1KSU(1)                      General Commands Manual                     KSU(1)
2
3
4

NAME

6       ksu - Kerberized super-user
7

SYNOPSIS

9       ksu [ target_user ] [ -n target_principal_name ] [ -c source_cache_name
10       ] [ -k ] [ -D ] [ -r time ] [ -pf ] [ -l lifetime ] [ -zZ ] [ -q ] [ -e
11       command [ args ...  ] ] [ -a [ args ...  ] ]
12

REQUIREMENTS

14       Must  have  Kerberos  version  5 installed to compile ksu.  Must have a
15       Kerberos version 5 server running to use ksu.
16

DESCRIPTION

18       ksu is a Kerberized version of the su program that  has  two  missions:
19       one is to securely change the real and effective user ID to that of the
20       target user, and the other is to create a new  security  context.   For
21       the  sake  of  clarity,  all  references  to and attributes of the user
22       invoking the program will  start  with  'source'  (e.g.   source  user,
23       source cache, etc.).  Likewise, all references to and attributes of the
24       target account will start with 'target'.
25

AUTHENTICATION

27       To fulfill the first mission, ksu operates in two  phases:  authentica‐
28       tion  and  authorization.   Resolving  the target principal name is the
29       first step in authentication.  The user can either specify his  princi‐
30       pal  name  with  the -n option (e.g.  -n jqpublic@USC.EDU) or a default
31       principal name will be assigned using  a  heuristic  described  in  the
32       OPTIONS  section  (see  -n  option).   The target user name must be the
33       first argument to ksu; if not specified root is the default.  If '.' is
34       specified  then  the  target user will be the source user (e.g. ksu .).
35       If the source user is root or the target user is the  source  user,  no
36       authentication  or authorization takes place.  Otherwise, ksu looks for
37       an appropriate Kerberos ticket in the source cache.
38
39       The ticket can either be for the end-server or a ticket granting ticket
40       (TGT)  for  the  target  principal's realm.  If the ticket for the end-
41       server is already in the cache, it's decrypted and verified.   If  it's
42       not  in  the cache but the TGT is, the TGT is used to obtain the ticket
43       for the end-server.   The end-server ticket is then verified.  If  nei‐
44       ther   ticket   is   in  the  cache,  but  ksu  is  compiled  with  the
45       GET_TGT_VIA_PASSWD define, the user will be  prompted  for  a  Kerberos
46       password  which  will then be used to get a TGT.  If the user is logged
47       in remotely and does not have a secure channel,  the  password  may  be
48       exposed.   If  neither ticket is in the cache and GET_TGT_VIA_PASSWD is
49       not defined, authentication fails.
50

AUTHORIZATION

52       This section describes authorization of the source  user  when  ksu  is
53       invoked without the -e option.  For a description of the -e option, see
54       the OPTIONS section.
55
56       Upon successful authentication, ksu checks whether the target principal
57       is  authorized to access the target account.  In the target user's home
58       directory, ksu attempts to access two authorization files: .k5login and
59       .k5users.   In the .k5login file each line contains the name of a prin‐
60       cipal that is authorized to access the account.
61
62       For example:
63                   jqpublic@USC.EDU
64                   jqpublic/secure@USC.EDU
65                   jqpublic/admin@USC.EDU
66
67       The format of .k5users is the same, except the principal  name  may  be
68       followed by a list of commands that the principal is authorized to exe‐
69       cute. (see the -e option in the OPTIONS section for details).
70
71       Thus if the target principal name is found in  the  .k5login  file  the
72       source  user  is authorized to access the target account. Otherwise ksu
73       looks in the .k5users file.  If the  target  principal  name  is  found
74       without  any  trailing commands or followed only by '*' then the source
75       user is authorized.  If either .k5login or .k5users exist but an appro‐
76       priate  entry  for  the  target principal does not exist then access is
77       denied. If neither file exists  then  the  principal  will  be  granted
78       access  to the account according to the aname->lname mapping rules (see
79       krb5_anadd(8) for more details).  Otherwise, authorization fails.
80

EXECUTION OF THE TARGET SHELL

82       Upon successful authentication and authorization,  ksu  proceeds  in  a
83       similar  fashion  to su.  The environment is unmodified with the excep‐
84       tion of USER, HOME and SHELL variables.  If  the  target  user  is  not
85       root,  USER  gets  set  to the target user name. Otherwise USER remains
86       unchanged. Both HOME and SHELL are set to the  target  login's  default
87       values.   In  addition, the environment variable KRB5CCNAME gets set to
88       the name of the target cache.  The  real  and  effective  user  ID  are
89       changed  to  that  of the target user.  The target user's shell is then
90       invoked (the shell name is specified in the password file).  Upon  ter‐
91       mination  of  the  shell,  ksu  deletes the target cache (unless ksu is
92       invoked with the -k option).  This is implemented by first doing a fork
93       and then an exec, instead of just exec, as done by su.
94

