7a53967a |
1 | \input texinfo @c -*-texinfo-*- |
2 | @c |
69805471 |
3 | @c $Id: become.texi,v 1.2 1998/01/12 16:41:31 mdw Exp $ |
7a53967a |
4 | @c |
5 | @c Documentation for `become' |
6 | @c |
69805471 |
7 | @c (c) 1998 EBI |
7a53967a |
8 | @c |
9 | |
10 | @c ----- Revision history --------------------------------------------------- |
11 | @c |
12 | @c $Log: become.texi,v $ |
69805471 |
13 | @c Revision 1.2 1998/01/12 16:41:31 mdw |
14 | @c Tidying for new release versions. Fix copyright date. |
15 | @c |
7a53967a |
16 | @c Revision 1.1 1997/09/18 11:16:34 mdw |
17 | @c Brand new Texinfo manual, with wider scope than the original LaTeX one. |
18 | @c |
19 | |
20 | @c ----- Standard boilerplate ----------------------------------------------- |
21 | |
22 | @c %**start of header |
23 | @setfilename become |
24 | @settitle Become |
25 | @setchapternewpage odd |
26 | @footnotestyle end |
27 | @paragraphindent 0 |
28 | @iftex |
29 | @c @smallbook |
30 | @afourpaper |
31 | @c @parindent=0pt |
32 | @end iftex |
33 | @c %**end of header |
34 | |
35 | @c ----- Useful macros ------------------------------------------------------ |
36 | |
69805471 |
37 | @set version 1.2 |
7a53967a |
38 | |
39 | @c ----- Copyright matters -------------------------------------------------- |
40 | |
41 | @c --- The `Info' version --- |
42 | |
43 | @ifinfo |
44 | |
45 | This file documents Become version @value{version}. |
46 | |
69805471 |
47 | Copyright (c) 1998 European Bioinformatics Institute. |
7a53967a |
48 | |
49 | Permission is granted to make and distribute verbatim copies of this |
50 | manual provided the copyright notice and this permission notice are |
51 | preserved on all copies. |
52 | |
53 | @ignore |
54 | Permission is granted to process this file through TeX and print the |
55 | results, provided the printed document carries a copying permission |
56 | notice identical to this one except for the removal of this paragraph |
57 | (this paragraph not being relevant to the printed manual). |
58 | |
59 | @end ignore |
60 | Permission is granted to copy and distribute modified versions of this |
61 | manual under the conditions for verbatim copying, provided also that the |
62 | sections entitled `Copying' and `GNU General Public License' are |
63 | included exactly as in the original, and provided that the entire |
64 | resulting derived work is distributed under the terms of a permission |
65 | notice identical to this one. |
66 | |
67 | Permission is granted to copy and distribute translations of this manual |
68 | into another language, under the above conditions for modified versions, |
69 | except that this permission notice may be stated in a translation |
70 | approved by the European Bioinformatics Institute. |
71 | |
72 | @end ifinfo |
73 | |
74 | @c --- Printed title page --- |
75 | |
76 | @titlepage |
77 | |
78 | @title The Become program |
79 | @subtitle Become version @value{version} |
80 | @author Mark Wooding (@email{mdw@@ebi.ac.uk}) |
81 | @page |
82 | |
83 | @vskip 0pt plus 1filll |
84 | |
85 | Copyright @copyright{} 1997 European Bioinformatics Institute. |
86 | |
87 | Permission is granted to make and distribute verbatim copies of this |
88 | manual provided the copyright notice and this permission notice are |
89 | preserved on all copies. |
90 | |
91 | Permission is granted to copy and distribute modified versions of this |
92 | manual under the conditions for verbatim copying, provided also that the |
93 | sections entitled `Copying' and `GNU General Public License' are |
94 | included exactly as in the original, and provided that the entire |
95 | resulting derived work is distributed under the terms of a permission |
96 | notice identical to this one. |
97 | |
98 | Permission is granted to copy and distribute translations of this manual |
99 | into another language, under the above conditions for modified versions, |
100 | except that this permission notice may be stated in a translation |
101 | approved by the European Bioinformatics Institute. |
102 | |
103 | @end titlepage |
104 | |
105 | |
106 | @c -------------------------------------------------------------------------- |
107 | @ifinfo |
108 | @node Top, Copying, (dir), (dir) |
109 | @top Become |
110 | |
111 | |
112 | Become is a system for managing shared accounts. It allows users to |
113 | `become' other users in order to do useful work. It can be managed on a |
114 | central server (or a small number of central servers), or it can run |
115 | standalone. |
116 | |
117 | This file documents Become version @value{version}. |
118 | |
119 | @end ifinfo |
120 | |
121 | @menu |
122 | * Copying:: Your rights to distribute and modify |
123 | * Introduction:: A brief introduction to Become |
124 | * Becoming someone else:: How to become somebody else |
125 | * Administering Become:: How to maintain Become |
126 | * Invoking Become:: Reference to Become's command line options |
127 | |
128 | --- The Detailed Node Listing --- |
129 | |
130 | Becoming someone else |
131 | |
132 | * Terminology:: Some important terms defined |
133 | * Environment:: Login styles and environment variables |
134 | * Group permissions:: How Become handles group permissions |
135 | * X authority:: Problems with X authority files |
136 | * Running commands:: Running commands other than a shell |
137 | |
138 | How Become sets up the environment |
139 | |
140 | * New environment variables:: Become adds some useful environment variables |
141 | * Login styles:: Choose how Become sets the environment |
142 | * Tweaking the environment:: Altering individual environment variables |
143 | * Removed variables:: Some environment variables aren't passed on |
7a53967a |
144 | |
145 | Login styles |
146 | |
147 | * The preserve style:: Preserve the current environment |
148 | * The set-user style:: Set user-specific variables (like @code{su}) |
149 | * The login style:: Clear the environment (like @code{login}) |
150 | |
151 | How Become handles groups |
152 | |
153 | * Primary group selection:: Setting the new primary group |
154 | * Subsidiary groups:: Setting subsidiary group memberships |
155 | |
156 | Considerations for X authority |
157 | |
158 | * The user-group method:: A secure method for handling X authority |
159 | * Using xauth:: A less secure method, which might be easier |
160 | |
161 | Become administration |
162 | |
163 | * Configuration files:: Overview of Become's configuration files |
164 | * Standalone or networked:: The two main types of Become installations |
165 | * The configuration file:: How to define who's allowed to do what |
69805471 |
166 | * Networked configuration:: Considerations for networked installations |
7a53967a |
167 | |
168 | The configuration file |
169 | |
170 | * Basic syntax:: Quick overview of Become's syntax |
171 | * Classes:: Defining classes of things |
172 | * Predefined classes:: Become predefines some (maybe) useful classes |
173 | * Allow statements:: Allow users to become other users |
174 | * Other statements:: Some other useful statements |
175 | * Example configuration file:: An example, showing a few features. |
176 | * Complete grammar:: Complete grammar for Become config files |
177 | |
178 | Networked configuration |
179 | |
180 | * Choosing servers:: Which servers Become tries to talk to |
181 | * Setting up keys:: How to generate keys for Become |
182 | * Random number files:: Become keeps random number state around |
183 | * Issuing a new key:: How to issue new keys without disruption |
184 | |
185 | Setting up keys |
186 | |
187 | * Invoking keygen:: How to use the @code{keygen} program |
188 | |
189 | Invoking Become |
190 | |
191 | * Becoming another user:: Options for becoming another user |
192 | * Starting Become daemons:: Options for starting Become daemons |
193 | * Debugging options:: Options to use when Become goes wrong |
194 | @end menu |
195 | |
196 | @c -------------------------------------------------------------------------- |
197 | @node Copying, Introduction, Top, Top |
198 | @unnumbered The GNU General Public License |
199 | |
200 | |
201 | @include gpl.texi |
202 | |
203 | |
204 | @c -------------------------------------------------------------------------- |
205 | @node Introduction, Becoming someone else, Copying, Top |
206 | @unnumbered Introduction |
