NAME
super.tab - database of restricted commands for super(1)DESCRIPTION
The super.tab file contains the restrictions on who can execute commands with super(1). It may also contain options that modify the uid and/or gid under which a command is run; the list of environment variables that are discarded before executing a command, and so on. The reader is expected to be familiar with the super(1) man page. If you are trying to avoid reading this lengthy man page, you need to know a few simple rules. First, for a user to successfully execute a command by typing super commandName, the minimum entry in the super.tab is something like commandName FullPathToCommand userName:if $IS_USERTAB == yes :include /etc/super.init.per-user :if $IS_USERTAB != yes :include /etc/super.init.as-root
• the
user-entered command to a CmdPat;
• the
{user,group,host} triplet to a PermittedUsers entry; and
• the
current time to a PermittedTimes entry (the default permits any
time).
renice /etc/renice jack@hill jill@bucket time~8-17
Cmd File user1\ user2\ user3
Cmd File user1
user2 user3
Cmd File {user1,\
user2,\
user3}
Cmd File {user1,user2,user3}
The CmdPat Field
In response to the user typing
super cmd [ args ],
skill /usr/local/bin/skill user1 user2
user3
/usr/bin/{lp,lpstat,disable,enable,cancel}
* \
:operators
uid=0
super /usr/bin/disable
some_printer
{lp,lpstat,disable,enable,cancel}
/usr/bin/* \
:operators
uid=0
super disable some_printer
op/* /usr/local/super/scripts/* :operators
uid=0
super op/xyz
/* *
ReallyReallyTrustedUsers
or
/.* *
ReallyReallyTrustedUsers
/* * TrustedUsers \
!{PatternsOfPublicWorkstations} \
password=y timeout=5 uid=0
The FullPath Field
The FullPath field gives the name of the actual command that will be executed, and if it contains an asterisk, the asterisk is first replaced by the user's cmd string. The FullPath can optionally contain a list of initial arguments that precede any arguments passed by the user. For example,xyz "/usr/local/bin/blah -o1 -o2 -xrm
'a b c'" ...
argv[1]: -o1
argv[2]: -o2
argv[3]: -xrm
argv[4]: a b c
followed by any arguments that the user put on the super command line. Note:
asterisk replacement is only done on the filename part of the FullPath,
not on the arguments. You can safely include asterisks in the argument list.
For security, the user's cmd may not contain any whitespace or
backslashes.
The FullPath string is parsed using rules similar to the Bourne shell
rules for backslashes in quoted strings, namely:
\\ → \;
\q → q, where q is the quote character that
encloses the FullPath string;
other backslashes are preserved: \x → \x.
Permitted Users
Permitted users are those who may execute the specified Cmd's. Entries for any number of permitted users are given after the CmdPat and FullPath fields. Local options — options that apply to this command only — may also appear anywhere after the FullPath. Options are distinguished from permitted users because options all have the form key=value, whereas permitted-user entries may not contain unescaped equal signs. Each whitespace-separated word is a pattern in one of the formatsNote that the user~ part is optional. The user's login name must match the user pattern; the user must belong to a group whose name matches the group pattern; and the hostname must match the host pattern. If the user, group, or host part is not given, there are no corresponding restrictions.
j.* !jo
or
user~j.* !user~jo
!jo j.*
Permitted Times
The time condition restricts the days and times during which this command may be matched. If the execution time isn't acceptable, then super ignores the control line, and ``falls through'' to inspect the next entry, just as it does if the user/group/host aren't acceptable. A time condition looks like: time~pattern
Pattern Example
hh[:mm]-hh[:mm][/dayname] 13:30-17/monday
{
<,>,<=,>=}hh[:mm][/dayname] <17/tues
dayname Friday
The first form explicitly specifies an interval during which the command may be
used. Times may not go past midnight; to specify the night between Monday and
Tuesday, you must do something like:
time~{17:30-24:00/mon,0-8/tues}
time~{>17:30/mon,<8/tues}
(There is a tiny difference in the two examples above: in the first example, the
time range includes 17:30 and 8:00; in the second example, the time range is
17:31-07:59. Use time~{>=17:30/mon,<=8/tues} to make the
interpretation identical to the first example.)
