 login-utils/runuser.1 | 7
 login-utils/su.1      | 11
 sys-utils/setpriv.1   | 7
3 files changed, 24 insertions, 1 deletions
diff --git a/login-utils/runuser.1 b/login-utils/runuser.1 index 2f88f8157..128758c84 100644 --- a/login-utils/runuser.1 +++ b/login-utils/runuser.1 @@ -26,6 +26,10 @@ The command .B runuser does not have to be installed with suid permissions. .PP +If the PAM session is not required then recommended solution is to use +.BR setpriv (1) +command. +.PP When called without arguments, .B runuser defaults to running an interactive shell as @@ -223,7 +227,8 @@ global logindef config file .BR pam (8), .BR shells (5), .BR login.defs (5), -.BR su (1) +.BR su (1), +.BR setpriv (1) .SH HISTORY This \fB runuser\fR command was derived from coreutils' \fBsu\fR, which was based on an implementation by diff --git a/login-utils/su.1 b/login-utils/su.1 index 5e529ce3d..5d570fb21 100644 --- a/login-utils/su.1 +++ b/login-utils/su.1 @@ -39,6 +39,16 @@ configuration options found in other .B su implementations, such as support for a wheel group, have to be configured via PAM. +.PP +.B su +is mostly designed for unprivileged users, the recommended solution for +privileged users (e.g. scripts executed by root) is to use non-suid command +.BR runuser (1) +that does not require authentication and provide separate PAM configuration. If +the PAM session is not required at all then the recommend solution is to use +command +.BR setpriv (1). + .SH OPTIONS .TP .BR \-c , " \-\-command" = \fIcommand @@ -241,6 +251,7 @@ session required pam_lastlog.so nowtmp .RE .SH "SEE ALSO" .BR runuser (8), +.BR setpriv (1), .BR pam (8), .BR shells (5), .BR login.defs (5) diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1 index 099a4bc75..4aaaa63af 100644 --- a/sys-utils/setpriv.1 +++ b/sys-utils/setpriv.1 
@@ -9,6 +9,11 @@ setpriv \- run a program with different Linux privilege settings .SH DESCRIPTION Sets or queries various Linux privilege settings that are inherited across .BR execve (2). +.PP +The difference between the commands setpriv and su (or runuser) is that setpriv does +not use open PAM session and does not ask for password. It's simple non-suid wrapper around +.B execve +syscall. .SH OPTION .TP .B \-\-clear\-groups @@ -142,6 +147,8 @@ For example, setting no_new_privs and then execing a program that is SELinux\-confined (as this tool would do) may prevent the SELinux restrictions from taking effect. .SH SEE ALSO +.BR su (1), +.BR runuser (1), .BR prctl (2), .BR capability (7) .SH AUTHOR |
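Review bot: The sentence added to runuser.1 in the first hunk ("If the PAM session is not required then recommended solution is to use") is missing an article and reads awkwardly in the rendered page; suggest "If no PAM session is required, the recommended solution is to use the" on the first line and "command." after the `.BR setpriv (1)` macro line, which can stay as it is.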
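Review bot: The new paragraph in the first su.1 hunk has several grammar slips that will ship verbatim in the man page: "is mostly designed for unprivileged users, the recommended solution ..." is a comma splice, "to use non-suid command" needs "the", "provide separate PAM configuration" should be "provides a separate PAM configuration", and "the recommend solution" should be "the recommended solution". Suggest splitting it into two sentences, e.g. "is mostly designed for unprivileged users. The recommended solution for privileged users (e.g. scripts executed by root) is the non-suid command" followed by `.BR runuser (1)` and "which does not require authentication and provides a separate PAM configuration." The bare empty line added just before `.SH OPTIONS` is also unnecessary in roff source (the `.SH` macro already supplies the vertical space) and should be dropped.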
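Review bot: While the SEE ALSO list in su.1 is being touched to add `.BR setpriv (1),`, the existing entry `.BR runuser (8),` on the context line above it points at the wrong manual section: the page edited by this same patch is login-utils/runuser.1, so it should read `.BR runuser (1),`. Fixing it here keeps the cross-references between the three pages consistent (runuser.1 already refers to `.BR su (1)`).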
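Review bot: The new DESCRIPTION paragraph in setpriv.1 needs wording and markup fixes: "does not use open PAM session" should be "does not open a PAM session", and "It's simple non-suid wrapper around .B execve syscall" should be "It is a simple non-suid wrapper around the" followed by `.BR execve (2)` and "system call", matching the `.BR execve (2).` cross-reference on the line immediately above instead of the bare `.B execve`. Since "non-suid" is the whole reason this patch steers root scripts away from su, it would help readers to state the consequence explicitly: being non-suid, setpriv cannot grant the caller any privilege it does not already hold; it only adjusts or drops what the caller has.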