-rw-r--r-- | login-utils/runuser.1   |  2
-rw-r--r-- | login-utils/su.1        |  3
-rw-r--r-- | sys-utils/mount.8       | 10
-rw-r--r-- | sys-utils/readprofile.8 |  2
-rw-r--r-- | sys-utils/setpriv.1     |  6
-rw-r--r-- | term-utils/wall.1       |  3
6 files changed, 15 insertions, 11 deletions
diff --git a/login-utils/runuser.1 b/login-utils/runuser.1 index 04ce4ff01..e748b1ee5 100644 --- a/login-utils/runuser.1 +++ b/login-utils/runuser.1 @@ -24,7 +24,7 @@ does not ask for a password (because it may be executed by the root user only) a it uses a different PAM configuration. The command .B runuser -does not have to be installed with suid permissions. +does not have to be installed with set-user-ID permissions. .PP If the PAM session is not required then recommended solution is to use .BR setpriv (1) diff --git a/login-utils/su.1 b/login-utils/su.1 index 8685061ef..724755bdf 100644 --- a/login-utils/su.1 +++ b/login-utils/su.1 @@ -42,7 +42,8 @@ configured via PAM. .PP .B su is mostly designed for unprivileged users, the recommended solution for -privileged users (e.g. scripts executed by root) is to use non-suid command +privileged users (e.g. scripts executed by root) is to use +non-set-user-ID command .BR runuser (1) that does not require authentication and provide separate PAM configuration. If the PAM session is not required at all then the recommend solution is to use diff --git a/sys-utils/mount.8 b/sys-utils/mount.8 index d1ef9083f..5623397dd 100644 --- a/sys-utils/mount.8 +++ b/sys-utils/mount.8 @@ -571,7 +571,7 @@ Mount the partition that has the specified .TP .BR \-l , " \-\-show\-labels" Add the labels in the mount output. \fBmount\fR must have -permission to read the disk device (e.g.\& be suid root) for this to work. +permission to read the disk device (e.g.\& be set-user-ID root) for this to work. One can set such a label for ext2, ext3 or ext4 using the .BR e2label (8) utility, or for XFS using 
@@ -1058,11 +1058,11 @@ or Do not use the lazytime feature. .TP .B suid -Allow set-user-identifier or set-group-identifier bits to take +Allow set-user-ID or set-group-ID bits to take effect. .TP .B nosuid -Do not allow set-user-identifier or set-group-identifier bits to take +Do not allow set-user-ID or set-group-ID bits to take effect. .TP .B silent @@ -1599,8 +1599,8 @@ When .B grpid is set, it takes the group id of the directory in which it is created; otherwise (the default) it takes the fsgid of the current process, unless -the directory has the setgid bit set, in which case it takes the gid -from the parent directory, and also gets the setgid bit set +the directory has the set-group-ID bit set, in which case it takes the gid +from the parent directory, and also gets the set-group-ID bit set if it is a directory itself. .TP .BR grpquota | noquota | quota | usrquota diff --git a/sys-utils/readprofile.8 b/sys-utils/readprofile.8 index 59c930b3d..5c72a719f 100644 --- a/sys-utils/readprofile.8 +++ b/sys-utils/readprofile.8 @@ -74,7 +74,7 @@ because is readable by everybody but writable only by the superuser. However, you can make .B readprofile -setuid 0, in order to reset the buffer without gaining privileges. +set-user-ID 0, in order to reset the buffer without gaining privileges. .TP \fB\-s, \fB\-\-counters\fR Print individual counters within functions. diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1 index 383efec37..23c147685 100644 --- a/sys-utils/setpriv.1 +++ b/sys-utils/setpriv.1 @@ -11,7 +11,8 @@ Sets or queries various Linux privilege settings that are inherited across .BR execve (2). .PP The difference between the commands setpriv and su (or runuser) is that setpriv does -not use open PAM session and does not ask for password. It's simple non-suid wrapper around +not use open PAM session and does not ask for password. +It's simple non-set-user-ID wrapper around .B execve system call. .SH OPTION 
@@ -59,7 +60,8 @@ Set the .I no_new_privs bit. With this bit set, .BR execve (2) -will not grant new privileges. For example, the setuid and setgid bits as well +will not grant new privileges. +For example, the set-user-ID and set-group-ID bits as well as file capabilities will be disabled. (Executing binaries with these bits set will still work, but they will not gain privileges. Certain LSMs, especially AppArmor, may result in failures to execute certain programs.) This bit is diff --git a/term-utils/wall.1 b/term-utils/wall.1 index a7da1951e..939810cc4 100644 --- a/term-utils/wall.1 +++ b/term-utils/wall.1 @@ -58,7 +58,8 @@ deny messages or are using a program which automatically denies messages. .PP Reading from a .I file -is refused when the invoker is not superuser and the program is suid or sgid. +is refused when the invoker is not superuser and the program is +set-user-ID or set-group-ID. .SH OPTIONS .TP .BR \-n , " \-\-nobanner" |
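Review bot: In the login-utils/su.1 hunk, the rewritten sentence still lacks its articles and keeps the comma splice, so while the line is being re-wrapped anyway it should read "the recommended solution for privileged users (e.g. scripts executed by root) is to use the non-set-user-ID command" and the following context line "does not require authentication and provide separate PAM configuration" should become "does not require authentication and provides a separate PAM configuration"; the runuser.1 hunk's context line "If the PAM session is not required then recommended solution is to use" has the same missing "the".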
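Review bot: In the sys-utils/mount.8 grpid hunk, the wording is now inconsistent within one paragraph: "setgid bit" becomes "set-group-ID bit" on two lines, but the surrounding context still says "takes the group id of the directory" and "takes the gid from the parent directory". For the same readability the series is aiming at, "group id" should be "group ID" and "gid" should be "group ID" (and "fsgid" at least spelled out once as the filesystem group ID), otherwise the reader meets three spellings of the same concept in four lines.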
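Review bot: In the sys-utils/readprofile.8 hunk, "set-user-ID 0" is awkward and differs from the mount.8 hunk in the same patch, which uses "set-user-ID root"; use "set-user-ID root" here as well so the series introduces one phrasing for the same idea. The sentence it sits in ("in order to reset the buffer without gaining privileges") also reads oddly next to a set-user-ID root binary, because the program does gain root privileges at exec time and merely does not grant them to the user; "without giving the user root privileges" would state the security property the page intends more precisely.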
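Review bot: In the first sys-utils/setpriv.1 hunk, the re-wrapped sentences keep several grammar problems on lines the patch already rewrites: "does not use open PAM session and does not ask for password" should be "does not open a PAM session and does not ask for a password", and "It's simple non-set-user-ID wrapper around .B execve system call." should be "It is a simple non-set-user-ID wrapper around the .B execve system call." The no_new_privs hunk in the same file is fine; splitting the sentence at "will not grant new privileges." onto its own line matches the one-sentence-per-line roff convention used elsewhere in the page.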
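Review bot: In the term-utils/wall.1 hunk, "when the invoker is not superuser" should be "when the invoker is not the superuser" (the runuser.1 hunk already says "the root user"); the terminology change itself is correct, and it is worth keeping the two bits separate in the sentence as the patch does, since wall refuses file input for either a set-user-ID or a set-group-ID installation, not only for set-user-ID root.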