne@68
|
293 \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-p\fP \fB\-P\fP \fB\-f\fP \fB\-F\fP
|
|
jpayne@68
|
294 The ticket granting ticket options only apply to the case where
|
|
jpayne@68
|
295 there are no appropriate tickets in the cache to authenticate the
|
|
jpayne@68
|
296 source user. In this case if ksu is configured to prompt users
|
|
jpayne@68
|
297 for a Kerberos password (\fBGET_TGT_VIA_PASSWD\fP is defined), the
|
|
jpayne@68
|
298 ticket granting ticket options that are specified will be used
|
|
jpayne@68
|
299 when getting a ticket granting ticket from the Kerberos server.
|
|
jpayne@68
|
300 .TP
|
|
jpayne@68
|
301 \fB\-l\fP \fIlifetime\fP
|
|
jpayne@68
|
302 (duration string.) Specifies the lifetime to be requested
|
|
jpayne@68
|
303 for the ticket; if this option is not specified, the default ticket
|
|
jpayne@68
|
304 lifetime (12 hours) is used instead.
|
|
jpayne@68
|
305 .TP
|
|
jpayne@68
|
306 \fB\-r\fP \fItime\fP
|
|
jpayne@68
|
307 (duration string.) Specifies that the \fBrenewable\fP option
|
|
jpayne@68
|
308 should be requested for the ticket, and specifies the desired
|
|
jpayne@68
|
309 total lifetime of the ticket.
|
|
jpayne@68
|
310 .TP
|
|
jpayne@68
|
311 \fB\-p\fP
|
|
jpayne@68
|
312 specifies that the \fBproxiable\fP option should be requested for
|
|
jpayne@68
|
313 the ticket.
|
|
jpayne@68
|
314 .TP
|
|
jpayne@68
|
315 \fB\-P\fP
|
|
jpayne@68
|
316 specifies that the \fBproxiable\fP option should not be requested
|
|
jpayne@68
|
317 for the ticket, even if the default configuration is to ask for
|
|
jpayne@68
|
318 proxiable tickets.
|
|
jpayne@68
|
319 .TP
|
|
jpayne@68
|
320 \fB\-f\fP
|
|
jpayne@68
|
321 option specifies that the \fBforwardable\fP option should be
|
|
jpayne@68
|
322 requested for the ticket.
|
|
jpayne@68
|
323 .TP
|
|
jpayne@68
|
324 \fB\-F\fP
|
|
jpayne@68
|
325 option specifies that the \fBforwardable\fP option should not be
|
|
jpayne@68
|
326 requested for the ticket, even if the default configuration is to
|
|
jpayne@68
|
327 ask for forwardable tickets.
|
|
jpayne@68
|
328 .TP
|
|
jpayne@68
|
329 \fB\-e\fP \fIcommand\fP [\fIargs\fP ...]
|
|
jpayne@68
|
330 ksu proceeds exactly the same as if it was invoked without the
|
|
jpayne@68
|
331 \fB\-e\fP option, except instead of executing the target shell, ksu
|
|
jpayne@68
|
332 executes the specified command. Example of usage:
|
|
jpayne@68
|
333 .INDENT 7.0
|
|
jpayne@68
|
334 .INDENT 3.5
|
|
jpayne@68
|
335 .sp
|
|
jpayne@68
|
336 .nf
|
|
jpayne@68
|
337 .ft C
|
|
jpayne@68
|
338 ksu bob \-e ls \-lag
|
|
jpayne@68
|
339 .ft P
|
|
jpayne@68
|
340 .fi
|
|
jpayne@68
|
341 .UNINDENT
|
|
jpayne@68
|
342 .UNINDENT
|
|
jpayne@68
|
343 .sp
|
|
jpayne@68
|
344 The authorization algorithm for \fB\-e\fP is as follows:
|
|
jpayne@68
|
345 .sp
|
|
jpayne@68
|
346 If the source user is root or source user == target user, no
|
|
jpayne@68
|
347 authorization takes place and the command is executed. If source
|
|
jpayne@68
|
348 user id != 0, and \fB~target_user/.k5users\fP file does not exist,
|
|
jpayne@68
|
349 authorization fails. Otherwise, \fB~target_user/.k5users\fP file
|
|
jpayne@68
|
350 must have an appropriate entry for target principal to get
|
|
jpayne@68
|
351 authorized.
