From 7ec6adb1cc00719b10b21a732474fc444acaac95 Mon Sep 17 00:00:00 2001 From: Karel Zak Date: Wed, 29 Aug 2012 17:34:26 +0200 Subject: runuser: new command (derived from su(1)) This command is based on su(1), the differences: - based on Fedora runuser su(1) patch - not installed with suid rights - allowed for root users only - don't ask for password - uses PAM session, for example: $ cat /etc/pam.d/runuser auth sufficient pam_rootok.so session optional pam_keyinit.so revoke session required pam_limits.so session required pam_unix.so $ cat /etc/pam.d/runuser-l auth include runuser session optional pam_keyinit.so force revoke session include runuser Signed-off-by: Karel Zak --- login-utils/runuser.1 | 230 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 230 insertions(+) create mode 100644 login-utils/runuser.1 (limited to 'login-utils/runuser.1') diff --git a/login-utils/runuser.1 b/login-utils/runuser.1 new file mode 100644 index 000000000..66ad1c48f --- /dev/null +++ b/login-utils/runuser.1 
@@ -0,0 +1,230 @@ +.TH RUNUSER "1" "August 2012" "util-linux" "User Commands" +.SH NAME +runuser \- run a command with substitute user and group ID +.SH SYNOPSIS +.B runuser +[options...] [\-] [user [args...]] +.SH DESCRIPTION +.B runuser +allows to run commands with substitute user and group ID. +The difference between the commands +.B runuser +and +.B su +is that +.B runuser +does not ask for password, because it may be executed by root user only. +The command +.B runuser +does not have to be installed with suid permissions. +.PP +When called without arguments +.B runuser +defaults to running an interactive shell as +.IR root . +.PP +For backward compatibility +.B runuser +defaults to not change the current directory and to only set the +environment variables +.B HOME +and +.B SHELL +(plus +.B USER +and +.B LOGNAME +if the target +.I user +is not root). It is recommended to always use the +.B \-\-login +option (instead it's shortcut +.BR \- ) +to avoid side effects caused by mixing environments. +.PP +This version of +.B runuser +uses PAM for session management. +.SH OPTIONS +.TP +\fB\-c\fR \fIcommand\fR, \fB\-\-command\fR=\fIcommand\fR +Pass +.I command +to the shell with the +.B \-c +option. +.TP +\fB\-\-session\-command\fR=\fIcommand\fR +Same as +.B \-c +but do not create a new session (discouraged). +.TP +\fB\-f\fR, \fB\-\-fast\fR +Pass +.B \-f +to the shell which may or may not be useful depending on the +shell. 
+.TP +\fB\-g\fR, \fB\-\-group\fR=\fIgroup\fR\fR +specify the primary group, this option is allowed for root user only +.TP +\fB\-G\fR, \fB\-\-supp-group\fR=\fIgroup\fR\fR +specify a supplemental group, this option is allowed for root user only +.TP +\fB\-\fR, \fB\-l\fR, \fB\-\-login\fR +Starts the shell as login shell with an environment similar to a real +login: +.RS 10 +.TP +o +clears all environment variables except for +.B TERM +.TP +o +initializes the environment variables +.BR HOME , +.BR SHELL , +.BR USER , +.BR LOGNAME , +.B PATH +.TP +o +changes to the target user's home directory +.TP +o +sets argv[0] of the shell to +.RB ' \- ' +in order to make the shell a login shell +.RE +.TP +\fB\-m\fR, \fB\-p\fR, \fB\-\-preserve-environment\fR +Preserves the whole environment, ie does not set +.BR HOME , +.BR SHELL , +.B USER +nor +.BR LOGNAME . +.TP +\fB\-s\fR \fISHELL\fR, \fB\-\-shell\fR=\fISHELL\fR +Runs the specified shell instead of the default. The shell to run is +selected according to the following rules in order: +.RS 10 +.TP +o +the shell specified with +.B \-\-shell +.TP +o +The shell specified in the environment variable +.B SHELL +if the +.B \-\-preserve-environment +option is used. +.TP +o +the shell listed in the passwd entry of the target user +.TP +o +/bin/sh +.RE +.IP +If the target user has a restricted shell (i.e. not listed in +/etc/shells) the +.B \-\-shell +option and the +.B SHELL +environment variables are ignored unless the calling user is root. +.TP +\fB\-\-help\fR +Display help text and exit. +.TP +\fB\-\-version\fR +Display version information and exit. +.SH CONFIG FILES +.B runuser +reads the +.I /etc/default/runuser +and +.I /etc/login.defs +configuration files. The following configuration items are relevant +for +.BR runuser : +.PP +.B ENV_PATH +(string) +.RS 4 +Defines the PATH environment variable for a regular user. The +default value is +.IR /usr/local/bin:\:/bin:\:/usr/bin . 
+.RE +.PP +.B ENV_ROOTPATH +(string) +.br +.B ENV_SUPATH +(string) +.RS 4 +Defines the PATH environment variable for root. The default value is +.IR /usr/local/sbin:\:/usr/local/bin:\:/sbin:\:/bin:\:/usr/sbin:\:/usr/bin . +.RE +.PP +.B ALWAYS_SET_PATH +(boolean) +.RS 4 +If set to +.I yes +and \-\-login and \-\-preserve\-environment were not specified +.B runuser +initializes +.BR PATH . +.RE +.SH EXIT STATUS +.B runuser +normally returns the exit status of the command it executed. If the +command was killed by a signal, +.B runuser +returns the number of the signal plus 128. +.PP +Exit status generated by +.B runuser +itself: +.RS 10 +.TP +1 +Generic error before executing the requested command +.TP +126 +The requested command could not be executed +.TP +127 +The requested command could was not found +.RE +.SH FILES +.PD 0 +.TP 17 +/etc/pam.d/runuser +default PAM configuration file +.TP +/etc/pam.d/runuser-l +PAM configuration file if \-\-login is specified +.TP +/etc/default/runuser +runuser specific logindef config file +.TP +/etc/login.defs +global logindef config file +.PD 1 +.SH "SEE ALSO" +.BR pam (8), +.BR shells (5), +.BR login.defs (5), +.BR su (1) +.SH AUTHOR +Derived from coreutils' su which was based on an implemenation from +David MacKenzie and Fedora runuser command from Dan Walsh. +.SH AVAILABILITY +The runuser command is part of the util-linux package and is +available from +.UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/ +Linux Kernel Archive +.UE . -- cgit v1.2.3-55-g7522
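Review bot: the DESCRIPTION states that runuser "may be executed by root user only" and therefore asks for no password, but nothing in the hunk says what enforces that restriction; the commit message's example `/etc/pam.d/runuser` with `auth sufficient pam_rootok.so` is the visible mechanism, so the FILES section (or a short PAM paragraph next to "uses PAM for session management") should state that the root-only check comes from the shipped PAM configuration and that editing `/etc/pam.d/runuser` or `/etc/pam.d/runuser-l` therefore changes who may run commands as another user without a password. In the same hunk, the per-option wording "this option is allowed for root user only" under -g/-G and "ignored unless the calling user is root" under --shell reads as contradictory for a command documented as root-only; either drop those clauses or describe the non-root case they refer to. Minor text fixes: "allows to run commands" -> "allows running commands"; "(instead it's shortcut" -> "(instead of its shortcut"; "ie does not set" -> "i.e. does not set"; "The requested command could was not found" -> "The requested command was not found"; "implemenation" -> "implementation"; the doubled trailing `\fR` in `\fB\-\-group\fR=\fIgroup\fR\fR` and `\fB\-\-supp-group\fR=\fIgroup\fR\fR`; and the unescaped hyphens in `\-\-supp-group` and `\-\-preserve-environment` should be `\-` for consistency with the other option names.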