207 | |
208 | |
209 | It's often useful to be able to share accounts between a number of |
210 | users. For example, a group maintaining an externally visible service |
211 | need to be able to start and kill the server process. Giving such a |
212 | shared account a password is a fairly bad plan: such passwords tend not |
213 | to get changed very often, and they have a habit of spreading beyond the |
214 | group of legitimate users. |
215 | |
216 | The Become program presented here offers a solution to the problems of |
217 | shared accounts. It allows the system adminstrator to define which |
218 | users are allowed access to which accounts, on which hosts, and to |
219 | execute which commands. Such shared accounts can then, in general, have |
220 | their passwords removed. |
221 | |
222 | This coincidentally has another advantage: when `becoming' to a shared |
223 | account, a user can retain her@footnote{Or his. I'll choose one or the |
224 | other fairly randomly throughout this manual.} own environment, which |
225 | she's carefully crafted and honed over the years, rather then being |
226 | presented with some lowest-common-denominator setup which probably |
227 | doesn't even use the right shell. |
228 | |
229 | The configuration file for Become can either be distributed to all the |
230 | various hosts in a network or a few carefully set up and secure servers |
231 | (@pxref{Standalone or networked}). |
232 | |
233 | |
234 | @c -------------------------------------------------------------------------- |
235 | @node Becoming someone else, Administering Become, Introduction, Top |
236 | @chapter Becoming someone else |
237 | |
238 | |
239 | The simplest way to become someone else is to say |
240 | |
241 | @example |
242 | become @var{user} |
243 | @end example |
244 | |
245 | @noindent |
246 | Become will check to see whether you're allowed to become @var{user}. If you |
247 | are, it starts a shell process with the user-id set to @var{user}. Any |
248 | commands you type are executed with the privileges of @var{user}. |
249 | |
250 | The full invocation is slightly more complicated: |
251 | |
252 | @example |
253 | become [@var{option}@dots{}] [@var{env-var}@dots{}] @var{user} [@var{command} [@var{arg}@dots{}]] |
254 | @end example |
255 | |
256 | Actually, the @var{option}s, @var{env-var}s and @var{user} can be in any |
257 | order -- the important point is that all of them appear before the |
258 | @var{command}, if there is one. |
259 | |
260 | @menu |
261 | * Terminology:: Some important terms defined |
262 | * Environment:: Login styles and environment variables |
263 | * Group permissions:: How Become handles group permissions |
264 | * X authority:: Problems with X authority files |
265 | * Running commands:: Running commands other than a shell |
266 | @end menu |
267 | |
268 | |
269 | |
270 | @node Terminology, Environment, Becoming someone else, Becoming someone else |
271 | @section Terminology |
272 | |
273 | The following terms get used quite a bit in the following text: |
274 | |
275 | @table @asis |
276 | @item request |
277 | An invocation of Become, asking permission to become another user. |
278 | |
279 | @item old user |
280 | The (real) user id of the process which invoked Become; usually, this will be |
281 | your normal user id. |
282 | |
283 | @item target user |
284 | The user whom you want to become, named in a request. |
285 | @end table |
286 | |
287 | |
288 | |
289 | @node Environment, Group permissions, Terminology, Becoming someone else |
290 | @section How Become sets up the environment |
291 | |
292 | There are thorny problems with handling the user's environment. It seems |
293 | that (the author's initial assessment notwithstanding) there is no single |
294 | best way of handling environment variables. As a result, Become can do just |
295 | about everything you might want it to. This gets slightly complicated. |
296 | Don't worry: it's not as hard as all that. |
297 | |
298 | @menu |
299 | * New environment variables:: Become adds some useful environment variables |
300 | * Login styles:: Choose how Become sets the environment |
301 | * Tweaking the environment:: Altering individual environment variables |
302 | * Removed variables:: Some environment variables aren't passed on |
7a53967a |
303 | @end menu |
304 | |
305 | |
306 | @node New environment variables, Login styles, Environment, Environment |
307 | @subsection Environment variables created by Become |
308 | |
309 | To help you (and, more importantly, your startup scripts) keep track of who |
310 | you are, and who you were originally, Become adds some variables to the |
311 | environment of any processes it starts. |
312 | |
313 | @table @code |
314 | @item BECOME_USER |
315 | The name of the target user (i.e., the user you are now). It might be useful |
316 | to test this value in shell startup scripts, for example. |
317 | |
318 | @item BECOME_HOME |
319 | The home directory of the target user. It can be handy to read startup and |
320 | other configuration files from here. |
321 | |
322 | @item BECOME_OLD_USER |
323 | The name of the user who invoked Become. |
324 | |
325 | @item BECOME_OLD_HOME |
326 | The home directory of the `old' user. |
327 | |
328 | @item BECOME_ORIGINAL_USER |
329 | This is intended to be the name you logged in with. If it's unset, Become |
330 | sets it to be the same as @code{BECOME_OLD_USER}; otherwise it leaves it |
331 | unchanged. |
332 | |
333 | @item BECOME_ORIGINAL_HOME |
334 | This is intended to be the home directory you logged in with. If it's unset, |
335 | Become sets it to be the same as @code{BECOME_OLD_HOME}; otherwise, it leaves |
336 | it unchanged. |
337 | @end table |
338 | |
339 | Don't even think about relying on these variables as a form of |
340 | authentication. It won't work. They're provided only to help organise |
341 | startup scripts. |
342 | |
343 | |
344 | |
345 | @node Login styles, Tweaking the environment, New environment variables, Environment |
346 | @subsection Login styles |
347 | |
348 | Originally, Become always tried to preserve your environment. There's a |
349 | rational explanation for this approach, which is given in the description of |
350 | the `preserve' style below. Unfortunately, not everyone liked this |
351 | approach. As a result, there's now a collection of different login styles. |
352 | |
353 | Login styles are selected by giving command line arguments: |
354 | |
355 | @table @code |
356 | @item -p |
357 | @itemx --preserve |
358 | The original style: try to preserve the existing user's environment as much |
359 | as possible. |
360 | |
361 | @item -s |
362 | @itemx --set-user |
363 | Set some user-specific variables, like @code{USER} and @code{HOME} to reflect |
364 | the target user rather than the old user. All other variables are preserved. |
365 | |
366 | @item -l |
367 | @itemx --login |
368 | Attempts to make the `become' process as much like a real login as possible. |
369 | All variables not explicitly preserved are deleted, and a new environment is |
370 | built, reflecting the target user. |
371 | @end table |
372 | |
373 | The various styles, and the reasons behind them, are described below. |
374 | |
375 | @menu |
376 | * The preserve style:: Preserve the current environment |
377 | * The set-user style:: Set user-specific variables (like @code{su}) |
378 | * The login style:: Clear the environment (like @code{login}) |
379 | @end menu |
380 | |
381 | |
382 | @node The preserve style, The set-user style, Login styles, Login styles |
383 | @subsubsection The `preserve' login style |
384 | |
385 | You've spent many hours (days? weeks, even?) customising and honing your |
386 | startup files, learning how to use your shell, and tweaking your favourite |
387 | text editor until it's just the way you like it. So there can be few things |
388 | more annoying than logging into a shared account to find out that the shell's |
389 | wrong, your editor startup files are ignored, and nothing works quite the way |
390 | you'd like it to. Typically you can't change this without annoying the other |
391 | users: the result is a horrible compromise which dissatisfies everyone |
392 | equally. |
393 | |
394 | The `preserve' style lets you take your standard environment with you when |