If there are a series of time patterns, they are evaluated left-to-right, and
the rightmost matching pattern is used. To permit execution between 17:30
Monday and 8:00 Tuesday, but exclude 0:00 to 1:00 Tuesday, use:
time~{>=17:30/mon,<=8/tues} !time~{0-1/tues}
By default, valid daynames are English, but if your system supports the
setlocale(3) function, the global option lang=zzz
will set the valid names to those of locale zzz. Valid daynames
are either (a) the full names of the chosen language; (b) an official
abbreviated day name for that language; (c) a 3-or-more character abbreviation
of the full weekday; or (d) *, meaning any day. (You can check on
super's valid daynames by executing super -d, which will show
the default names of the weekdays at or near the top of its debugging output,
and show the new weekday names that take effect when the
lang=zzz option is encountered.)
Time patterns have a special defaulting rule when the execution time is not in
one of the intervals in the time list:
• if all time patterns are
negated, super permits execution at any time not in one of the listed
intervals;
• otherwise, there is at least one non-negated pattern, and super
defaults to deny execution at times outside the specified acceptable
intervals.
The reason is that the natural interpretation of a series of negated conditions,
such as
!time~{0-8,17-24} !time~{sat,sun}
is to infer that all other times are acceptable for execution. On the other
hand, if there are any ordinary, non-negated times, such as
time~8-17/{mon,tues,wed,thu,fri}
the natural interpretation is that any times not explicitly mentioned are not
acceptable.
Note that explicit braces are important in the above list. If they were missing,
the implied braces around the entire pattern would render this equivalent to
time~8-17/mon time~tues time~wed time~thu
time~fri
That is, the permitted times are 8-17h on Monday, and any time on Tuesday
through Friday.
Global Conditions
Global options and conditions affect the overall super processing. To set them, you must use a line like
:global Global Options And Patterns
or
:global_options Global Options And Patterns
:global cond cond ...
<> cond cond ...
:global jan <> !@+badhosts
:global !root <>
Conditionally-included Control Lines
Control lines can be conditionally included by using the :if control line. This can be helpful when using a single super.tab file for hosts with different architectures, or hosts in different NIS domains, etc. The syntax is:
:if left op
right
moreText
For example, you could include a file of commands only valid on Sun4-type machines as follows:
:if $UNAME_MACHINE ~ sun* \ :include /Path/To/Sun4/File
:if $UNAME_MACHINE ~ sun* \ :if $UNAME_MACHINE != sun4c \ :include /Path/To/Sun4/File
Variables
Super offers variables to make it easier to handle entries that are duplicated or are constructed out of other entries. Variables are defined by typing:define VariableName
VariableDefinition
:getenv
[EnvVarName...]
:define Users user1,\ user2,\ user3
and
:define Users user1,user2,user3
$VariableName
$(VariableName)
:define A $$ :define B A :define C $B $$B $C
:define Room103_WS hosta,hostb,hostc,hostd :define Room105_WS hoste,hostf,hostg,hosth :define Room106_WS +nonprivate :define PublicWorkstations $Room103_WS,$Room105_WS,$Room106_WS SomeCmd FullPathHere !@$(PublicWorkstations)
In the above example, we have taken advantage of the implied braces that are always placed around any pattern, so that the comma-separated list of workstations is brace-expanded into !@hosta !@hostb ... !@hoste !@hostf ... !@+nonprivate. Some variables are automatically defined by super. After super determines whether it is processing a per-user .supertab (see super(1)), it defines IS_USERTAB to be `` yes'' if super is processing a per-user .supertab file, and `` no'' otherwise. The allows the super.init to act differently depending on how it is being invoked. When the top-level super.tab file is opened, SUPER_OWNER is set to the login name of the owner, and SUPER_HOME is set to the home directory of the owner. This can be useful in per-user .supertab files, especially when they include files shared among several accounts. For example, each person's .supertab file could be simply
:include /opt/proj/common.supertab
owner=cristy
:global logfile=$SUPER_HOME/.superlog
* /project/tools/$SUPER_OWNER/* :toolgroup
sam /usr/sbin/sam group~operator uid=0 \ env=DISPLAY \ setenv=XAUTHORITY=$CALLER_HOME/.Xauthority
• HOSTNAME Hostname, possibly canonicalized.
