1 <?xml version="1.0" encoding="UTF-8"?>
3 Copyright (c) 1996 , Marek Michałkiewicz
4 Copyright (c) 2001 - 2006, Tomasz Kłoczko
7 Redistribution and use in source and binary forms, with or without
8 modification, are permitted provided that the following conditions
10 1. Redistributions of source code must retain the above copyright
11 notice, this list of conditions and the following disclaimer.
12 2. Redistributions in binary form must reproduce the above copyright
13 notice, this list of conditions and the following disclaimer in the
14 documentation and/or other materials provided with the distribution.
15 3. The name of the copyright holders or contributors may not be used to
16 endorse or promote products derived from this software without
17 specific prior written permission.
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
22 PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23 HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 <refentry id='suauth.5'>
32 <!-- $Id: suauth.5.xml 2435 2008-10-11 11:44:43Z nekral-guest $ -->
34 <refentrytitle>suauth</refentrytitle>
35 <manvolnum>5</manvolnum>
36 <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
38 <refnamediv id='name'>
39 <refname>suauth</refname>
40 <refpurpose>detailed su control file</refpurpose>
42 <!-- body begins here -->
43 <refsynopsisdiv id='synopsis'>
45 <command>/etc/suauth</command>
49 <refsect1 id='description'>
50 <title>DESCRIPTION</title>
52 The file <filename>/etc/suauth</filename> is referenced whenever the
53 su command is called. It can change the behaviour of the su command,
58 <literallayout remap='.nf'>
59 1) the user su is targetting
63 2) the user executing the su command (or any groups he might be
68 The file is formatted like this, with lines starting with a # being
69 treated as comment lines and ignored;
72 <literallayout remap='RS'>
77 Where to-id is either the word <emphasis>ALL</emphasis>, a list of
78 usernames delimited by "," or the words <emphasis>ALL
79 EXCEPT</emphasis> followed by a list of usernames delimited by ","
83 from-id is formatted the same as to-id except the extra word
84 <emphasis>GROUP</emphasis> is recognised. <emphasis>ALL EXCEPT
85 GROUP</emphasis> is perfectly valid too. Following
86 <emphasis>GROUP</emphasis> appears one or more group names, delimited
87 by ",". It is not sufficient to have primary group id of the relevant
89 <citerefentry><refentrytitle>/etc/group</refentrytitle>
90 <manvolnum>5</manvolnum></citerefentry> is neccessary.
94 Action can be one only of the following currently supported options.
96 <variablelist remap='TP'>
99 <emphasis>DENY</emphasis>
102 <para>The attempt to su is stopped before a password is
109 <emphasis>NOPASS</emphasis>
113 The attempt to su is automatically successful; no password is
120 <emphasis>OWNPASS</emphasis>
124 For the su command to be successful, the user must enter his or
125 her own password. They are told this.
132 Note there are three separate fields delimited by a colon. No
133 whitespace must surround this colon. Also note that the file is
134 examined sequentially line by line, and the first applicable rule is
135 used without examining the file further. This makes it possible for a
136 system administrator to exercise as fine control as he or she wishes.
140 <refsect1 id='example'>
141 <title>EXAMPLE</title>
142 <literallayout remap='.nf'>
143 # sample /etc/suauth file
145 # A couple of privileged usernames may
146 # su to root with their own password.
148 root:chris,birddog:OWNPASS
150 # Anyone else may not su to root unless in
151 # group wheel. This is how BSD does things.
153 root:ALL EXCEPT GROUP wheel:DENY
155 # Perhaps terry and birddog are accounts
156 # owned by the same person.
157 # Access can be arranged between them
167 <refsect1 id='files'>
171 <term><filename>/etc/suauth</filename></term>
172 <listitem><para></para></listitem>
180 There could be plenty lurking. The file parser is particularly
181 unforgiving about syntax errors, expecting no spurious whitespace
182 (apart from beginning and end of lines), and a specific token
183 delimiting different things.
187 <refsect1 id='diagnostics'>
188 <title>DIAGNOSTICS</title>
190 An error parsing the file is reported using
191 <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
192 as level ERR on facility AUTH.
196 <refsect1 id='see_also'>
197 <title>SEE ALSO</title>
200 <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>