395 | you become someone else. It tries hard not to modify any environment |
396 | variables. |
397 | |
398 | Become starts your standard shell. If you have an environment variable |
399 | @code{SHELL} defined, than this is executed. Otherwise, the shell specified |
400 | in your entry in the password file is used. (You must have permission to |
401 | execute whatever shell is chosen as the target user, or you'll just be given |
402 | an error message.) |
403 | |
404 | Most programs look at environment variables in preference to looking up |
405 | entries in the password database; e.g., they tend to use @code{USER} or |
406 | @code{LOGNAME} for the user name, and @code{HOME} for your home directory. |
407 | As a result, most programs will continue to find their configuration files in |
408 | your home directory. Also, systems like RCS will use your real name, rather |
409 | than the name of the user that you have become. |
410 | |
411 | To make best use of this login style, you may need to adjust your login |
412 | scripts to notice when @code{BECOME_USER} is someone else, and read in |
413 | appropriate definitions. For example, a `bash' user might say something like |
414 | this in her @file{.bashrc}: |
415 | |
416 | @example |
417 | if [ -n "$BECOME_HOME" ]; then . $BECOME_HOME/.bashrc |
418 | @end example |
419 | |
420 | @noindent |
421 | Similarly, a C shell user (either `tcsh' or `csh') might say something like |
422 | |
423 | @example |
424 | if ($?BECOME_HOME) source $@{BECOME_HOME@}/.cshrc |
425 | @end example |
426 | |
427 | (Note that plain Bourne shell users have a slight problem, because the Bourne |
428 | shell only reads configuration things on a login, not when a normal |
429 | interactive shell is started.) |
430 | |
431 | |
432 | @node The set-user style, The login style, The preserve style, Login styles |
433 | @subsubsection The `set-user' login style |
434 | |
435 | The author sees the main use of Become as allowing a user to acquire the |
436 | privileges associated with a shared account without all the problems which |
437 | shared accounts usually cause. To the author's way of thinking, one of the |
438 | main problems is that your environment gets replaced by something alien and |
439 | wrong. People disagree with me over this point, and for this reason the |
440 | `set-user' style exists. |
441 | |
442 | The objective of `set-user' style is to behave similarly to the standard |
443 | @code{su} command. Unless they've been preserved explicitly (@pxref{Tweaking |
444 | the environment}), `set-user' mode sets the following environment variables: |
445 | |
446 | @table @code |
447 | @item USER |
448 | @itemx LOGNAME |
449 | The name of the target user. |
450 | |
451 | @item HOME |
452 | The home directory of the target user. |
453 | |
454 | @item SHELL |
455 | The target user's default shell |
456 | @end table |
457 | |
458 | The result of this is that the shell will read the target user's |
459 | configuration files and present you with the environment set up there. |
460 | |
461 | I can't think of this style as being anything other than a migration aid |
462 | while users are getting used to the freedom offered by the `preserve' style. |
463 | |
464 | |
465 | @node The login style, , The set-user style, Login styles |
466 | @subsubsection The `login' login style |
467 | |
468 | The `login' style causes Become to attempt to emulate a full login. Become |
469 | will empty the environment of any variables which aren't explicitly preserved |
470 | (@pxref{Tweaking the environment}). It will then set the following |
471 | variables: |
472 | |
473 | @table @code |
474 | @item USER |
475 | @itemx LOGNAME |
476 | The name of the target user. |
477 | |
478 | @item HOME |
479 | The home directory of the target user. |
480 | |
481 | @item SHELL |
482 | The target user's default shell |
483 | |
484 | @item MAIL |
485 | An educated guess at where the target user's mailbox is. |
486 | @end table |
487 | |
488 | By default, it runs the target user's shell, informing it that this is a |
489 | login by setting the first character of @code{argv[0]} to @samp{-}. |
490 | |
491 | Become makes no entries in the @file{utmp} and @file{wtmp} files. |
492 | |
493 | |
494 | |
495 | @node Tweaking the environment, Removed variables, Login styles, Environment |
496 | @subsection Tweaking individual environment variables |
497 | |
498 | Become's login styles provide a sort of course-grained control over the |
499 | environment. Sometimes the control isn't fine enough. Become lets you tweak |
500 | individual variables: you can set, delete, or preserve named variables from |
501 | modification. |
502 | |
503 | There are three different things you can do with environment variables: |
504 | |
505 | @itemize @bullet |
506 | @item |
507 | Set a variable called @var{var} to a value @var{value}, by saying |
508 | |
509 | @example |
510 | @var{var}=@var{value} |
511 | @end example |
512 | |
513 | @noindent |
514 | The variable is preserved from automatic deletion by the login-style rules. |
515 | |
516 | @item |
517 | Delete a variable called @var{var} from the environment, by saying |
518 | |
519 | @example |
520 | @var{var}- |
521 | @end example |
522 | |
523 | @item |
524 | Preserve a variable @var{var} from being deleted or modified by Become's |
525 | login-style rules, but not change its value, by saying |
526 | |
527 | @example |
528 | @var{var}! |
529 | @end example |
530 | @end itemize |
531 | |
532 | Just to try and make this slightly more sensible, here's an example. Suppose |
533 | I want my @code{XAUTHORITY} variable to be set when I become user `fred': |
534 | |
535 | @example |
536 | become XAUTHORITY=$HOME/.Xauthority fred |
537 | @end example |
538 | |
539 | @noindent |
540 | should do the job nicely. Similarly, if I want to log in as `bob', but don't |
541 | want my @code{EDITOR} variable to change: |
542 | |
543 | @example |
544 | become --login EDITOR! bob |
545 | @end example |
546 | |
547 | @noindent |
548 | (Of course, in this example, I'm at the mercy of Bob's shell init files as to |
549 | whether his choice of editor overrides mine.) |
550 | |
551 | |
552 | |
69805471 |
553 | @node Removed variables, , Tweaking the environment, Environment |
7a53967a |
554 | @subsection Variables removed from the environment |
555 | |
556 | Some variables are removed from the environment which Become passes to a |
557 | program for security reasons: |
558 | |
559 | @table @code |
560 | @item LD_* |
561 | @itemx SHLIB_PATH |
562 | @itemx LIBPATH |
563 | @itemx _RLD_* |
564 | These variables are used on various systems as a search path for shared |
565 | libraries. Clearly, by manipulating these search paths, an attacker could |
566 | replace a standard shared library with one of his own. |
567 | |
568 | @item IFS |
569 | The shell input field separator. Modifying this variable radically alters |
570 | the way shells parse their inputs. (In particular, consider the case where |
571 | @code{IFS} contains @samp{/}.) |
572 | |
573 | @item ENV |
574 | @itemx BASH_ENV |
575 | Used by some shells: it contains the name of a file to read on every shell |
576 | invocation. |
577 | |
578 | @item KRB_CONF |
579 | @ignore |
580 | I'm not really sure what's going on here, so I'll just have to bluff my way |
581 | through. I think that the following is more-or-less accurate, having browsed |
582 | a small amount of Kerberos-related documentation. |
583 | @end ignore |
584 | Contains the name of a Kerberos configuration file. By manipulating this |
585 | variable, an attacker could persuade a program to believe the wrong |
586 | authentication server. |
587 | @end table |
588 | |
589 | Also note that the @code{PATH} variable is modified: any items which aren't |
590 | absolute pathnames are removed from the path. This check may become stricter |
591 | in future, although getting the balance between security and convenience is |
592 | particularly hard here. |
593 | |
594 | |
595 | |
7a53967a |
596 | @node Group permissions, X authority, Environment, Becoming someone else |
597 | @section How Become handles groups |
598 | |
599 | As well as handling changes of user id, Become also changes group ids. |
600 | The exact changes Become makes are under user control. |