From the getdomainname() function:
• NIS_DOMAIN domain set for NIS purposes.
From the sysinfo() function:
• SI_SYSNAME Name of operating system.
From the uname() function:
• UNAME_SYSNAME Operating system name.
Options
The configuration file can specify a wide variety of options, such as requiring the user's password before executing some commands, or restricting the command-line arguments to match certain patterns. Options are handled very differently from conditions (conditions include user, group, host, and time). If a control line's conditions aren't met, super falls through and tries the next control line in the file. After finding an acceptable control line, super will execute the command if the options are satisfied; otherwise, it stops and doesn't search the super.tab file any further. Options can be divided into (a) local options, which are defined on a regular control line, and apply only to that control line; and (b) global options, which are defined on a :global or :global_options line, take effect immediately after the line, and are valid until the end of the input or until there is a countermanding global option or pattern. All options are orthogonal to each other. It doesn't matter in what order they appear on a control line. Some options can be given as either local or global options. If both are used, the local setting overrides the global one. Two special names can be used with any of the options that take user or group ids as arguments: owner=xxx, uid=xxx, euid=xxx, gid=xxx, egid=xxx, u+g=xxx, groups=xxx, addgroups=xxx. These names are <owner>, meaning the owner of the file to be executed (or the owner's group, whichever is appropriate in the context); and <caller>, meaning the owner or group of the user calling super. The angle brackets are literally part of the name. These have the same values as the built-in variables CALLER and OWNER (see the Variables section, above). For example, the optionsgid=Foo uid=<caller>
would change the group to Foo, but leave the uid unchanged.
The recognized options are:
Group 1. Options Affecting How Superfiles Are Read and Processed.
patterns=xxx
(Global) Specifies the pattern-matching type for conditions and options.
The string xxx must be one of:
posix
— patterns are POSIX regular expressions. You can use
``posix/extended'' for extended regular expressions;
``posix/icase'' for case-insensitive regular expressions; or
``posix/extended/icase'' for both. See your regular-expression man
pages for details.
regex
— patterns are ed-style regular expressions, using the rules embodied
in the BSD 4.x routines re_comp()/re_exec(), with the addition
of csh-style brace expansion. This is the default for historical reasons, but
most people prefer to use shell-style patterns here, and it is recommended
that you put patterns=shell (see below) in your global options
list.
shell
— patterns are approximately Bourne-shell style, with the addition of
csh-style brace expansion and the special [[chars]]
pattern. The patterns are formed from:
\x force x to
be a plain character;
? matches any
single character;
* matches any
sequence of 0 or more chars;
[chars] matches
any single character in the set;
[^chars] matches
any single char NOT in the set;
[[chars]] When
the pattern begins with [[, and ends with ]], then each and
every character in the string must match the ordinary square-bracket pattern
[chars] (or [^chars]).
^pat inverts
the sense of the match — the string must NOT match the pattern.
lang=zzz
(Global) This option sets the language used for weekdays (in time
conditions). Here, zzz may be any locale available on your host. For
example, lang=de would typically cause super to use German
names. The default is the C locale, hence English names.
relative_path=y|n
(Global) If y, FullPathNames can be relative instead of absolute.
By default this is disallowed, because it is almost always a very foolish
(unsafe) thing to do.
group_slash=y|n
(Global) If y, group names can contain a slash. By default this is
disallowed, so that super can catch certain typos in the
super.tab file. (Namely, super can catch errors in which an
entry is of the form Cmd:File instead of the required
Cmd::File. The trouble is that
Cmd:File looks syntactically like
user:group, and can therefore be mistaken for a valid
part of a control line. But the filename will contain a slash — unless
you have unwisely enabled the relative_path option — so
disallowing slashes allows super to flag the line as syntactically
invalid.)
gethostbyname=y|n
(Global) Enables or disables the use of gethostbyname() to find
the fully-qualified domain name (see the discussion in the Permitted
Users section, which describes the security issues associated with
enabling this option.) Default: enabled (if your host supports
gethostbyname()).
