1 .TH "KSU" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
3 ksu \- Kerberized super-user
5 .nr rst2man-indent-level 0
9 level \\n[rst2man-indent-level]
10 level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
17 .\" .rstReportMargin pre:
19 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
20 . nr rst2man-indent-level +1
21 .\" .rstReportMargin post:
25 .\" indent \\n[an-margin]
26 .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
27 .nr rst2man-indent-level -1
28 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
29 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
.\" Man page generated from reStructuredText.
39 [ \fB\-n\fP \fItarget_principal_name\fP ]
40 [ \fB\-c\fP \fIsource_cache_name\fP ]
45 [ \fB\-l\fP \fIlifetime\fP ]
48 [ \fB\-e\fP \fIcommand\fP [ args ... ] ] [ \fB\-a\fP [ args ... ] ]
52 Kerberos version 5 must be installed to compile \fIksu\fP, and a Kerberos version 5 server must be running to use \fIksu\fP.
55 \fIksu\fP is a Kerberized version of the \fIsu\fP program that has two missions:
56 one is to securely change the real and effective user ID to that of the target user,
57 and the other is to create a new security context.
60 For the sake of clarity, all references to and attributes of the user invoking the program
61 will start with \(aqsource\(aq (e.g. \fIsource user, source cache\fP, etc.).
63 Likewise, all references to and attributes of the target account will start with \(aqtarget\(aq.
67 To fulfill the first mission, \fIksu\fP operates in two phases: authentication and authorization.
68 Resolving the target principal name is the first step in authentication.
69 The user can either specify his principal name with the \fI\-n\fP option (e.g. \fI\-n jqpublic@USC.EDU\fP ) or
70 a default principal name will be assigned using a heuristic described in the \fIOPTIONS\fP section (see \fI\-n\fP option).
71 The target user name must be the first argument to \fIksu\fP; if it is not specified, root is the default.
72 If \(aq.\(aq is specified then the target user will be the source user (e.g. \fIksu\fP .).
73 If the source user is root or the target user is the source user, no authentication or authorization takes place.
74 Otherwise, \fIksu\fP looks for an appropriate Kerberos ticket in the source cache.
76 The ticket can either be for the end\-server or a ticket granting ticket (TGT) for the target principal\(aqs realm.
77 If the ticket for the end\-server is already in the cache, it\(aqs decrypted and verified.
78 If it\(aqs not in the cache but the TGT is, the TGT is used to obtain the ticket for the end\-server.
79 The end\-server ticket is then verified.
80 If neither ticket is in the cache, but \fIksu\fP is compiled with the \fIGET_TGT_VIA_PASSWD\fP define,
81 the user will be prompted for a Kerberos password which will then be used to get a TGT.
82 If the user is logged in remotely and does not have a secure channel, the password may be exposed.
83 If neither ticket is in the cache and \fIGET_TGT_VIA_PASSWD\fP is not defined, authentication fails.
86 This section describes authorization of the source user when \fIksu\fP is invoked without the \fI\-e\fP option.
87 For a description of the \-e option, see the OPTIONS section.
89 Upon successful authentication, \fIksu\fP checks whether the target principal is authorized to access the target account.
90 In the target user\(aqs home directory, \fIksu\fP attempts to access two authorization files: \fI.k5login\fP and \fI.k5users\fP.
91 In the \fI.k5login\fP file each line contains the name of a principal that is authorized to access the account.
98 jqpublic/secure@USC.EDU
99 jqpublic/admin@USC.EDU
103 The format of \fI.k5users\fP is the same, except the principal name may be followed by a list of commands
104 that the principal is authorized to execute. (see the \fI\-e\fP option in the \fIOPTIONS\fP section for details).
106 Thus if the target principal name is found in the \fI.k5login\fP file the source user is authorized to access the target account.
107 Otherwise \fIksu\fP looks in the \fI.k5users\fP file.
108 If the target principal name is found without any trailing commands or followed only by \(aq*\(aq then the source user is authorized.
109 If either \fI.k5login\fP or \fI.k5users\fP exist but an appropriate entry for the target principal does not exist then access is denied.
110 If neither file exists then the principal will be granted access to the account according to the aname\->lname mapping rules.
111 Otherwise, authorization fails.
112 .SH EXECUTION OF THE TARGET SHELL
114 Upon successful authentication and authorization, \fIksu\fP proceeds in a similar fashion to \fIsu\fP.
115 The environment is unmodified with the exception of USER, HOME and SHELL variables.
116 If the target user is not root, USER gets set to the target user name.
117 Otherwise USER remains unchanged.
118 Both HOME and SHELL are set to the target login\(aqs default values.
119 In addition, the environment variable \fIKRB5CCNAME\fP gets set to the name of the target cache.
120 The real and effective user ID are changed to that of the target user.
121 The target user\(aqs shell is then invoked (the shell name is specified in the password file).
122 Upon termination of the shell, \fIksu\fP deletes the target cache (unless \fIksu\fP is invoked with the \fI\-k\fP option).
123 This is implemented by first doing a fork and then an exec, instead of just exec, as done by \fIsu\fP.
124 .SH CREATING A NEW SECURITY CONTEXT
126 \fIksu\fP can be used to create a new security context for the target program
127 (either the target shell, or command specified via the \fI\-e\fP option).
128 The target program inherits a set of credentials from the source user.
129 By default, this set includes all of the credentials in the source cache
130 plus any additional credentials obtained during authentication.
131 The source user is able to limit the credentials in this set by using \fI\-z\fP or \fI\-Z\fP option.
132 \fI\-z\fP restricts the copy of tickets from the source cache to the target cache
133 to only the tickets where client == the target principal name.
134 The \fI\-Z\fP option provides the target user with a fresh target cache (no creds in the cache).
135 Note that for security reasons, when the source user is root and the target user is non\-root,
136 the \fI\-z\fP option is the default mode of operation.
138 While no authentication takes place if the source user is root or is the same as the target user,
139 additional tickets can still be obtained for the target cache.
140 If \fI\-n\fP is specified and no credentials can be copied to the target cache,
141 the source user is prompted for a Kerberos password (unless \fI\-Z\fP specified or \fIGET_TGT_VIA_PASSWD\fP is undefined).
142 If successful, a TGT is obtained from the Kerberos server and stored in the target cache.
143 Otherwise, if a password is not provided (user hit return) \fIksu\fP continues in a normal mode
144 of operation (the target cache will not contain the desired TGT).
145 If the wrong password is typed in, \fIksu\fP fails.
147 \fISide Note\fP: during authentication, only the tickets that could be obtained without
148 providing a password are cached in the source cache.
154 .B \fB\-n\fP \fItarget_principal_name\fP
156 Specify a Kerberos target principal name. Used in authentication and authorization phases of \fIksu\fP.
158 If \fIksu\fP is invoked without \fI\-n\fP, a default principal name is assigned via the following heuristic:
161 .B \fICase 1: source user is non\-root.\fP
163 If the target user is the source user the default principal name is set to the default principal of the source cache.
164 If the cache does not exist then the default principal name is set to target_user@local_realm.
165 If the source and target users are different and neither ~target_user/\fI.k5users\fP nor ~target_user/\fI.k5login\fP exist
166 then the default principal name is \fItarget_user_login_name@local_realm\fP.
167 Otherwise, starting with the first principal listed below, \fIksu\fP checks whether the principal is authorized to access the target account
168 and whether there is a legitimate ticket for that principal in the source cache.
169 If both conditions are met, that principal becomes the default target principal;
170 otherwise \fIksu\fP goes on to the next principal.
174 a) default principal of the source cache
177 b) target_user@local_realm
180 c) source_user@local_realm
183 If a\-c all fail, try any principal for which there is a ticket in the source cache and that is authorized to access the target account.
184 If that fails select the first principal that is authorized to access the target account from the above list.
185 If none are authorized and \fIksu\fP is configured with \fIPRINC_LOOK_AHEAD\fP turned on, select the default principal as follows:
187 For each candidate in the above list, select an authorized principal that has the same realm name and
188 first part of the principal name equal to the prefix of the candidate.
189 For example if candidate a) is \fIjqpublic@ISI.EDU\fP and \fIjqpublic/secure@ISI.EDU\fP is authorized to access the target account
190 then the default principal is set to \fIjqpublic/secure@ISI.EDU\fP.
192 .B \fICase 2: source user is root.\fP
194 If the target user is non\-root then the default principal name is \fItarget_user@local_realm\fP.
195 Else, if the source cache exists the default principal name is set to the default principal of the source cache.
196 If the source cache does not exist, default principal name is set to \fIroot@local_realm\fP.
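The heuristic above is easier to check against concrete inputs than to follow in prose. The following Python model is an added example written for this page; it is not MIT Kerberos code and does not read a real credential cache or the target user's authorization files. The cache is modelled as a dictionary holding the default principal and the set of client principals with tickets, the "authorized" relation as a set of principals, and the case where nothing is selectable returns None (an assumption; the page does not state that fallback).

```python
# Added illustration of the default-principal heuristic used when -n is absent.
# Not MIT Kerberos code: cache, ticket and authorization inputs are plain
# Python values (assumptions) standing in for the real lookups.


def _candidates(source_user, target_user, local_realm, cache):
    """Candidates a), b), c) in the documented order, duplicates dropped."""
    ordered = []
    if cache is not None:
        ordered.append(cache["default_principal"])          # a)
    for p in (f"{target_user}@{local_realm}",               # b)
              f"{source_user}@{local_realm}"):              # c)
        if p not in ordered:
            ordered.append(p)
    return ordered


def _first_component(principal):
    """'jqpublic/secure@ISI.EDU' -> ('jqpublic', 'ISI.EDU')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/")[0], realm


def default_target_principal(source_user, target_user, local_realm, cache,
                             auth_files_exist, authorized, princ_look_ahead=False):
    """Return the principal ksu would choose when -n is not given.

    cache:            None if the source cache does not exist, otherwise
                      {"default_principal": str, "tickets": set of client
                      principals holding a ticket in the cache}
    auth_files_exist: whether ~target_user/.k5users or .k5login exists
    authorized:       set of principals authorized to access the target account
    """
    # Case 2: source user is root.
    if source_user == "root":
        if target_user != "root":
            return f"{target_user}@{local_realm}"
        if cache is not None:
            return cache["default_principal"]
        return f"root@{local_realm}"

    # Case 1: source user is non-root.
    if target_user == source_user:
        if cache is not None:
            return cache["default_principal"]
        return f"{target_user}@{local_realm}"
    if not auth_files_exist:
        return f"{target_user}@{local_realm}"

    tickets = cache["tickets"] if cache is not None else set()
    candidates = _candidates(source_user, target_user, local_realm, cache)

    # a)-c): authorized and holding a ticket in the source cache.
    for p in candidates:
        if p in authorized and p in tickets:
            return p
    # Any ticket-holding principal that is authorized.
    for p in sorted(tickets):
        if p in authorized:
            return p
    # First authorized candidate from the list, ticket or not.
    for p in candidates:
        if p in authorized:
            return p
    # PRINC_LOOK_AHEAD: an authorized principal whose first name component and
    # realm match a candidate, e.g. jqpublic@ISI.EDU -> jqpublic/secure@ISI.EDU.
    if princ_look_ahead:
        for cand in candidates:
            for p in sorted(authorized):
                if _first_component(p) == _first_component(cand):
                    return p
    return None  # assumption: the page does not say what happens when nothing matches


if __name__ == "__main__":
    cache = {"default_principal": "alice@USC.EDU",
             "tickets": {"alice@USC.EDU", "alice/admin@USC.EDU"}}
    print(default_target_principal("alice", "bob", "USC.EDU", cache, True,
                                   {"alice/admin@USC.EDU"}))
```

The ordering matters for the security outcome: a ticket-holding authorized principal is preferred over a merely authorized one so that \fIksu\fP does not prompt for a password when the cache already suffices.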
199 .B \fB\-c\fP \fIsource_cache_name\fP
201 Specify source cache name (e.g. \-c FILE:/tmp/my_cache).
202 If the \fI\-c\fP option is not used then the name is obtained from the \fIKRB5CCNAME\fP environment variable.
203 If \fIKRB5CCNAME\fP is not defined the source cache name is set to krb5cc_<source uid>.
204 The target cache name is automatically set to krb5cc_<target uid>.(gen_sym()),
205 where gen_sym generates a new number such that the resulting cache does not already exist.
216 Do not delete the target cache upon termination of the target shell or a command ( \fI\-e\fP command).
217 Without \fI\-k\fP, \fIksu\fP deletes the target cache.
225 Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name.
226 Use the \fI\-n\fP option if you want the tickets for a principal other than the default principal.
227 Note that the \fI\-z\fP option is mutually exclusive with the \fI\-Z\fP option.
231 Don\(aqt copy any tickets from the source cache to the target cache.
232 Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name.
233 Note that the \fI\-Z\fP option is mutually exclusive with the \fI\-z\fP option.
237 Suppress the printing of status messages.
242 Ticket granting ticket options
247 .B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP
249 The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate
250 the source user. In this case if \fIksu\fP is configured to prompt users for a Kerberos password (GET_TGT_VIA_PASSWD is defined),
251 the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos
254 .B \fB\-l\fP \fIlifetime\fP
256 option specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime
257 (configured by each site) is used instead.
259 .B \fB\-r\fP \fItime\fP
261 option specifies that the \fIRENEWABLE\fP option should be requested for the ticket, and specifies the desired total lifetime of the ticket.
265 option specifies that the PROXIABLE option should be requested for the ticket.
269 option specifies that the FORWARDABLE option should be requested for the ticket.
271 .B \fB\-e\fP \fIcommand\fP [args ...]
273 \fIksu\fP proceeds exactly the same as if it was invoked without the \fI\-e\fP option,
274 except instead of executing the target shell, \fIksu\fP executes the specified command
283 The authorization algorithm for \fI\-e\fP is as follows:
285 If the source user is root or source user == target user, no authorization takes place and the command is executed.
286 If source user id != 0, and ~target_user/\fI.k5users\fP file does not exist, authorization fails.
287 Otherwise, ~target_user/\fI.k5users\fP file must have an appropriate entry for target principal to get authorized.
289 The \fI.k5users\fP file format:
291 A single principal entry on each line that may be followed by a list of commands that the principal is authorized to execute.
292 A principal name followed by a \(aq*\(aq means that the user is authorized to execute any command. Thus, in the following example:
296 jqpublic@USC.EDU ls mail /local/kerberos/klist
297 jqpublic/secure@USC.EDU *
298 jqpublic/admin@USC.EDU
302 \fIjqpublic@USC.EDU\fP is only authorized to execute \fIls\fP, \fImail\fP and \fIklist\fP commands.
303 \fIjqpublic/secure@USC.EDU\fP is authorized to execute any command.
304 \fIjqpublic/admin@USC.EDU\fP is not authorized to execute any command.
305 Note, that \fIjqpublic/admin@USC.EDU\fP is authorized to execute the target shell (regular \fIksu\fP, without the \fI\-e\fP option)
306 but \fIjqpublic@USC.EDU\fP is not.
308 The commands listed after the principal name must be either full path names or just program names.
309 In the second case, CMD_PATH, specifying the location of authorized programs, must be defined at compile time of \fIksu\fP.
310 Which command gets executed?
312 If the source user is \fIroot\fP or the target user is the source user or the user is authorized to execute any command (\(aq*\(aq entry)
313 then command can be either a full or a relative path leading to the target program.
314 Otherwise, the user must specify either a full path or just the program name.
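The two authorization paths (plain \fIksu\fP via \fI.k5login\fP/\fI.k5users\fP, and \fIksu \-e\fP via \fI.k5users\fP commands) can be modelled compactly. The Python below is an added example for this page, not MIT Kerberos code: it decides from file contents only and leaves the root/same\-user bypass, which skips authorization entirely, to the caller. The CMD_PATH value is an assumption (the page's own build example uses "/bin /usr/ucb /local/bin"), and the aname\->lname fallback is the default single\-component\-in\-local\-realm rule, not a site's configured mapping. The two sample files are the ones shown on this page.

```python
# Added illustration of the .k5login/.k5users authorization rules. Not MIT
# Kerberos code; models the decision only. CMD_PATH is an assumed value.
import os

# Assumed compile-time CMD_PATH; the page's build example uses the same directories.
CMD_PATH = ["/bin", "/usr/ucb", "/local/bin"]

# The two example files from this page.
K5LOGIN = "jqpublic/secure@USC.EDU\njqpublic/admin@USC.EDU\n"
K5USERS = ("jqpublic@USC.EDU ls mail /local/kerberos/klist\n"
           "jqpublic/secure@USC.EDU *\n"
           "jqpublic/admin@USC.EDU\n")


def parse_k5login(text):
    """One authorized principal per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_k5users(text):
    """Principal -> list of command words; [] when no commands follow."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries[fields[0]] = fields[1:]
    return entries


def default_aname_to_lname(principal, local_realm):
    """Default aname->lname rule used when neither file exists: a single-
    component principal in the local realm maps to the account of the same
    name; anything else has no local name (assumed default, not site rules)."""
    name, sep, realm = principal.rpartition("@")
    if sep and realm == local_realm and "/" not in name:
        return name
    return None


def shell_authorized(principal, target_user, k5login, k5users, local_realm):
    """Authorization for plain ksu (no -e). k5login/k5users are the file
    contents, or None when that file does not exist in ~target_user."""
    if k5login is not None and principal in parse_k5login(k5login):
        return True
    if k5users is not None:
        cmds = parse_k5users(k5users).get(principal)
        if cmds is not None and cmds in ([], ["*"]):
            return True
    if k5login is None and k5users is None:
        return default_aname_to_lname(principal, local_realm) == target_user
    return False  # a file exists but carries no suitable entry for the principal


def _paths(cmd, cmd_path):
    """Full paths a .k5users command word or a requested command can denote."""
    if "/" in cmd:
        return [cmd]
    return [os.path.join(d, cmd) for d in cmd_path]


def command_authorized(principal, command, k5users, cmd_path=CMD_PATH):
    """Authorization for ksu -e. Returns the path to execute, or None if denied."""
    if k5users is None:
        return None
    cmds = parse_k5users(k5users).get(principal)
    if not cmds:
        return None           # no entry, or an entry with no commands at all
    if "*" in cmds:
        return command        # any command, full or relative path, as typed
    allowed = set()
    for word in cmds:
        allowed.update(_paths(word, cmd_path))
    for path in _paths(command, cmd_path):
        if path in allowed:
            return path
    return None


if __name__ == "__main__":
    print(shell_authorized("jqpublic/admin@USC.EDU", "jqpublic", K5LOGIN, K5USERS, "USC.EDU"))
    print(command_authorized("jqpublic@USC.EDU", "mail", K5USERS))
```

With the page's two files, \fIjqpublic/admin@USC.EDU\fP gets a shell but no \fI\-e\fP command, while \fIjqpublic@USC.EDU\fP gets \fIls\fP, \fImail\fP and \fI/local/kerberos/klist\fP but no shell, exactly as the text states; a bare name such as \fImail\fP resolves only through CMD_PATH, so an entry like \fI/local/kerberos/klist\fP must be invoked by its full path unless its directory is in CMD_PATH.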
316 .B \fB\-a\fP \fIargs\fP
318 Specify arguments to be passed to the target shell.
319 Note that all flags and parameters following \-a are passed to the shell,
320 so all options intended for \fIksu\fP must precede \fI\-a\fP.
322 The \fI\-a\fP option can be used to simulate the \fI\-e\fP option if used as follows:
326 \-a \-c [command [arguments]].
330 \fI\-c\fP is interpreted by the c\-shell to execute the command.
334 .SH INSTALLATION INSTRUCTIONS
336 \fIksu\fP can be compiled with the following four flags:
341 .B \fBGET_TGT_VIA_PASSWD\fP
343 In case no appropriate tickets are found in the source cache,
344 the user will be prompted for a Kerberos password.
345 The password is then used to get a ticket granting ticket from the Kerberos server.
346 The danger of configuring \fIksu\fP with this macro is if the source user is logged in remotely
347 and does not have a secure channel, the password may get exposed.
349 .B \fBPRINC_LOOK_AHEAD\fP
351 During the resolution of the default principal name, \fIPRINC_LOOK_AHEAD\fP enables \fIksu\fP to find
352 principal names in the \fI.k5users\fP file as described in the \fIOPTIONS\fP section (see \fI\-n\fP option).
356 Specifies a list of directories containing programs that users are authorized to execute (via \fI.k5users\fP file).
358 .B \fBHAVE_GETUSERSHELL\fP
360 If the source user is non\-root, \fIksu\fP insists that the target user\(aqs shell, the one to be invoked, be a "legal shell".
361 \fIgetusershell(3)\fP is called to obtain the names of "legal shells".
362 Note that the target user\(aqs shell is obtained from the passwd file.
371 KSU_OPTS = \-DGET_TGT_VIA_PASSWD \-DPRINC_LOOK_AHEAD \-DCMD_PATH=\(aq"/bin /usr/ucb /local/bin"\(aq
376 .B PERMISSIONS FOR KSU
378 \fIksu\fP should be owned by root and have the \fIset user id\fP bit turned on.
382 \fIksu\fP attempts to get a ticket for the end server just as Kerberized telnet and rlogin do.
383 Thus, there must be an entry for the server in the Kerberos database (e.g. \fIhost/nii.isi.edu@ISI.EDU\fP).
384 The keytab file must be in an appropriate location.
388 \fIksu\fP deletes all expired tickets from the source cache.
391 GENNADY (ARI) MEDVINSKY
396 .\" Generated by docutils manpage writer.