601 | |
602 | @menu |
603 | * Primary group selection:: Setting the new primary group |
604 | * Subsidiary groups:: Setting subsidiary group memberships |
605 | @end menu |
606 | |
607 | |
608 | @node Primary group selection, Subsidiary groups, Group permissions, Group permissions |
609 | @subsection Choosing a new primary group |
610 | |
611 | By default, the primary group is chosen according to the login style |
612 | (@pxref{Login styles}): the `preserve' style retains the current primary |
613 | group, while `set-user' and `login' styles choose the target's primary group. |
614 | |
615 | You can override Become's default choice using the @code{--group} (@code{-g} |
616 | for short) option: |
617 | |
618 | @example |
619 | become --group=@var{group} @dots{} |
620 | @end example |
621 | |
622 | The chosen @var{group} may be either a group name or a numeric gid. The |
623 | group must be one of the following: |
624 | |
625 | @itemize @bullet |
626 | @item |
627 | Your current primary group. |
628 | @item |
629 | One of your current subsidiary groups. |
630 | @item |
631 | The target user's primary group. |
632 | @item |
633 | One of the target user's subsidiary groups. |
634 | @end itemize |
635 | |
636 | Become will raise an error if this isn't the case. |
637 | |
638 | |
639 | @node Subsidiary groups, , Primary group selection, Group permissions |
640 | @subsection Handling subsidiary group memberships |
641 | |
642 | Subsidiary group memberships are a powerful tool for managing permissions |
643 | under Unix. Traditionally, they tend to be tied to particular users. Become |
644 | tries to be sightly more intelligent about group memberships. |
645 | |
646 | Become has a concept of @dfn{group style}, analogous to login style |
647 | (@pxref{Login styles}). The styles are selected by giving command line |
648 | arguments: |
649 | |
650 | @table @code |
651 | @item -k |
652 | @itemx --keep-groups |
653 | Retain the existing group memberships; don't add any new groups. |
654 | |
655 | @item -m |
656 | @itemx --merge-groups |
657 | Merge group memberships of the target user with the exiting memberships. |
658 | |
659 | @item -r |
660 | @itemx --replace-groups |
661 | Replace the existing group memberships with the target user's memberships. |
662 | @end table |
663 | |
664 | Again, the defaults are dependent on the chosen login style. Both `preserve' |
665 | and `set-user' merge group memberships; the `login' style replaces the set of |
666 | groups. |
667 | |
668 | Note that you can do perverse things like replace all the subsidiary groups |
669 | but retain your primary group (using the @code{--group} option; |
670 | @pxref{Primary group selection}) if you like: Become won't try to stop you. |
671 | |
672 | |
673 | |
674 | @node X authority, Running commands, Group permissions, Becoming someone else |
675 | @section Considerations for X authority |
676 | |
677 | Other users can't read your @file{.Xauthority} file, if you have one. This |
678 | is as it should be: anyone who can read it can connect to your X server and |
679 | read or generate events. However, once you've become another user, you can't |
680 | open any X windows; this can be annoying if your favourite editor is X-based. |
681 | |
682 | There are two basic approaches. Either you can send the shared account a |
683 | copy of your display's magic cookie, or you can retain permission to read the |
684 | cookie file. |
685 | |
686 | @menu |
687 | * The user-group method:: A secure method for handling X authority |
688 | * Using xauth:: A less secure method, which might be easier |
689 | @end menu |
690 | |
691 | |
692 | @node The user-group method, Using xauth, X authority, X authority |
693 | @subsection The user-group method for handling X authority |
694 | |
695 | This method is completely secure only if your site uses the `user-group' |
696 | system. In this system, each user is allocated a group containing only that |
697 | user. Usually this is made the user's default primary group, although that's |
698 | not necessary here. |
699 | |
700 | When you start a new X session, ensure that your cookie file is owned by you |
701 | and your private group. Change the file's permissions so that it's group |
702 | readable. Finally, ensure that your private group is retained when you |
703 | become someone else (@pxref{Group permissions}), and that the |
704 | @code{XAUTHORITY} variable is set correctly. |
705 | |
706 | The following Bourne shell code in a @file{.xinitrc} should do most of the |
707 | work: |
708 | |
709 | @example |
710 | XAUTHORITY="$HOME/.Xauthority" |
711 | export XAUTHORITY |
712 | chgrp mygroup $XAUTHORITY |
713 | chmod 640 $XAUTHORITY |
714 | @end example |
715 | |
716 | @noindent |
717 | In a C shell, this becomes |
718 | |
719 | @example |
720 | setenv XAUTHORITY $@{HOME@}/.Xauthority |
721 | chgrp mygroup $XAUTHORITY |
722 | chmod 640 $XAUTHORITY |
723 | @end example |
724 | |
725 | The @code{XAUTHORITY} file is preserved by both the `preserve' and `set-user' |
726 | login styles, so this isn't a problem. You can now become other users, and |
727 | your X permissions will follow you around correctly. |
728 | |
729 | It's probably worth noting that the @code{xauth} program annoyingly resets |
730 | the permissions on the cookie file every time it writes to it. This will be |
731 | particularly irritating if you use @code{ssh}'s X forwarding capabilities, |
732 | because every @code{ssh} connection will reset the permissions. You can deal |
733 | with this problem by putting a line |
734 | |
735 | @example |
736 | chmod 640 $@{XAUTHORITY-$HOME/.Xauthority@} 2>/dev/null |
737 | @end example |
738 | |
739 | @noindent |
740 | in your @file{.bashrc} or @file{.profile} (for Bourne-like shell users) or |
741 | |
742 | @example |
743 | if ($?XAUTHORITY) then |
744 | chmod 640 $XAUTHORITY >&/dev/null |
745 | else |
746 | chmod 640 $@{HOME@}/.Xauthority >&/dev/null |
747 | endif |
748 | @end example |
749 | |
750 | @noindent |
751 | in @file{.cshrc} for C shell users. |
752 | |
753 | |
754 | |
755 | @node Using xauth, , The user-group method, X authority |
756 | @subsection The `xauth' method for handling X authority |
757 | |
758 | This method sends your X cookie to the shared account. It's therefore |
759 | intrinsically dangerous: you must be able to trust the other users of the |
760 | shared account not to take undue advantage of this situation. |
761 | |
762 | The following (Bourne) shell snippet illustrates how you might send an |
763 | authorisation cookie to the shared account, to allow it to connect to your |
764 | display: |
765 | |
766 | @example |
767 | if test -n "$BECOME_HOME"; then |
768 | XAUTHORITY="$BECOME_HOME/.Xauthority"; export XAUTHORITY |
769 | elif test -n "$DISPLAY" && test -z "done_xauth_cookie"; then |
770 | case "$DISPLAY" in |
771 | :0.0) display=`hostname`:0.0 ;; |
772 | *) display="$DISPLAY" ;; |
773 | esac |
774 | xauth extract - $display | \ |
775 | become someone -c 'xauth -f $BECOME_HOME/.Xauthority merge -' |
776 | done_xauth_cookie=yes; export done_xauth_cookie |
777 | fi |
778 | @end example |
779 | |
780 | The equivalent C shell code is |
781 | |
782 | @example |
783 | if ($?BECOME_HOME) then |
784 | setenv XAUTHORITY "$@{BECOME_HOME@}/.Xauthority |
785 | else if ($?DISPLAY && ! $?done_xauth_cookie) then |
786 | if ($DISPLAY == :0.0) then |
787 | set display="`hostname`:0.0" |
788 | else |
789 | set display="$DISPLAY" |
790 | endif |
791 | xauth extract - $display | \ |
792 | become someone -c 'xauth -f $BECOME_HOME/.Xauthority merge -' |
793 | endif |
794 | @end example |
795 | |
796 | It works as follows: |
797 | |
798 | @itemize @bullet |
799 | @item |
800 | If the variable @code{BECOME_HOME} is set, then we're probably really someone |
801 | else, so point to the shared account's authority file. |
802 | |
803 | @item |
804 | Otherwise, check to see whether we have a display, and the authorisation has |
805 | not already been sent. If this is so, resolve a local display name into a |
806 | remote one (just in case) and then send it to the shared account. |
807 | @end itemize |
808 | |
809 | |
810 | |
811 | @node Running commands, , X authority, Becoming someone else |
812 | @section Executing specific commands |
813 | |