Group 2. Logging Options.
logfile=fname
(Global) Enables logging to a local file. Each invocation of super
(aside from ones for help) generates an entry in file fname.
loguid=xxx
(Global) If logging is enabled with logfile= fname, the logfile
will be opened for writing using uid= xxx (can be either a username or
numeric uid). This option allows you to have the file created/opened under
another uid that does have cross-host access, such as the uid of a system
manager. (See timestampuid=xxx for additional comments). Default:
loguid=0.
mail="mail-command"
(Local|Global) Notices of super failures are piped to the shell command
mail-command. This is independent of the setting of the logfile
and syslog options. For instance, mail="mail -s Super
joeblow" will cause error messages to be mailed to user
joeblow (on some systems you may need to substitute mailx for
mail). Note: the mail-command is executed by passing it as an
argument to popen(3). This is safe to execute because of the clean
environment assured by super.
mailany="mail-command"
(Local|Global) This is identical to the mail option, except that
mailany sends notification of successful invocations as well as
errors.
rlog_host=hostname
(Global) Tells super which host's syslog daemon is to receive log
messages when option syslog=y is enabled. The option has no effect if
used after the first message is logged: once the logger has been opened, it is
not re-opened if the rlog_host is changed. Default: the local host.
Note: One could instead configure the syslog.conf file to forward the
messages to a central machine.
syslog=y|n
(Global) Logging information is passed to the logs maintained by the
syslogd daemon. This is independent of the setting of the
logfile option (above). Error messages are by default logged at
priority LOG_ERR and successful attempts to run programs are logged at
priority LOG_INFO. (See options syslog_error and syslog_success
to change these levels.)
syslog_error=xxx
(Global) If syslog is enabled (see the syslog option), then by
default super logs error messages using syslog(3) code LOG_ERR.
This option changes the code to xxx, where xxx is any of the
usual syslog(3) priority and/or facility codes, such as
LOG_WARNING or LOG_LOCAL7|LOG_ERR. The LOG_xxx
words can be separated by whitespace, dot, and/or ``|'', but of course you
must use quotes if whitespace is included. The leading "LOG_" is
optional, and the value is case-insensitive. For example,
LOG_LOCAL7|LOG_ERR can alternatively be written as local7.err.
Super doesn't know what are sensible codes — it's up to the
super.tab writer to choose meaningful values. For instance, if you put
syslog_error="LOG_INFO | LOG_ERR" (bad!)
then you will get both those values or'd together and passed to
syslog().
syslog_success=xxx
(Global) This option is just like syslog_error, except that it
applies to successful-execution messages instead of error messages. Default:
LOG_INFO .
Group 3. Extra Help Information for Users.
info=xxx
(Local) The string xxx is printed when giving help to users. It
should be set to a helpful one-line description of the command.
Group 4. Password and Other Restrictions Before Approval.
maxlen=[mmm,]nnn
(Local|Global) Each argument must be no more than mmm characters
long (including the terminating null), and the sum length of all arguments
must not exceed nnn characters. A negative value means that no limit is
applied. The defaults for mmm and nnn are set by the
compile-time manifest constants MAXLEN1ARG and MAXLENARGS, which are usually
1000 and 10,000 characters, respectively.
nargs=[mmm-]nnn
(Local|Global) The user is required to enter mmm - nnn arguments
to the command. If just nnn is given, the user must enter exactly
nnn arguments. These arguments are in addition to any arguments entered
in the command part of the super.tab file. The default is to allow the
user to enter any number of arguments.