|
|
jpayne@68
|
352 .sp
|
|
jpayne@68
|
353 The .k5users file format:
|
|
jpayne@68
|
354 .sp
|
|
jpayne@68
|
355 A single principal entry on each line that may be followed by a
|
|
jpayne@68
|
356 list of commands that the principal is authorized to execute. A
|
|
jpayne@68
|
357 principal name followed by a \fB*\fP means that the user is
|
|
jpayne@68
|
358 authorized to execute any command. Thus, in the following
|
|
jpayne@68
|
359 example:
|
|
jpayne@68
|
360 .INDENT 7.0
|
|
jpayne@68
|
361 .INDENT 3.5
|
|
jpayne@68
|
362 .sp
|
|
jpayne@68
|
363 .nf
|
|
jpayne@68
|
364 .ft C
|
|
jpayne@68
|
365 jqpublic@USC.EDU ls mail /local/kerberos/klist
|
|
jpayne@68
|
366 jqpublic/secure@USC.EDU *
|
|
jpayne@68
|
367 jqpublic/admin@USC.EDU
|
|
jpayne@68
|
368 .ft P
|
|
jpayne@68
|
369 .fi
|
|
jpayne@68
|
370 .UNINDENT
|
|
jpayne@68
|
371 .UNINDENT
|
|
jpayne@68
|
372 .sp
|
|
jpayne@68
|
373 \fBjqpublic@USC.EDU\fP is only authorized to execute \fBls\fP,
|
|
jpayne@68
|
374 \fBmail\fP and \fBklist\fP commands. \fBjqpublic/secure@USC.EDU\fP is
|
|
jpayne@68
|
375 authorized to execute any command. \fBjqpublic/admin@USC.EDU\fP is
|
|
jpayne@68
|
376 not authorized to execute any command. Note, that
|
|
jpayne@68
|
377 \fBjqpublic/admin@USC.EDU\fP is authorized to execute the target
|
|
jpayne@68
|
378 shell (regular ksu, without the \fB\-e\fP option) but
|
|
jpayne@68
|
379 \fBjqpublic@USC.EDU\fP is not.
|
|
jpayne@68
|
380 .sp
|
|
jpayne@68
|
381 The commands listed after the principal name must be either a full
|
|
jpayne@68
|
382 path names or just the program name. In the second case,
|
|
jpayne@68
|
383 \fBCMD_PATH\fP specifying the location of authorized programs must
|
|
jpayne@68
|
384 be defined at the compilation time of ksu. Which command gets
|
|
jpayne@68
|
385 executed?
|
|
jpayne@68
|
386 .sp
|
|
jpayne@68
|
387 If the source user is root or the target user is the source user
|
|
jpayne@68
|
388 or the user is authorized to execute any command (\fB*\fP entry)
|
|
jpayne@68
|
389 then command can be either a full or a relative path leading to
|
|
jpayne@68
|
390 the target program. Otherwise, the user must specify either a
|
|
jpayne@68
|
391 full path or just the program name.
|
|
jpayne@68
|
392 .TP
|
|
jpayne@68
|
393 \fB\-a\fP \fIargs\fP
|
|
jpayne@68
|
394 Specify arguments to be passed to the target shell. Note that all
|
|
jpayne@68
|
395 flags and parameters following \-a will be passed to the shell,
|
|
jpayne@68
|
396 thus all options intended for ksu must precede \fB\-a\fP\&.
|
|
jpayne@68
|
397 .sp
|
|
jpayne@68
|
398 The \fB\-a\fP option can be used to simulate the \fB\-e\fP option if
|
|
jpayne@68
|
399 used as follows:
|
|
jpayne@68
|
400 .INDENT 7.0
|
|
jpayne@68
|
401 .INDENT 3.5
|
|
jpayne@68
|
402 .sp
|
|
jpayne@68
|
403 .nf
|
|
jpayne@68
|
404 .ft C
|
|
jpayne@68
|
405 \-a \-c [command [arguments]].
|
|
jpayne@68
|
406 .ft P
|
|
jpayne@68
|
407 .fi
|
|
jpayne@68
|
408 .UNINDENT
|
|
jpayne@68
|
409 .UNINDENT
|
|
jpayne@68
|
410 .sp
|
|
jpayne@68
|
411 \fB\-c\fP is interpreted by the c\-shell to execute the command.