814 | As well as starting shells, Become can run single commands. This can be |
815 | useful in two ways: |
816 | |
817 | @itemize @bullet |
818 | @item |
819 | It enables Become to be used in scripts. |
820 | |
821 | @item |
822 | It allows access to shared accounts to be controlled on the basis of the |
823 | command to be run. |
824 | @end itemize |
825 | |
826 | To run a command as another user, say: |
827 | |
828 | @example |
829 | become @var{user} @var{command} [@var{argument}@dots{}] |
830 | @end example |
831 | |
832 | If the request is granted, Become runs @var{command}, passing it any |
833 | arguments following the command name. Become doesn't run a shell, so there's |
834 | no extra escaping which needs to be done. |
835 | |
836 | If you really want to run a shell command as another user, you can use the |
837 | @code{-c} option: |
838 | |
839 | @example |
840 | become @var{user} -c @var{shell-command} |
841 | @end example |
842 | |
843 | This is exactly equivalent to |
844 | |
845 | @example |
846 | become @var{user} /bin/sh -c @var{shell-command} |
847 | @end example |
848 | |
849 | in every way. In particular, you must have permission to run @file{/bin/sh} |
850 | as @var{user} for it to work: Become doesn't attempt to interpret the shell |
851 | command in any way. Also note that Become always uses the Bourne shell, |
852 | regardless of your current shell preference, or @var{user}'s default shell. |
853 | (This is done to provide a stable programming interface which works |
854 | irrespective of changes to the shared account's configuration.) |
855 | |
856 | |
857 | @c -------------------------------------------------------------------------- |
858 | @node Administering Become, Invoking Become, Becoming someone else, Top |
859 | @chapter Become administration |
860 | |
861 | |
862 | This chapter will explain how Become is administrated and maintained. |
863 | |
864 | @menu |
865 | * Configuration files:: Overview of Become's configuration files |
866 | * Standalone or networked:: The two main types of Become installations |
867 | * The configuration file:: How to define who's allowed to do what |
868 | * Networked configuration:: Considerations for networked installations |
869 | @end menu |
870 | |
871 | |
872 | |
873 | @node Configuration files, Standalone or networked, Administering Become, Administering Become |
874 | @section Configuration files |
875 | |
876 | Become keeps its configuration and administrative files in a directory |
877 | usually named @file{/etc/become}, although this can be changed with the |
878 | @code{--with-etcdir} option to the configuration script when you build |
879 | Become. |
880 | |
881 | Not all of the files are needed on all machines. |
882 | |
883 | @table @file |
884 | @item become.conf |
885 | The main configuration file, containing a description of which users are |
886 | allowed to become which other users, where, and what they're allowed to run |
887 | when they get there. Only needed on servers or standalone machines. |
888 | |
889 | @item become.server |
890 | A list of servers to contact. Only needed on client machines. |
891 | |
892 | @item become.key |
893 | The encryption key to use when sending requests to servers. Needed on |
894 | clients and servers, but not on standalone machines. |
895 | |
896 | @item become.pid |
897 | The process id of the server. Created automatically by Become's server when |
898 | in starts up. |
899 | |
900 | @item become.random |
901 | Contains state information for Become's random number generator. Created |
902 | automatically if it doesn't exist. |
903 | @end table |
904 | |
905 | |
906 | @node Standalone or networked, The configuration file, Configuration files, Administering Become |
907 | @section Installation types |
908 | |
909 | |
910 | Become can be installed in two different ways, depending on how you want to |
911 | administer it: |
912 | |
913 | @itemize @bullet |
914 | @item |
915 | In a @dfn{standalone} installation, each Become request is dealt with |
916 | locally: the program reads the configuration file, and decides whether it |
917 | should grant or deny permission. |
918 | |
919 | Standalone installations don't depend on servers being available, or even on |
920 | the existance of a network. They're useful for small sites, or sites with a |
921 | small number of users. The disadvantages are that reading the configuration |
922 | file takes a while, so the program doesn't feel as responsive as it should, |
923 | and ensuring that all the hosts' configuration files are synchronised becomes |
924 | difficult when you have lots of machines. |
925 | |
926 | @item |
927 | In a @dfn{network} installation, any Become requests are sent on to a |
928 | collection of servers. The servers analyse the request and send a reply back |
929 | which either authorises or forbids access. |
930 | |
931 | A networked installation clearly depends on the servers' reliability. The |
932 | client reacts only to the first reply it receives, so as long as there is one |
933 | server running, everything should continue as normal. |
934 | |
935 | A networked installation is useful when you have a large number of client |
936 | machines, particularly ones which may not be awake all the time. The full |
937 | configuration file only needs to be installed on a small number of servers; |
938 | the clients require only a list of server machines to contact, and an |
939 | encryption key to use. |
940 | @end itemize |
941 | |
942 | |
943 | |
944 | @node The configuration file, Networked configuration, Standalone or networked, Administering Become |
945 | @section The configuration file |
946 | |
947 | The main configuration file, usually called @file{/etc/become/become.conf}, |
948 | contains all the rules which Become uses to decide whether to grant or deny |
949 | requests. It may also contain additional information for the benefit of |
950 | Become daemons, if you're using a networked installation. |
951 | |
952 | @menu |
953 | * Basic syntax:: Quick overview of Become's syntax |
954 | * Classes:: Defining classes of things |
955 | * Predefined classes:: Become predefines some (maybe) useful classes |
956 | * Allow statements:: Allow users to become other users |
957 | * Other statements:: Some other useful statements |
958 | * Example configuration file:: An example, showing a few features. |
959 | * Complete grammar:: Complete grammar for Become config files |
960 | @end menu |
961 | |
962 | |
963 | @node Basic syntax, Classes, The configuration file, The configuration file |
964 | @subsection Basic configuration file syntax |
965 | |
966 | The configuration file consists of a sequence of statements, each terminated |
967 | by a semicolon. |
968 | |
969 | Comments begin with a @samp{#} character, and continue to the end of the |
970 | line. This is the only time newlines behave specially: newlines behave just |
971 | like any other whitespace characters within statements. |
972 | |
973 | Strings are enclosed in double-quote characters (@samp{"}). Within a string, |
974 | a backslash causes the following character to be treated literally, whatever |
975 | it may be (including quotes, backslashes and newlines). |
976 | |
977 | Names begin with an alphabetic character or an underscore, and consist of |
978 | letters, digits and underscores. |
979 | |
980 | In general, ... |
981 | |
982 | |
983 | |
984 | @node Classes, Predefined classes, Basic syntax, The configuration file |
985 | @subsection Classes |
986 | |
987 | A @dfn{class} in Become is a set of users, hosts or commands. You can define |
988 | and name your own classes using statements of the form: |
989 | |
990 | @example |
991 | user @var{name} = @var{class-expr} ; |
992 | command @var{name} = @var{class-expr} ; |
993 | host @var{name} = @var{class-expr} ; |
994 | @end example |
995 | |
996 | A @var{class-expr} is an expression defining a class. You can build a |
997 | complex class out of simple classes using the operators (in ascending |
998 | precedence order) @samp{,}, @samp{-}, @samp{|} and @samp{&}, which represent |
999 | the set options `union', `subtraction', `union' (again!), and `intersection'. |
1000 | Subexpressions can be parenthesised to override the default precedence. |
1001 | Once a class name has been defined, as shown above, it can be used in |