arg[mmm-]nnn=sss
(Local|Global) This means that the nnn'th or mmm-nnn'th
arguments must match pattern sss. (Arguments are numbered
from 1.) The pattern must be enclosed in quotes if it contains
whitespace. Note that this option does not require that there be
mmm-nnn arguments; it only says what those arguments must look
like, if entered. You can use this option several times on one line, with
different mmm-nnn values each time, to apply different patterns
to different arguments. If more than one pattern applies to a given argument,
all of those patterns must be matched. An empty pattern ("") is
special: it has the effect of unsetting (removing) any previous
patterns for the matching [ mmm-]nnn. This can be useful if you
want to change :global settings, instead of adding to them. If there
are local arg[mmm-]nnn option(s), they completely
replace all global arg[mmm-]nnn values, even if
the local mmm-nnn values do not overlap with the global
values.
owner=xxx
(Local|Global) This option specifies that the FullPath (after
asterisk-substitution) must be owned by user (or uid) xxx, or else it
won't be executed.
auth=y|n
(Local|Global) If y, user authentication is required before the
command is executed. The default authentication method is Unix password
authentication. See also the options authprompt, authtype,
authuser, timeout, and renewtime, and be sure to read the
warning under timestampbyhost.
authprompt=message
(Local|Global) Specifies the prompt used when authenticating the user
(usually the default prompt is fine). Variable substitution is done on the
prompt before printing.
authtype=type
(Local|Global) Specifies the type of authentication used when
auth=y. The type can be password or pam (if PAM is
supported on your system). The default is password. If PAM
authentication is used, super uses the service name ``super''
when looking for authentication in your system PAM configuration files.
authuser=username
(Local|Global) Specifies the user whose authentication is required when
auth=y. The default is the password (or other authentication) for the
user who invoked super.
password=y|n
(Local|Global) This is a deprecated option; it has been replaced by the
auth and authtype options. Password=y is equivalent to
auth=y authtype=password ; and Password=n is equivalent to
auth=n.
renewtime=y|n
(Global) If y, the user's timestamp file is updated to the current
time whenever an authentication-requiring command is executed. The result is
that a user who frequently executes authentication-requiring commands won't
need to re-authenticate until more than timeout minutes elapse since
the last such command. Otherwise, the user will need to re-authenticate
timeout minutes after last entering the password. The default is
n.
timeout=m
(Local|Global) User authentication is good for m minutes; that is,
the command may be executed without re-authenticating for m minutes
after the previous authentication (for any command). After m minutes,
user authentication will be required again before the command can be executed.
If timeout is zero or negative, authentication is required every time
the command is used. The timestamp for user usr is recorded in the file
TIMESTAMP_DIR directory (see timestampbyhost and the FILES
section, below).
timestampbyhost=y|n
(Global) If y (default), the timestamp files are given names that
are unique on each host. For instance, jouser@somehost will be given a
timestamp file named TIMESTAMP_DIR/somehost/jouser, where
TIMESTAMP_DIR is defined in the FILES section. If
timestmapbyhost=n, the timestamp files are given names that are unique
to each user, but not unique per host. For instance, jouser on any host
will be given a timestamp file named TIMESTAMP_DIR/jouser.
WARNING: The hostname used is that from gethostname(). Note that
this is not necessarily unique across internet domains, since it is frequently
not a fully-qualified domain name. Therefore you should not share timestamp
directories with hosts outside the local domain. (Generally such connections
don't exist, but one could crossmount the timestamp directory
disk...)
timestampuid=xxx
If a password is required, the time at which it was entered is recorded as the
mtime of a timestamp file. The timestamp file is normally created with
owner=root; however, this option causes it to be created/modified using uid=
xxx ( xxx can be either a username or numeric uid). This option
is useful when a network of hosts are sharing a cross-mounted timestamp
directory. Note that networks are typically configured to not allow root on
one host to have root access to files on another host, which will forbid root
on other hosts from creating the timestamp file unless it's world-writable.
This option allows you to have the file created/opened under another uid that
does have cross-host access, such as the uid of a system manager. Default:
timestampuid=0.
checkvar=name[,...]