|
|
jpayne@68
|
412 .UNINDENT
|
|
jpayne@68
|
413 .SH INSTALLATION INSTRUCTIONS
|
|
jpayne@68
|
414 .sp
|
|
jpayne@68
|
415 ksu can be compiled with the following four flags:
|
|
jpayne@68
|
416 .INDENT 0.0
|
|
jpayne@68
|
417 .TP
|
|
jpayne@68
|
418 \fBGET_TGT_VIA_PASSWD\fP
|
|
jpayne@68
|
419 In case no appropriate tickets are found in the source cache, the
|
|
jpayne@68
|
420 user will be prompted for a Kerberos password. The password is
|
|
jpayne@68
|
421 then used to get a ticket granting ticket from the Kerberos
|
|
jpayne@68
|
422 server. The danger of configuring ksu with this macro is if the
|
|
jpayne@68
|
423 source user is logged in remotely and does not have a secure
|
|
jpayne@68
|
424 channel, the password may get exposed.
|
|
jpayne@68
|
425 .TP
|
|
jpayne@68
|
426 \fBPRINC_LOOK_AHEAD\fP
|
|
jpayne@68
|
427 During the resolution of the default principal name,
|
|
jpayne@68
|
428 \fBPRINC_LOOK_AHEAD\fP enables ksu to find principal names in
|
|
jpayne@68
|
429 the .k5users file as described in the OPTIONS section
|
|
jpayne@68
|
430 (see \fB\-n\fP option).
|
|
jpayne@68
|
431 .TP
|
|
jpayne@68
|
432 \fBCMD_PATH\fP
|
|
jpayne@68
|
433 Specifies a list of directories containing programs that users are
|
|
jpayne@68
|
434 authorized to execute (via .k5users file).
|
|
jpayne@68
|
435 .TP
|
|
jpayne@68
|
436 \fBHAVE_GETUSERSHELL\fP
|
|
jpayne@68
|
437 If the source user is non\-root, ksu insists that the target user\(aqs
|
|
jpayne@68
|
438 shell to be invoked is a "legal shell". \fIgetusershell(3)\fP is
|
|
jpayne@68
|
439 called to obtain the names of "legal shells". Note that the
|
|
jpayne@68
|
440 target user\(aqs shell is obtained from the passwd file.
|
|
jpayne@68
|
441 .UNINDENT
|
|
jpayne@68
|
442 .sp
|
|
jpayne@68
|
443 Sample configuration:
|
|
jpayne@68
|
444 .INDENT 0.0
|
|
jpayne@68
|
445 .INDENT 3.5
|
|
jpayne@68
|
446 .sp
|
|
jpayne@68
|
447 .nf
|
|
jpayne@68
|
448 .ft C
|
|
jpayne@68
|
449 KSU_OPTS = \-DGET_TGT_VIA_PASSWD \-DPRINC_LOOK_AHEAD \-DCMD_PATH=\(aq"/bin /usr/ucb /local/bin"
|
|
jpayne@68
|
450 .ft P
|
|
jpayne@68
|
451 .fi
|
|
jpayne@68
|
452 .UNINDENT
|
|
jpayne@68
|
453 .UNINDENT
|
|
jpayne@68
|
454 .sp
|
|
jpayne@68
|
455 ksu should be owned by root and have the set user id bit turned on.
|
|
jpayne@68
|
456 .sp
|
|
jpayne@68
|
457 ksu attempts to get a ticket for the end server just as Kerberized
|
|
jpayne@68
|
458 telnet and rlogin. Thus, there must be an entry for the server in the
|
|
jpayne@68
|
459 Kerberos database (e.g., \fBhost/nii.isi.edu@ISI.EDU\fP). The keytab
|
|
jpayne@68
|
460 file must be in an appropriate location.
|
|
jpayne@68
|
461 .SH SIDE EFFECTS
|
|
jpayne@68
|
462 .sp
|
|
jpayne@68
|
463 ksu deletes all expired tickets from the source cache.
|
|
jpayne@68
|
464 .SH AUTHOR OF KSU
|
|
jpayne@68
|
465 .sp
|
|
jpayne@68
|
466 GENNADY (ARI) MEDVINSKY
|
|
jpayne@68
|
467 .SH ENVIRONMENT
|
|
jpayne@68
|
468 .sp
|
|
jpayne@68
|
469 See kerberos(7) for a description of Kerberos environment
|
|
jpayne@68
|
470 variables.
|
|
jpayne@68
|
471 .SH SEE ALSO
|
|
jpayne@68
|
472 .sp
|
|
jpayne@68
|
473 kerberos(7), kinit(1)
|
|
jpayne@68
|
474 .SH AUTHOR
|
|
jpayne@68
|
475 MIT
|
|
jpayne@68
|
476 .SH COPYRIGHT
|
|
jpayne@68
|
477 1985-2022, MIT
|
|
jpayne@68
|
478 .\" Generated by docutils manpage writer.
|
|
jpayne@68
|
479 .
|