1002 | subsequent class expressions. |
1003 | |
1004 | A single user may be designated by either a user name (in quotes) or an |
1005 | integer uid. Commands and hosts may be designated by quoted strings which |
1006 | may contain wildcards. Host strings are matched against both numeric (dotted |
1007 | quad) IP addresses and the reverse-resolved hostname. Command strings are |
1008 | matched against the absolute pathname of the command the user wants to |
1009 | execute. |
1010 | |
1011 | |
1012 | |
1013 | @node Predefined classes, Allow statements, Classes, The configuration file |
1014 | @subsection Predefined classes |
1015 | |
1016 | In an attempt to make life a bit easier, Become creates a collection of |
1017 | predefined classes. |
1018 | |
1019 | The standard classes @code{all} and @code{none} match anything and nothing |
1020 | respectively. The @code{all} class is useful in some contexts: it gives you |
1021 | a way of saying `everything except@dots{}', for example: |
1022 | |
1023 | @example |
1024 | user MUNDANES = all - SYSHACKS; |
1025 | @end example |
1026 | |
1027 | @noindent |
1028 | The @code{none} class isn't particularly useful in itself. It's there for |
1029 | completeness. |
1030 | |
1031 | Become also defines some other classes: |
1032 | |
1033 | @itemize @bullet |
1034 | @item |
1035 | For each username @var{user}, Become adds a class called @samp{@var{user}} |
1036 | which matches just that user. |
1037 | |
1038 | @item |
1039 | For each group name @var{group}, Become creates a class called |
1040 | @samp{@var{group}} which matches any user who is a member of that group. |
1041 | |
1042 | @item For each netgroup @var{netgroup}, Become creates two classes: |
1043 | @samp{u_@var{netgroup}} which matches any user listed in the netgroup, and |
1044 | @samp{h_@var{netgroup}} which matches any host listed in the netgroup. |
1045 | @end itemize |
1046 | |
1047 | If a name is used for both a user @emph{and} a group, then corresponding |
1048 | class ends up containing the user together with all of the group members. |
1049 | For this reason, it's probably better to use the predefined classes for |
1050 | groups rather than individual users -- use quoted user names for individual |
1051 | users. |
1052 | |
1053 | Note that users and groups are read using the standard @code{get*ent} calls |
1054 | @emph{and} directly from the NIS server (if there is one). The idea here is |
1055 | that a Become server can be run on a machine which allows restricted logins. |
1056 | It still needs to know about all the users known to the outside world. |
1057 | |
1058 | Netgroups are read only from the NIS servers. In particular, although GNU |
1059 | systems allow netgroup databases to be stored in local files, Become wonn't |
1060 | read them because there's no defined interface for enumerating netgroups. |
1061 | |
1062 | |
1063 | @node Allow statements, Other statements, Predefined classes, The configuration file |
1064 | @subsection Allow statements |
1065 | |
1066 | Defining classes is just a means to an end. The end is to specify which |
1067 | users are allowed to do what, where, and as whom. This is done with an |
1068 | @code{allow} statement: |
1069 | |
1070 | @example |
1071 | allow [[@var{host-class}]] [@var{user-class}] -> [@var{user-class}] [ : @var{command-class}] |
1072 | @end example |
1073 | |
1074 | (The @var{host-class} is optional, but must be enclosed in square brackets if |
1075 | present.) |
1076 | |
1077 | The four classes in an allow statement are called, respectively, the `host', |
1078 | the `to-user', the `from-user' and the `command'. Any of the four classes |
1079 | may be omitted, and an omitted class defaults to `all'. |
1080 | |
1081 | When a request is received, Become checks the fields in the request against |
1082 | the classes in each allow statement of the configuration file. If a |
1083 | statement matches, the request is granted; if there are no full matches, |
1084 | the request is denied. |
1085 | |
1086 | |
1087 | @node Other statements, Example configuration file, Allow statements, The configuration file |
1088 | @subsection Other statements |
1089 | |
1090 | Two other statement types are defined. They only have an effect on Become in |
1091 | daemon mode: |
1092 | |
1093 | @example |
1094 | port @var{port} ; |
1095 | keyfile @var{key-file} ; |
1096 | @end example |
1097 | |
1098 | @noindent |
1099 | The @code{port} statement specifies the port to which the server should |
1100 | listen; the @var{port} may be be an integer or a quoted service name. The |
1101 | @code{keyfile} statement instructs Become to use the key from the file named |
1102 | @var{key-file}, which must be a quoted string. |
1103 | |
1104 | |
1105 | @node Example configuration file, Complete grammar, Other statements, The configuration file |
1106 | @subsection An example configuration file |
1107 | |
1108 | @example |
1109 | # |
1110 | # become.conf |
1111 | # |
1112 | # Example configuration file |
1113 | # |
1114 | |
1115 | allow wheel -> "root"; |
1116 | |
1117 | user NEWS = "fred", "jim"; |
1118 | allow NEWS -> "news"; |
1119 | |
1120 | user HTTP = "jim", "bob"; |
1121 | allow HTTP -> "httpd" : "/bin/kill", "/etc/init.d/httpd"; |
1122 | @end example |
1123 | |
1124 | |
1125 | @node Complete grammar, , Example configuration file, The configuration file |
1126 | @subsection Complete grammar for configuration files |
1127 | |
1128 | @format |
1129 | @var{file} ::= @var{file} @var{statement} |
1130 | |
1131 | @var{statement} ::= @var{class-def} |
1132 | | @var{allow-spec} |
1133 | | @var{port-spec} |
1134 | | @var{key-spec} |
1135 | |
1136 | @var{class-def} ::= @samp{user} @var{name} = @var{class-expr} @samp{;} |
1137 | | @samp{command} @var{name} = @var{class-expr} @samp{;} |
1138 | | @samp{host} @var{name} = @var{class-expr} @samp{;} |
1139 | |
1140 | @var{allow-spec} ::= @samp{allow} @var{opt-host-spec} @var{opt-user-spec} |
1141 | @samp{->} @var{opt-user-spec} @var{opt-command-spec} @samp{;} |
1142 | |
1143 | @var{opt-host-spec} ::= @samp{[} @var{class-expr} @samp{]} |
1144 | | @var{empty} |
1145 | |
1146 | @var{opt-user-spec} ::= @var{class-expr} |
1147 | | @var{empty} |
1148 | |
1149 | @var{opt-command-spec} ::= @samp{:} @var{class-expr} |
1150 | | @var{empty} |
1151 | |
1152 | @var{port-spec} ::= @samp{port} @var{integer} @samp{;} |
1153 | | @samp{port} @var{string} @samp{;} |
1154 | |
1155 | @var{key-spec} ::= @samp{keyfile} @var{string} @samp{;} |
1156 | |
1157 | @var{class-expr} ::= @var{class-diff-expr} |
1158 | | @var{class-expr} @samp{,} @var{class-diff-expr} |
1159 | |
1160 | @var{class-diff-expr} ::= @var{class-isect-expr} |
1161 | | @var{class-diff-expr} @samp{-} @var{class-union-expr} |
1162 | |
1163 | @var{class-union-expr} ::= @var{class-isect-expr} |
1164 | | @var{class-union-expr} @samp{|} @var{class-isect-expr} |
1165 | |
1166 | @var{class-isect-expr} ::= @var{class-primary} |
1167 | | @var{class-isect-expr} @samp{&} @var{class-primary} |
1168 | |
1169 | @var{class-primary} ::= @samp{(} @var{class-expr} @samp{)} |
1170 | | @var{string} |
1171 | | @var{integer} |
1172 | |
1173 | @var{integer} ::= one or more digits (@samp{0}--@samp{9}) |
1174 | |
1175 | @var{name} ::= an alphabetic character or underscore, followed by zero or |
1176 | more alphanumeric characters or underscores |
1177 | |
1178 | @var{string} ::= @samp{"} @var{string-chars} @samp{"} |
1179 | |
1180 | @var{string-chars} ::= @var{string-chars} @var{string-char} |
1181 | | @var{empty} |
1182 | |
1183 | @var{string-char} ::= a @samp{\} followed by any character |
1184 | | any character other than @samp{"}, @samp{\} or newline |
1185 | |
1186 | @var{empty} ::= |
1187 | @end format |
1188 | |
1189 | |
1190 | @node Networked configuration, , The configuration file, Administering Become |
1191 | @section Networked configuration |
1192 | |
1193 | If you're planning to use Become in a standalone way, you can skip this |
1194 | section. |
1195 | |
1196 | @menu |
1197 | * Choosing servers:: Which servers Become tries to talk to |
1198 | * Setting up keys:: How to generate keys for Become |
1199 | * Random number files:: Become keeps random number state around |
1200 | * Issuing a new key:: How to issue new keys without disruption |
1201 | @end menu |