(Local) Each name in the comma-separated list is a
super.tab variable which the user must enter at a prompt from
super. For example, you might have a super shutdown command
which halts the computer. If you execute this on the wrong host there may be
some very annoyed users! So, you can include checkvar=HOST, and the
user will have to type the correct hostname in response to a prompt from
super.
Group 5. Modifications to Environment Before Executing Command.
uid=xxx
(Local) Sets the real uid to xxx just before executing the
command. If option euid isn't used, also sets the effective uid to
xxx. The uid xxx is first tried as a login name and then as a
number. If the options uid=xxx and u+g=yyy (see
below) are used together, then the u+g option only sets the
group id, and not the user id.
euid=xxx
(Local) Sets the effective uid to xxx just before executing the
command. The uid xxx is first tried as a login name and then as a
number.
gid=yyy
(Local) Sets the real gid to yyy just before executing the
command. If option egid isn't used, also sets the effective gid to
yyy. The gid yyy is first tried as a group name and then as a
number.
egid=yyy
(Local) Sets the effective gid to yyy just before executing the
command. The gid yyy is first tried as a group name and then as a
number.
u+g=zzz
(Local) Sets the real uid to zzz, the real gid to zzz's
login gid, and the supplementary groups list to zzz's supplementary
groups just before executing the command. If the euid and/or
egid option aren't given, the effective uid and/or gid are also set.
The options u+g and gid=yyy conflict with each other, and may
not be used together.
groups=name[,...]
(Local|Global) By default, the user's supplementary groups list is
deleted before executing a command (unless the option u+g is used).
This option instead sets the group list to name[,...]
addgroups=name[,...]
(Local|Global) This option adds the listed groups to the supplementary
groups list. Since the default is to provide an empty supplementary groups
list, this option usually has the same effect as the plain groups
option. However, if the options u+g=foo
addgroups=a,b,c are used, then the supplementary groups list is
composed of user foo's supplementary groups plus a, b, and
c.
argv0=name
(Local) Execute the command will execute with its first argument (that
is, the argument conventionally denoted as argv[0]), set to
name. As a convenient shorthand, the value <path> (the
angle brackets are literally part of the name) means to use the
FullPath specified in the super.tab file. By default,
argv[0] is set to Cmd, the name of the super command
invoked by the user, regardless of the actual path being invoked. However,
some programs will not run properly unless argv[0] has a particular
value. For example, suppose you want to permit users to safely mount zip
disks, and you use something like: zipmount "/etc/mount -o nosuid
/dev/xz10 /zip"
This command will fail if /etc/mount requires that it be invoked with
argv[0] set to [.../]mount, because super will use
the name zipmount. However, you can put argv0=<path> into
your super.tab file, and then the mount command will work properly.
env=name[,...]
(Global|Local) Each name in the comma-separated list is an
environment variable which should not be deleted before executing the
Cmd; these variables are in addition to the normal variables created or
passed by super (TERM, IFS, PATH, USER, LOGNAME, HOME, ORIG_USER,
ORIG_LOGNAME, ORIG_HOME, LINES, COLUMNS, SUPERCMD). Be careful here;
environment variables can sometimes be abused to create security holes. If you
use the option more than once, the later instance overrides the earlier one,
instead of adding to it. Similarly, using it as a local option completely
overrides any global setting.
maxenvlen=nnn
(Global|Local) Specifies the maximum length of an environment variable
definition (including name, equal sign, value, and trailing null character).
The default is given by the compile-time manifest constant MAXENVLEN, usually
1000 characters. A negative value means no limit.
cd=dir
(Local|Global) Just before executing the command, super changes
the working directory to dir.
setenv=var=xxx
(Local|Global) The environment variable var is defined to have the
value xxx, and is passed on when executing the Cmd. You can add
several environment variable definitions by using the option more than
once.
fd=n[,...]
