.TH US.CONF 5 "JULY 2021" "Alessandro Mauri"

.SH NAME
us.conf \- us configuration file

.SH DESCRIPTION
.PP
The
.BR us (1)
utility executes commands as another identity according to the rules in the
.BR us.conf
configuration file.
.PP
The rules have the following format:
.IP
.BR "+|\-"
.BR user
as
.BR target
.OP options
.OP ENV
.SS Options
Possible options are:
.IP nopass
The user is not required to enter a password.
.IP persist
After the password has been entered for the first time, a five-minute timer is
started; during those five minutes the user is not required to re-enter the
password for that session. Re-invoking us resets that timer.
.IP nolog
Do not log the command outcome to
.BR syslog (2).
.PP
The sum of the matching rules determines the action taken; if no rule matches,
the action is denied.
.PP
Comments are made by having the first non-blank character of a line be a hash
mark ('#'); comments take up the whole line and cannot be embedded in the
middle of a line.
.PP
A valid user or target is an alphanumeric string containing the name of the
target. If the target is a user, the string begins with [0-9A-z]; if the
target is a group, the string has to begin with ':'. Instead of the name of the
user/group its number can be used, in which case the part of the string that
would contain the name must begin with '#' (so after a possible ':').
.PP
As options, a comma-separated list of environment variables can be specified;
these will be added to, or will override, existing environment variables during
execution of the command. A valid environment variable list starts with an
uppercase letter and ends at the next space.
.PP
A valid config file must be owned by root:root and should not be readable,
writable or executable for any other user or group; in other words the best
file permissions for the config file are
.BR 660 .
If the config file fails to meet these requirements it will get rejected and
invocation will fail.

.SH FILES
.IP /etc/us.conf
us(1) configuration file

.SH EXAMPLES
.PP
The following example allows root to execute commands as itself without
requiring a password and without logging:
.PP
.EX
+ root as root nopass nolog
.EE
.PP
The next example allows users in the wheel group to execute commands as
root, with a new environment variable IS_WHEEL set to 'yes' and the variable
EDITOR set to ed, the standard Unix editor:
.PP
.EX
+ :wheel as root IS_WHEEL=yes,EDITOR=ed
.EE
.PP
In this example the user maria is allowed to execute commands as a member of
the group wheel, and the session is remembered so that for the next five
minutes the password won't be needed:
.PP
.EX
+ maria as :wheel persist
.EE
.PP
This time the user joe is denied from executing commands as anyone who is a
member of the group 'coolppl', because joe is uncool:
.PP
.EX
- joe as :coolppl
.EE
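.PP
The following Python program is an added example, not code from the us project. It parses rules in the format described in DESCRIPTION (sign, user, "as", target, options, environment list), rejects malformed lines, and evaluates a request against the parsed rules; the four example rules above are embedded as constructed input. Two points the page leaves open are marked as assumptions in the code: how "the sum of matching rules" is combined (here any matching deny rule wins, otherwise the options and environment of all matching allow rules are merged), and the exact character set of an environment variable name.

```python
"""Parser and evaluator for the us.conf rule format (added example, not us's own code)."""
import re
from dataclasses import dataclass, field

OPTIONS = {"nopass", "persist", "nolog"}            # the three options the page lists
NAME_RE = re.compile(r"^[0-9A-Za-z]+$")             # page: user/target is an alphanumeric string
# ASSUMPTION: an env entry is NAME=VALUE; the name starts uppercase (page), the
# value may not contain commas (LIMITATIONS section).
ENV_RE = re.compile(r"^[A-Z][A-Za-z0-9_]*=[^,]*$")


@dataclass(frozen=True)
class Ident:
    """A parsed user/target spec such as 'maria', ':wheel', '#1000' or ':#10'."""
    group: bool      # spec began with ':'
    numeric: bool    # name part began with '#', so it is a uid/gid
    name: str


@dataclass
class Rule:
    allow: bool
    user: Ident
    target: Ident
    options: set = field(default_factory=set)
    env: dict = field(default_factory=dict)


def parse_ident(tok):
    group = tok.startswith(":")
    body = tok[1:] if group else tok
    numeric = body.startswith("#")
    if numeric:
        body = body[1:]
    bad = not body or (numeric and not body.isdigit()) or (not numeric and not NAME_RE.match(body))
    if bad:
        raise ValueError(f"bad user/target spec {tok!r}")
    return Ident(group, numeric, body)


def parse_rule(line):
    """Parse one line; returns None for blank lines and whole-line '#' comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tok = stripped.split()
    if len(tok) < 4 or tok[0] not in ("+", "-") or tok[2] != "as":
        raise ValueError(f"expected '+|- user as target ...' in {line!r}")
    rule = Rule(tok[0] == "+", parse_ident(tok[1]), parse_ident(tok[3]))
    for word in tok[4:]:
        if word[0].isupper():                        # env list: starts uppercase, ends at a space
            for item in word.split(","):
                if not ENV_RE.match(item):
                    raise ValueError(f"bad environment entry {item!r}")
                name, value = item.split("=", 1)
                rule.env[name] = value
        elif word in OPTIONS:
            rule.options.add(word)
        else:
            raise ValueError(f"unknown option {word!r}")
    return rule


def parse_config(text):
    """Parse a whole file; the line number is reported so a bad rule is easy to find."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            raise ValueError(f"us.conf line {lineno}: {exc}") from None
        if rule is not None:
            rules.append(rule)
    return rules


def is_rejected(text):
    """True when parse_config refuses the text (used to show malformed lines)."""
    try:
        parse_config(text)
    except ValueError:
        return True
    return False


def ident_matches(spec, invoker):
    """invoker is a dict with 'user', 'uid', 'groups' (names) and 'gids' (numbers)."""
    if spec.group:
        return int(spec.name) in invoker["gids"] if spec.numeric else spec.name in invoker["groups"]
    return int(spec.name) == invoker["uid"] if spec.numeric else spec.name == invoker["user"]


def decide(rules, invoker, target):
    """ASSUMPTION for 'the sum of matching rules': any matching '-' rule denies;
    otherwise options and env of all matching '+' rules are merged, later env
    entries overriding earlier ones.  No matching rule at all means denied (None)."""
    want = parse_ident(target)
    matched = [r for r in rules if ident_matches(r.user, invoker) and r.target == want]
    if not matched or any(not r.allow for r in matched):
        return None
    options, env = set(), {}
    for r in matched:
        options |= r.options
        env.update(r.env)
    return {"options": options, "env": env}


# Constructed sample: the four rules from the EXAMPLES section plus a comment line.
SAMPLE_CONF = """\
# rules taken from the us.conf(5) EXAMPLES section
+ root as root nopass nolog
+ :wheel as root IS_WHEEL=yes,EDITOR=ed
+ maria as :wheel persist
- joe as :coolppl
"""

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONF)
    maria = {"user": "maria", "uid": 1001, "groups": {"wheel"}, "gids": {10}}  # constructed
    print(decide(rules, maria, "root"))    # allowed via the :wheel rule, with the env entries
    print(decide(rules, maria, ":wheel"))  # allowed via the maria rule, with persist
```

Because option words are lowercase and an environment list must start with an uppercase letter, the two never collide while parsing; the parser therefore treats any other word as an unknown option and rejects the whole file, which mirrors the fail-closed behaviour the page describes for an unacceptable config file.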

.SH LIMITATIONS
.PP
Due to the way the environment is parsed, neither the name nor the value can
contain commas.

.SH "SEE ALSO"
.BR us (1)

.SH AUTHOR
Alessandro Mauri <alemauri001@tuta.io>