1202 | |
1203 | |
1204 | @node Choosing servers, Setting up keys, Networked configuration, Networked configuration |
1205 | @subsection Choosing servers |
1206 | |
1207 | Become notices that it's meant to send requests to a server if it finds a |
1208 | @file{become.server} file. This file contains entries of the form |
1209 | |
1210 | @example |
1211 | @var{host} [: @var{port}] |
1212 | @end example |
1213 | |
1214 | If the @var{port} is omitted, Become chooses a port by looking at the |
1215 | services database for a service which matches the name by which Become was |
1216 | invoked: normally this will be @samp{become}. |
1217 | |
1218 | Become sends a request to all of the servers and believes the first valid |
1219 | reply it receives. Since servers ignore requests they believe to be invalid, |
1220 | this enables you to change Become's key without disrupting service |
1221 | (@pxref{Issuing a new key}). |
1222 | |
1223 | If you're using NIS, you should try to ensure that Become servers runs only |
1224 | on NIS servers; the NIS master is probably a good choice. |
1225 | |
1226 | Become isn't particularly processor-intensive, and doesn't seem to require |
1227 | very much memory. |
1228 | |
1229 | |
1230 | @node Setting up keys, Random number files, Choosing servers, Networked configuration |
1231 | @subsection Setting up keys |
1232 | |
1233 | Communication between Become clients and the server is encrypted to ensure |
1234 | that it's not feasible to gain unauthorised privilege by subverting the |
1235 | network. Become uses simple symmetric cryptography -- it's not necessary to |
1236 | use complicated public key techniques in this case. |
1237 | |
1238 | Each client machine, and the server, must have a copy of the same key. The |
1239 | key is usually stored in @file{/etc/become/become.key}. Become's keys are |
1240 | 128 bits long. |
1241 | |
1242 | The key file can be generated using the @code{keygen} program, supplied. The |
1243 | command |
1244 | |
1245 | @example |
1246 | keygen --bits=128 --output=/etc/become/become.key |
1247 | @end example |
1248 | |
1249 | @noindent |
1250 | generates a 128-bit key and writes it to @file{/etc/become/become.key} in a |
1251 | format which Become can read. |
1252 | |
1253 | The @code{keygen} program works by measuring the time between keystrokes. It |
1254 | also tries to obtain some randomness from the environment, and mixes all of |
1255 | this noise together before it outputs the key file. |
1256 | |
1257 | Having generated a key, it must be distributed to all of the other hosts |
1258 | which will use this server. The author recommends using the @code{scp} |
1259 | program, distributed with the @code{SSH} (Secure Shell) package, for doing |
1260 | this. |
1261 | |
1262 | Being able to read a key file enables a user to assume root privileges. The |
1263 | author recommends that only the super-user be able to read key files. |
1264 | |
1265 | @menu |
1266 | * Invoking keygen:: How to use the @code{keygen} program |
1267 | @end menu |
1268 | |
1269 | |
1270 | @node Invoking keygen, , Setting up keys, Setting up keys |
1271 | @subsubsection Invoking @code{keygen} |
1272 | |
1273 | @example |
1274 | keygen [@var{option}@dots{}] |
1275 | @end example |
1276 | |
1277 | By default, @code{keygen} generates a 128-bit key, and writes it to standard |
1278 | output in a hexadecimal format. This behaviour can be modified by passing |
1279 | options: |
1280 | |
1281 | @table @code |
1282 | @item -h |
1283 | @itemx --help |
1284 | Write a summary of @code{keygen}'s usage instructions to standard output and |
1285 | exits. |
1286 | |
1287 | @item -b @var{bits} |
1288 | @itemx --bits=@var{bits} |
1289 | Generate a @var{bits}-bit key, instead of the default 128 bits. |
1290 | |
1291 | @item -o @var{file} |
1292 | @itemx --output=@var{file} |
1293 | Write the key to @var{file} instead of standard output. |
1294 | |
1295 | @item -f @var{format} |
1296 | @itemx --format=@var{format} |
1297 | Set the format in which @code{keygen} outputs the generated key. If the |
1298 | @var{format} is @samp{hex} (or @samp{tx}), the key is output in Become's |
1299 | hexadecimal format; @samp{binary} writes the key as a raw binary dump; and |
1300 | @samp{base64} writes the key using the Base64 encoding. |
1301 | @end table |
1302 | |
1303 | |
1304 | |
1305 | @node Random number files, Issuing a new key, Setting up keys, Networked configuration |
1306 | @subsection Random number files |
1307 | |
1308 | Become uses random numbers to generate session keys when it's communicating |
1309 | with a server. When it's finished, it stores the state of its random number |
1310 | generator in a file, usually @code{/etc/become/become.random}. If this file |
1311 | doesn't exist, Become creates it automatically, using noise collected from |
1312 | the environment. It's probably not worth your while creating randomness |
1313 | files by hand. |
1314 | |
1315 | |
1316 | @node Issuing a new key, , Random number files, Networked configuration |
1317 | @subsection Issuing a new key |
1318 | |
1319 | When you're sending out a new key, you run a risk of disrupting service. The |
1320 | server reads a new key; the clients still have the old one. |
1321 | |
1322 | The author's recommendation is to run two servers. Update the key on one. |
1323 | Then send the new key to all of the clients. Finally, update the key on the |
1324 | other server. Because of the way Become works, a client will always get a |
1325 | response from one of the servers, depending on whether the new key has |
1326 | reached it yet. |
1327 | |
1328 | A similar method is handy if Become's protocol ever changes. (This is quite |
1329 | likely at the moment. The current protocol doesn't include any version |
1330 | information, and the MAC isn't as good as it could be.) |
1331 | |
1332 | |
1333 | @c -------------------------------------------------------------------------- |
1334 | @node Invoking Become, , Administering Become, Top |
1335 | @chapter Invoking Become |
1336 | |
1337 | |
1338 | This chapter provides an exhaustive description of Become's command line |
1339 | options, organised in a reference-manual sort of way. |
1340 | |
1341 | @menu |
1342 | * Becoming another user:: Options for becoming another user |
1343 | * Starting Become daemons:: Options for starting Become daemons |
1344 | * Debugging options:: Options to use when Become goes wrong |
1345 | @end menu |
1346 | |
1347 | |
1348 | |
1349 | @node Becoming another user, Starting Become daemons, Invoking Become, Invoking Become |
1350 | @section Becoming another user |
1351 | |
1352 | @subsection Synopsis |
1353 | |
1354 | @example |
1355 | become [@var{option}@dots{}] [@var{env-var}@dots{}] @var{user} [@var{command} [@var{argument}@dots{}]] |
1356 | @end example |
1357 | |
1358 | Actually, you can put the @var{option}s, @var{env-var}s and @var{user} in any |
1359 | order you like; the important thing is that all of them appear before the |
1360 | command, if any. |
1361 | |
1362 | |
1363 | @subsection Usage |
1364 | |
1365 | The @var{option}s appropriate for this mode are as follows: |
1366 | |
1367 | @table @code |
1368 | @item -h |
1369 | @itemx --help |
1370 | Display a (fairly verbose) help message describing the various command line |
1371 | options and exits successfully. |
1372 | |
1373 | @item -u |
1374 | @itemx --usage |
1375 | Display a terse summary of the command line options and exits successfully. |
1376 | |
1377 | @item -v |
1378 | @itemx |
1379 | Display's Become's version number and exits successfully. |
1380 | |
1381 | @item -e |
1382 | @item --preserve-environment |
1383 | Selects the `preserve' login style (@pxref{The preserve style}). All |
1384 | environment variables are preserved. The default command is the current |
1385 | user's own shell. The default primary group becomes the current primary |
1386 | group; the default group style is set to `merge'. |
1387 | |
1388 | @item -s |
1389 | @itemx --su |
1390 | @itemx --set-user |
1391 | Selects the `set-user' login style (@pxref{The set-user style}). Most |
1392 | environment variables are preserved, but @code{USER}, @code{LOGNAME}, |
1393 | @code{HOME} and other user-specific variables are altered to reflect the |