(Local) Each file descriptor n in the comma-separated list should
not be closed before executing the Cmd. These descriptors are
added to the usual set of descriptors kept open, namely 0, 1, 2.
nice=n
(Local|Global) changes the ``nice'' value of the executed command by an
amount n from the default level. (Positive increments reduce the
command's priority; negative increments increase it.)
umask=nnn
(Local|Global) sets the umask of any executed command to n. A
leading 0x or 0X in nnn means a hexadecimal value;
otherwise, a leading 0 means octal; otherwise it's decimal.
Group 6. Other Options
print=message
(Local) If the rest of the line is matched, then super prints the
specified message just before executing the command.
die=message
(Local) If the rest of the line is matched, then super does
variable-substitution on the specified message message, prints it, and
exits. This lets you conveniently set up some ``stop'' conditions, and use the
die option to prevent super from looking at any line past the stop conditions.
Otherwise, you'd have to individually attach the stop conditions to every
control line.
Include Files
A super.tab file can include other files by means of an entry like
:include filename [ owner=xxx ] [ group=yyy ]
or
:optinclude file [ owner=xxx ] [ group=yyy ]
If the file isn't an absolute path, it is taken to be relative to the
directory containing the super.tab file. Include files may be nested up
to the system limit on the number of simultaneously-open file descriptors.
The owner=xxx option specifies that the file must be owned
by user xxx; the group=yyy options specifies that the
file must belong to group yyy. If group=yyy is
specified, then the file can be group-writable; by default, the file must be
writable only by owner. This can be useful for a collection of accounts that
are operated together as part of a single project — the several of
accounts can share .supertab files by :include-ing files
belonging to the trusted user xxx and/or group yyy. Notes:
1. The regular root-owned super.tab file can also use the owner=
or group= constructs, but it's not a good idea. Don't do it.
2. Beware of the transitive nature of this trust: the file owned by xxx
can in turn include a file owned by yet another user. You might wind up
trusting a user you didn't intend to trust!
The difference between :include and :optinclude is that the former
generates an error if the named file doesn't exist, whereas the latter
(optional-include) silently ignores files that don't exist.
WARNING: You should use :optinclude with great caution, and be
sure not to depend on that file being present. It is easy to imagine a
scenario in which an administrator carelessly changes an entry so that the
wrong permission is granted if an :optinclude'd file was missing.
FILES
- /etc/super.tab
- The location of the super.tab file on your system.
- /etc/super.init
- The location of the super.init file on your system.
- /run/superstamps/username
- Default location of the file whose mtime is used as the timestamp for the last time the user entered his or her password for password-requiring commands. Check your installation for the directory used on your system.
EXAMPLES
Example 1.
The control line
allows /usr/local/bin/doit to be run setuid-root by
• user me on any host,
• user you on hosts h1 and h32;
• any users named ja.* in group ok_j;
• and anybody in group goodguys.
doit /usr/local/bin/doit \
me \
you@{h1,h32} \
ja.*:ok_j \
:goodguys
• user me on any host,
Example 2.
The pair of control lines
allows user jo to run /usr/local/bin/doit with uid =
smith, gid = smith's login gid, and keeping the
environment variables TZ and TAPE in addition to the standard set. If user
jo is at PublicWorkstation, the first entry will match,
requiring jo's password every time the command is used; otherwise,
super will match at the second entry, and no password is needed to run
the command.
doit /usr/local/bin/doit \ u+g=smith env=TZ,TAPE \ password=y timeout=0 \ jo@PublicWorkstation doit /usr/local/bin/doit \ u+g=smith env=TZ,TAPE \ jo
Example 3.
Here is an entry restricting CD-ROM mounting on different hosts: tas is
the only user who may mount CD's on elgar; anybody in group xyz
may mount CD's on alpha or delta; and anybody on a host in the
netgroup india may mount a CD on the india hosts. However, user
jo may never run cdmount, regardless of his or her group or host
(assuming that there is no overriding global pattern that permits jo to
use the command). Note that shell-style patterns are used, not regex-style
patterns.
cdmount /usr/local/bin/cdmount \
tas@elgar \
:xyz@{alpha,delta} \
*@+india \
!jo
SEE ALSO
super(1).| local |