NAME

ksu - Kerberized super-user
SYNOPSIS

ksu [ target_user ] [ -n target_principal_name ] [ -c source_cache_name ] [ -k ] [ -r time ] [ -pf ] [ -l lifetime ] [ -z | Z ] [ -q ] [ -e command [ args ... ] ] [ -a [ args ... ] ]
REQUIREMENTS

Must have Kerberos version 5 installed to compile ksu. Must have a Kerberos version 5 server running to use ksu.
DESCRIPTION

ksu is a Kerberized version of the su program that has two missions: one is to securely change the real and effective user ID to that of the target user, and the other is to create a new security context.
For the sake of clarity, all references to and attributes of the user invoking the program will start with "source" (e.g., "source user", "source cache", etc.). Likewise, all references to and attributes of the target account will start with "target".
AUTHENTICATION

To fulfill the first mission, ksu operates in two phases: authentication and authorization. Resolving the target principal name is the first step in authentication. The user can either specify his principal name with the -n option (e.g., -n jqpublic@USC.EDU) or a default principal name will be assigned using a heuristic described in the OPTIONS section (see -n option). The target user name must be the first argument to ksu; if not specified root is the default. If . is specified then the target user will be the source user (e.g., ksu .). If the source user is root or the target user is the source user, no authentication or authorization takes place. Otherwise, ksu looks for an appropriate Kerberos ticket in the source cache.
AUTHORIZATION

This section describes authorization of the source user when ksu is invoked without the -e option. For a description of the -e option, see the OPTIONS section.
    jqpublic@USC.EDU
    jqpublic/secure@USC.EDU
    jqpublic/admin@USC.EDU
EXECUTION OF THE TARGET SHELL

Upon successful authentication and authorization, ksu proceeds in a similar fashion to su. The environment is unmodified with the exception of USER, HOME and SHELL variables. If the target user is not root, USER gets set to the target user name. Otherwise USER remains unchanged. Both HOME and SHELL are set to the target login's default values. In addition, the environment variable KRB5CCNAME gets set to the name of the target cache. The real and effective user ID are changed to that of the target user. The target user's shell is then invoked (the shell name is specified in the password file). Upon termination of the shell, ksu deletes the target cache (unless ksu is invoked with the -k option). This is implemented by first doing a fork and then an exec, instead of just exec, as done by su.
CREATING A NEW SECURITY CONTEXT

ksu can be used to create a new security context for the target program (either the target shell, or command specified via the -e option). The target program inherits a set of credentials from the source user. By default, this set includes all of the credentials in the source cache plus any additional credentials obtained during authentication. The source user is able to limit the credentials in this set by using the -z or -Z option. -z restricts the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. The -Z option provides the target user with a fresh target cache (no creds in the cache). Note that for security reasons, when the source user is root and target user is non-root, the -z option is the default mode of operation.
During authentication, only the tickets that could be obtained without providing a password are cached in the source cache.
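How the default, -z and -Z modes decide what lands in the target cache, as a small model added here for illustration (not code from ksu itself). The Ticket type, the function name and the service principals in the sample cache are constructed; the source tickets are assumed to already include any credentials obtained during authentication.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    client: str  # principal the ticket was issued to
    server: str  # service the ticket is for


def target_cache_tickets(source_tickets, target_principal,
                         source_uid, target_uid, z=False, Z=False):
    """Model of which tickets ksu copies into the target cache.

    Illustrative only: names and structure are assumptions, not ksu's code.
    """
    if z and Z:
        raise ValueError("-z and -Z are mutually exclusive")
    if Z:
        # Fresh target cache: nothing is copied.
        return []
    if source_uid == 0 and target_uid != 0:
        # root -> non-root: -z is the default mode of operation.
        z = True
    if z:
        # Copy only tickets whose client is the target principal.
        return [t for t in source_tickets if t.client == target_principal]
    # Default: the target program inherits every credential.
    return list(source_tickets)


# Constructed sample source cache (service names are made up).
SAMPLE_CACHE = [
    Ticket("jqpublic@USC.EDU", "krbtgt/USC.EDU@USC.EDU"),
    Ticket("jqpublic@USC.EDU", "host/files.example@USC.EDU"),
    Ticket("jqpublic/admin@USC.EDU", "krbtgt/USC.EDU@USC.EDU"),
]

if __name__ == "__main__":
    target = "jqpublic/admin@USC.EDU"
    for label, kw in [("default", {}), ("-z", {"z": True}), ("-Z", {"Z": True})]:
        kept = target_cache_tickets(SAMPLE_CACHE, target, 1000, 1001, **kw)
        print(f"{label:8} -> {[t.server for t in kept]}")
    # root invoking ksu for a non-root target behaves like -z with no flag given
    kept = target_cache_tickets(SAMPLE_CACHE, target, 0, 1001)
    print(f"root     -> {[t.server for t in kept]}")
```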
- -n target_principal_name
- Specify a Kerberos target principal name. Used in authentication and authorization phases of ksu.
- Case 1: source user is non-root.
- default principal of the source cache
- Case 2: source user is root.
- -c source_cache_name
- Specify source cache name (e.g., -c FILE:/tmp/my_cache). If the -c option is not used then the name is obtained from the KRB5CCNAME environment variable. If KRB5CCNAME is not defined the source cache name is set to krb5cc_<source uid>. The target cache name is automatically set to krb5cc_<target uid>.(gen_sym()), where gen_sym generates a new number such that the resulting cache does not already exist. For example:
- -k
- Do not delete the target cache upon termination of the target shell or a command (-e command). Without -k, ksu deletes the target cache.
- -z
- Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. Use the -n option if you want the tickets for other than the default principal. Note that the -z option is mutually exclusive with the -Z option.
- -Z
- Don't copy any tickets from the source cache to the target cache. Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name. Note that the -Z option is mutually exclusive with the -z option.
- -q
- Suppress the printing of status messages.
- -l lifetime -r time -pf
- The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate the source user. In this case, if ksu is configured to prompt users for a Kerberos password (GET_TGT_VIA_PASSWD is defined), the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos server.
- -l lifetime
- (duration string.) Specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime (12 hours) is used instead.
- -r time
- (duration string.) Specifies that the renewable option should be requested for the ticket, and specifies the desired total lifetime of the ticket.
- -p
- Specifies that the proxiable option should be requested for the ticket.
- -f
- Specifies that the forwardable option should be requested for the ticket.
- -e command [args ...]
- ksu proceeds exactly the same as if it was invoked without the -e option, except instead of executing the target shell, ksu executes the specified command. Example of usage:
ksu bob -e ls -lag
    jqpublic@USC.EDU ls mail /local/kerberos/klist
    jqpublic/secure@USC.EDU *
    jqpublic/admin@USC.EDU
- -a args
- Specify arguments to be passed to the target shell. Note that all flags and parameters following -a will be passed to the shell, thus all options intended for ksu must precede -a.
-a -c [command [arguments]].
INSTALLATION INSTRUCTIONS

ksu can be compiled with the following four flags:
- In case no appropriate tickets are found in the source cache, the user will be prompted for a Kerberos password. The password is then used to get a ticket granting ticket from the Kerberos server. The danger of configuring ksu with this macro is if the source user is logged in remotely and does not have a secure channel, the password may get exposed.
- During the resolution of the default principal name, PRINC_LOOK_AHEAD enables ksu to find principal names in the .k5users file as described in the OPTIONS section (see -n option).
- Specifies a list of directories containing programs that users are authorized to execute (via .k5users file).
- If the source user is non-root, ksu insists that the target user's shell to be invoked is a "legal shell". getusershell(3) is called to obtain the names of "legal shells". Note that the target user's shell is obtained from the passwd file.
KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"'
SIDE EFFECTS

ksu deletes all expired tickets from the source cache.
AUTHOR OF KSU

GENNADY (ARI) MEDVINSKY