author: Karel Zak, 2016-08-18 11:12:44 +0200
committer: Karel Zak, 2016-08-18 11:12:44 +0200
commit: c424fd834b4845971e9ce5ef3d7325f6f4e6b163
tree: 72efb5a07df2b5aecc886bc4d775d6fb6c69c967
parent: tests: fix losetup tests for --nooverlap
su, runuser, setpriv: create links between man pages

.. and add notes about differences between the utils.

Reported-by: Lennart Poettering <lennart@poettering.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
-rw-r--r-- login-utils/runuser.1 7
-rw-r--r-- login-utils/su.1 11
-rw-r--r-- sys-utils/setpriv.1 7
3 files changed, 24 insertions, 1 deletions
diff --git a/login-utils/runuser.1 b/login-utils/runuser.1
index 2f88f8157..128758c84 100644
--- a/login-utils/runuser.1
+++ b/login-utils/runuser.1
@@ -26,6 +26,10 @@ The command
.B runuser
does not have to be installed with suid permissions.
.PP
+If the PAM session is not required then recommended solution is to use
+.BR setpriv (1)
+command.
+.PP
When called without arguments,
.B runuser
defaults to running an interactive shell as
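Review bot: The added sentence before "When called without arguments" is missing two articles ("then recommended solution is to use setpriv(1) command"). Suggest "If the PAM session is not required, then the recommended solution is to use the setpriv(1) command", which also matches the phrasing this patch adds to su.1.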
@@ -223,7 +227,8 @@ global logindef config file
.BR pam (8),
.BR shells (5),
.BR login.defs (5),
-.BR su (1)
+.BR su (1),
+.BR setpriv (1)
.SH HISTORY
This \fB runuser\fR command was
derived from coreutils' \fBsu\fR, which was based on an implementation by
diff --git a/login-utils/su.1 b/login-utils/su.1
index 5e529ce3d..5d570fb21 100644
--- a/login-utils/su.1
+++ b/login-utils/su.1
@@ -39,6 +39,16 @@ configuration options found in other
.B su
implementations, such as support for a wheel group, have to be
configured via PAM.
+.PP
+.B su
+is mostly designed for unprivileged users, the recommended solution for
+privileged users (e.g. scripts executed by root) is to use non-suid command
+.BR runuser (1)
+that does not require authentication and provide separate PAM configuration. If
+the PAM session is not required at all then the recommend solution is to use
+command
+.BR setpriv (1).
+
.SH OPTIONS
.TP
.BR \-c , " \-\-command" = \fIcommand
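Review bot: The new paragraph before ".SH OPTIONS" has a typo ("the recommend solution" should be "the recommended solution"), a verb agreement slip ("and provide" should be "and provides"), and a comma splice after "unprivileged users". Since this is the text readers will use to decide between an authenticated suid tool and an unauthenticated one, it is worth splitting into two sentences and saying explicitly that runuser skips authentication because it is meant to be run by root. The patch also adds an empty line right before ".SH OPTIONS"; blank lines in roff source emit extra vertical space and should be dropped.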
@@ -241,6 +251,7 @@ session required pam_lastlog.so nowtmp
.RE
.SH "SEE ALSO"
.BR runuser (8),
+.BR setpriv (1),
.BR pam (8),
.BR shells (5),
.BR login.defs (5)
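Review bot: The SEE ALSO context line here still cites ".BR runuser (8)", while the paragraph added earlier in this same file and the new SEE ALSO entry in setpriv.1 both cite "runuser (1)". The section number should be made consistent across the three pages in this patch, otherwise the cross-links this commit is meant to create will point at different sections.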
diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1
index 099a4bc75..4aaaa63af 100644
--- a/sys-utils/setpriv.1
+++ b/sys-utils/setpriv.1
@@ -9,6 +9,11 @@ setpriv \- run a program with different Linux privilege settings
.SH DESCRIPTION
Sets or queries various Linux privilege settings that are inherited across
.BR execve (2).
+.PP
+The difference between the commands setpriv and su (or runuser) is that setpriv does
+not use open PAM session and does not ask for password. It's simple non-suid wrapper around
+.B execve
+syscall.
.SH OPTION
.TP
.B \-\-clear\-groups
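Review bot: In the added DESCRIPTION paragraph, "does not use open PAM session" reads as a leftover from two drafts; suggest "does not open a PAM session and does not ask for a password". The reference ".B execve" should be ".BR execve (2)" to match the line three lines above it, and "It's simple non-suid wrapper" needs an article ("It is a simple non-suid wrapper around the execve(2) syscall").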
@@ -142,6 +147,8 @@ For example, setting no_new_privs and then execing a program that is
SELinux\-confined (as this tool would do) may prevent the SELinux
restrictions from taking effect.
.SH SEE ALSO
+.BR su (1),
+.BR runuser (1),
.BR prctl (2),
.BR capability (7)
.SH AUTHOR