-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathpriv.1
247 lines (247 loc) · 6.17 KB
/
priv.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
.\" Copyright (c) 1996, 1997 Simon Burge <simonb@telstra.com.au>.
.\" All rights reserved.
.\" Portions Copyright (c) 1997 Luke Mewburn <lukem@connect.com.au>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by Simon Burge, Werj.
.\" 4. The name of the author may not be used to endorse or promote products
.\" derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\"
.TH PRIV 1 "February 19 1997"
.SH NAME
priv \- execute commands as a different user
.SH SYNOPSIS
.B priv
.I command
.RI [ arguments\c
]
.SH DESCRIPTION
.I priv
allows authorised users to execute commands that run as different
users.
.PP
When
.I priv
is invoked, it reads a list of authorised commands from a database
file called
.B /usr/local/etc/priv/\fRusername\fP.
Each line of the database file is a colon-seperated list of fields.
The first two fields must be specified.
Blank lines or lines beginning with a ``#'' character are ignored.
The fields, in order, are:
.PP
.PD 0
.IP
expiry date
.IP
user name to run command as
.IP
flags
.IP
command name
.PD
.PP
The format of the expiry date is YYYYMMDDhhmm. A date of ``0'' is
interpreted as no expiry date.
.PP
The flags field is an integer that contains the following bits:
.PP
.PD 0
.IP
F_SETUID 0000001 allow set-[gu]id programs to run
.IP
F_SYMLINK 0000002 allow symlink as command run
.IP
F_BASENAME 0000004 only check basename of command
.IP
F_LOGLS 0000010 do an 'ls' of the command run
.IP
F_LOGCWD 0000020 log working directory
.IP
F_LOGCMD 0000040 log full command name
.IP
F_LOGTTY 0000100 log user's terminal
.IP
F_BINPATH 0000200 allow any command in given path
.IP
F_GIVEREASON 0000400 ask for reason for running priv
.IP
F_CLEANENV 0001000 reset environment first
.IP
F_SU 0100000 check su to an account
.PD
.PP
The
.I F_SU
flag enables
.I priv
to authorise an
.IR "su" (8)
command.
In this case, the user name field is the user to
.I su
to, and the command name is ignored.
There should be a link from either
.I su<user>
or
.I su-<user>
to perform an ``su user'' or ``su - user'' as required.
If ``-c command'' is given as arguments to this, then it
is appended to the
.I su
command line.
.PP
The command name may either be a fully qualified path name, or the
command will be run from the user's path.
If the command name is left blank, then the user is allowed to run
.I any
command.
If there is a blank command line in the database file, it should
be placed last.
.PP
If the
.I F_BINPATH
flag is given, then the command name in the configuration file will
be taken as a directory from which any command is valid. If
.I F_BASENAME
is also given, the fully qualified path name won't be necessary.
.PP
The following security precautions are taken before
.IR "execve" (3)ing
.IR "command" :
.TP
1.
All file descriptors except 0 (stdin), 1 (stdout) and 2 (stderr)
are closed.
.TP
2.
All signal handling is reset to the default handlers (refer to
.IR "signal" (3)).
.TP
3.
If
.I F_CLEANENV
is specified, all environment variables are discarded, and the
following are defined:
.IP
.B "COLUMNS"
and
.BR "LINES" :
set to the original values of
.B COLUMNS
and
.B LINES
(respectively) if they only contain numbers.
Otherwise discarded.
.IP
.BR "HOME" :
set to the home directory of the target user.
.IP
.BR "IFS" :
set to space, tab and newline.
.IP
.B "LOGNAME"
and
.BR "USER" :
set to the username of the target user.
.IP
.BR "ORIG_HOME" ,
.BR "ORIG_LOGNAME"
and
.BR "ORIG_USER" :
set to the original values of
.BR "HOME" ,
.BR "LOGNAME"
and
.BR "USER"
respectively.
.IP
.BR "PATH" :
set to
.IR "/bin:/usr/bin" .
.IP
.BR "PRIVCMD" :
set to the command that was executed.
.IP
.BR "SHELL" :
set to
.IR "/bin/sh" .
.IP
.BR "TERM" :
set to the original value of
.B TERM
if it only contains characters
in the set [0-9a-zA-Z-+_.].
Otherwise set to
.IR "dumb" .
.PP
.I priv
logs all activity via
.IR "syslog" (3)
using the
.I LOG_AUTH
facility.
All failures contain the string
.I \fR``\fPnot ok\fR''\fP .
.SH FILES
.PD 0
.TP 20
/usr/local/etc/priv
The database directory.
.PD
.SH SEE ALSO
.IR "execve" (3),
.IR "signal" (3),
.IR "su" (1)
.SH BUGS
When
.I priv
searchs the
.B PATH
environment variable for a command to run, the checks
are made as the effective user that
.I priv
runs as (root).
Be aware of this when setting permissions on a program.
.SH AUTHORS
Simon Burge <simonb@telstra.com.au> wrote this version
of
.IR "priv" ,
with various enhancements provided by
Luke Mewburn <lukem@connect.com.au>.
.SH HISTORY
A command called
.I priv
was written by Ron Kuris in December 1988, and later modified by
Dan Busarow, DPC Systems, in November 1991.
.PP
This version of
.I priv
bears little resemblence to the original command, but keeps the same
name because Simon likes it.
.PP
Some features (such as
.IR "F_CLEANENV" )
were inspired by similar functionality in
.IR super ,
which was written by Will Deich <will@astro.caltech.edu>.