1394 | target user's configuration. The default command is the target user's shell. |
1395 | The default primary group becomes the target user's primary group; the |
1396 | default group style is set to `merge'. |
1397 | |
1398 | @item -l |
1399 | @itemx --login |
1400 | Selects the `login' login style (@pxref{The login style}). The environment |
1401 | is cleared and rebuilt, in a similar way to the behaviour of @code{login}. |
1402 | The default command is the target user's shell. The default primary group |
1403 | becomes the target user's primary group; the default group style is set to |
1404 | `replace'. |
1405 | |
1406 | @item -g @var{group} |
1407 | @itemx --group=@var{group} |
1408 | Selects @var{group} as the primary group; it may be either a group name or a |
1409 | numeric group id. Note that @var{group} must be the primary group or |
1410 | a subsidiary group of either the current user or the target user. |
1411 | |
1412 | @item -k |
1413 | @itemx --keep-groups |
1414 | Selects the `keep' group style (@pxref{Subsidiary groups}). The current set |
1415 | of subsidiary group memberships are passed on unchanged. |
1416 | |
1417 | @item -m |
1418 | @itemx --merge-groups |
1419 | Selects the `merge' group style (@pxref{Subsidiary groups}). The current set |
1420 | of subsidiary group memberships are merged with the subsidiary groups of the |
1421 | target user. |
1422 | |
1423 | @item -r |
1424 | @itemx --replace-groups |
1425 | Selects the `replace' group style (@pxref{Subsidiary groups}). The target |
1426 | user's subsidiary group memberships are passed on; the current subsidiary |
1427 | groups are discarded. |
1428 | |
1429 | @item -c @var{shell-cmd} |
1430 | @itemx --command=@var{shell-cmd} |
1431 | Sets the @var{command} and @var{argument}s to invoke |
1432 | @code{/bin/sh -c @var{shell-cmd}}; i.e., to execute a Bourne shell command |
1433 | instead of just @code{exec}ing a program. Note that permissions are checked |
1434 | for executing the Bourne shell @code{/bin/sh}; the contents of the |
1435 | @var{shell-cmd} are not inspected. |
1436 | @end table |
1437 | |
1438 | The @var{env-var} arguments fine-tune the environment passed to the command. |
1439 | Each @var{env-var} setting must be one of the following: |
1440 | |
1441 | @table @code |
1442 | @item @var{var}=@var{value} |
1443 | Assign the variable named @var{var} the value @var{value}. Protect the |
1444 | variable @var{var} from modifications by the login style. |
1445 | |
1446 | @item @var{var}! |
1447 | Protect the variable @var{var} from modifications by the login style, but |
1448 | don't change its value. |
1449 | |
1450 | @item @var{var}- |
1451 | Remove the variable @var{var} from the environment; do not pass it on. |
1452 | @end table |
1453 | |
1454 | The @var{user} specifies the user as whom the @var{command} should be |
1455 | executed (i.e., the @dfn{target user}). It may be a user name or a numeric |
1456 | user id. |
1457 | |
1458 | The @var{command} specifies a command to execute. If @var{command} does not |
1459 | contain a path, it is looked for using the current @code{PATH} environment |
1460 | variable. The resulting pathname is canonified if necessary, to produce an |
1461 | absolute pathname. Note that symbolic links are @emph{not} resolved -- this |
1462 | prevents an attack whereby a user could invoke a program, passing it an |
1463 | unusual @code{argv[0]} which might cause unusual behaviour. |
1464 | |
1465 | The @var{command} name is used both as the command to execute and passed to |
1466 | the command as @code{argv[0]}. It is not possible to specify an alternative |
1467 | calue to be passed as @code{argv[0]}. Subsequent arguments, if supplied, are |
1468 | passed as @code{argv[1]} upwards. |
1469 | |
1470 | If no @var{command} is given, a shell is invoked; the particulars of the |
1471 | shell are determined by the login style (see above). |
1472 | |
1473 | The @var{command} is executed as follows: |
1474 | |
1475 | @itemize @bullet |
1476 | @item |
1477 | The subsidiary groups are chosen as determined by the group style. |
1478 | @item |
1479 | The real and effective gids are set. |
1480 | @item |
1481 | The real and effective uids are set. |
1482 | @item |
1483 | The @var{command} is called using the standard @code{execve} system call. |
1484 | @end itemize |
1485 | |
1486 | |
1487 | |
1488 | @node Starting Become daemons, Debugging options, Becoming another user, Invoking Become |
1489 | @section Starting Become daemons |
1490 | |
1491 | @subsection Synopsis |
1492 | |
1493 | @example |
1494 | become --daemon [@var{option}@dots{}] |
1495 | @end example |
1496 | |
1497 | |
1498 | @subsection Usage |
1499 | |
1500 | The following options are appropriate to this mode: |
1501 | |
1502 | @table @code |
1503 | @item -h |
1504 | @itemx --help |
1505 | Display a (fairly verbose) help message describing the various command line |
1506 | options and exits successfully. |
1507 | |
1508 | @item -u |
1509 | @itemx --usage |
1510 | Display a terse summary of the command line options and exits successfully. |
1511 | |
1512 | @item -v |
1513 | @itemx |
1514 | Display's Become's version number and exits successfully. |
1515 | |
1516 | @item -d |
1517 | @itemx --daemon |
1518 | Start a Become server, instead of processing a request. Become will read its |
1519 | command line options, read in the configuration file (and verify that it's |
1520 | correct) and then fork into the background to wait for incoming requests. |
1521 | Become relinquishes all setuid privileges (by setting all uids to the real |
1522 | uid) when it enters daemon mode. It is therefore only really useful to run a |
1523 | daemon as the superuser. |
1524 | |
1525 | @item -p @var{port} |
1526 | @itemx --port=@var{port} |
1527 | Listen for requests on @var{port}. This option is overridden by the |
1528 | @code{port} option in the configuration file. |
1529 | |
1530 | @item -f @var{file} |
1531 | @itemx --config-file=@var{file} |
1532 | Read configuration from @var{file}, instead of the default (usually |
1533 | @file{/etc/become/become.conf}). |
1534 | @end table |
1535 | |
1536 | The syntax of the configuration file is described in @ref{The configuration |
1537 | file}. |
1538 | |
1539 | |
1540 | @node Debugging options, , Starting Become daemons, Invoking Become |
1541 | @section Debugging options |
1542 | |
1543 | Some options are only useful when trying to find out why Become is |
1544 | misbehaving. Of course, this never happens, so here are the options which |
1545 | you won't need to use: |
1546 | |
1547 | @table @code |
1548 | @item -T[@var{file}] |
1549 | @itemx --trace[=@var{file}] |
1550 | Write trace information to @var{file} (or to standard output, if no |
1551 | @var{file} is specified). You must be able to create the file and open it |
1552 | for writing. |
1553 | |
1554 | @item -L[@var{feature}...] |
1555 | @itemx --trace-level[=@var{feature}] |
1556 | Selects which features Become ought to trace. Each feature is allocated a |
1557 | letter; simply string together the letters for the features you want to |
1558 | debug. The letters @samp{D} and @samp{A} stand respectively for `default' |
1559 | and `all' features; you can subtract from them by saying, for example, |
1560 | @samp{A-xyz} to select all features except @samp{x}, @samp{y} and @samp{z}. |
1561 | The exact list of features supported at any one time can be listed by giving |
1562 | the @code{--trace-level} option without an argument. |
1563 | |
1564 | @item -I @var{user} |
1565 | @itemx --impersonate=@var{user} |
1566 | Pretend to be @var{user} instead of yourself when the request is checked. |
1567 | This option can only be used if it wasn't disabled at compile-time and if |
1568 | Become is not running setuid. Even so, Become will only inform you of the |
1569 | outcome; it will not execute any commands. |
1570 | @end table |
1571 | |
1572 | |
1573 | |
1574 | @c -------------------------------------------------------------------------- |
1575 | |
1576 | @c --- No index yet --- |
1577 | @c |
1578 | @c @node Concept index, , Invoking Become, Top |
1579 | @c @unnumbered Concept index |
1580 | @c @printindex cp |
1581 | @c |
1582 | @c @contents |
1583 | |
1584 | @bye |
1585 | |
1586 | @c ----- That's all, folks -------------------------------------------------- |