CREATING A NEW SECURITY CONTEXT

96       Ksu can be used to create a new security context for the target program
97       (either the target shell, or command specified via the -e option).  The
98       target  program inherits a set of credentials from the source user.  By
99       default, this set includes all of the credentials in the  source  cache
100       plus  any  additional  credentials obtained during authentication.  The
101       source user is able to limit the credentials in this set by using -z or
102       -Z  option.   -z restricts the copy of tickets from the source cache to
103       the target cache to only the tickets where client == the target princi‐
104       pal  name.   The -Z option provides the target user with a fresh target
105       cache (no creds in the cache). Note that for security reasons, when the
106       source  user  is  root  and  target  user is non-root, -z option is the
107       default mode of operation.
108
109       While no authentication takes place if the source user is  root  or  is
110       the  same  as the target user, additional tickets can still be obtained
111       for the target cache.  If -n is specified and  no  credentials  can  be
112       copied  to  the  target cache,  the  source user is prompted for a Ker‐
113       beros password (unless -Z  specified  or  GET_TGT_VIA_PASSWD  is  unde‐
114       fined). If successful,  a  TGT is obtained from the Kerberos server and
115       stored in the target cache.  Otherwise, if a password is  not  provided
116       (user hit return) ksu continues  in  a normal  mode  of  operation (the
117       target cache will not contain the desired TGT).  If the wrong  password
118       is typed in, ksu fails.
119
120       Side  Note:  during  authentication,  only  the  tickets  that could be
121       obtained without providing a password  are  cached  in  in  the  source
122       cache.
123

OPTIONS

125       -n target_principal_name
126                 Specify  a Kerberos target principal name.  Used in authenti‐
127                 cation and authorization phases of ksu.
128
129                 If ksu is invoked without -n, a  default  principal  name  is
130                 assigned via the following heuristic:
131
132                 Case 1: source user is non-root.
133                 If  the  target user is the source user the default principal
134                 name is set to the default principal of the source cache.  If
135                 the  cache  does not exist then the default principal name is
136                 set to target_user@local_realm.  If  the  source  and  target
137                 users  are  different  and  neither ~target_user/.k5users nor
138                 ~target_user/.k5login exist then the default  principal  name
139                 is  target_user_login_name@local_realm.  Otherwise,  starting
140                 with the first principal listed  below,  ksu  checks  if  the
141                 principal  is  authorized  to   access the target account and
142                 whether there is a legitimate ticket for  that  principal  in
143                 the  source  cache. If both conditions are met that principal
144                 becomes the default target principal,  otherwise  go  to  the
145                 next principal.
146
147                 a) default principal of the source cache
148                 b) target_user@local_realm
149                 c) source_user@local_realm
150
151                 If a-c fails try any principal for which there is a ticket in
152                 the source cache and that is authorized to access the  target
153                 account.   If  that  fails select the first principal that is
154                 authorized to access the target account from the above  list.
155                 If   none   are   authorized   and  ksu  is  configured  with
156                 PRINC_LOOK_AHEAD turned on, select the default  principal  as
157                 follows:
158
159                 For  each  candidate  in the above list, select an authorized
160                 principal that has the same realm name and first part of  the
161                 principal  name  equal  to  the prefix of the candidate.  For
162                 example  if  candidate  a)  is  jqpublic@ISI.EDU  and  jqpub‐
163                 lic/secure@ISI.EDU is authorized to access the target account
164                 then the default principal is set to jqpublic/secure@ISI.EDU.
165
166                 Case 2: source user is root.
167                 If the target user is non-root  then  the  default  principal
168                 name  is  target_user@local_realm.  Else, if the source cache
169                 exists the default principal name is set to the default prin‐
170                 cipal  of  the  source  cache.  If  the source cache does not
171                 exist, default principal name is set to root@local_realm.
172
173       -c source_cache_name
174                 Specify source cache name (e.g.  -c FILE:/tmp/my_cache).   If
175                 -c  option  is  not  used  then  the  name  is  obtained from
176                 KRB5CCNAME  environment  variable.   If  KRB5CCNAME  is   not
177                 defined  the source cache name is set to krb5cc_<source uid>.
178                 The target cache name is automatically set to  krb5cc_<target
179                 uid>.(gen_sym()),  where  gen_sym generates a new number such
180                 that the resulting cache does not already exist.
181                 For example: krb5cc_1984.2
182
183       -k        Do not delete the target cache upon termination of the target
184                 shell  or  a  command ( -e command).  Without -k, ksu deletes
185                 the target cache.
186
187       -D        turn on debug mode.
188
189       Ticket granting ticket options: -l lifetime -r time -pf
190                 The ticket granting ticket options only  apply  to  the  case
191                 where  there  are  no  appropriate  tickets  in  the cache to
192                 authenticate the source user. In this case if ksu is  config‐
193                 ured    to    prompt    users   for   a   Kerberos   password
194                 (GET_TGT_VIA_PASSWD is defined), the ticket  granting  ticket
195                 options that are specified will be used when getting a ticket
196                 granting ticket from the Kerberos server.
197
198       -l lifetime
199                 option specifies the lifetime to be requested for the ticket;
200                 if this option is not specified, the  default ticket lifetime
201                 (configured by each site) is used instead.
202
203       -r time   option  specifies  that  the   RENEWABLE   option  should  be
204                 requested  for  the  ticket,  and specifies the desired total
205                 lifetime of the ticket.
206
207       -p        option  specifies  that  the  PROXIABLE  option  should    be
208                 requested for the ticket.
209
210       -f        option  specifies  that  the  FORWARDABLE   option  should be
211                 requested for the ticket.
212
213       -z        restrict the copy of tickets from the  source  cache  to  the
214                 target  cache  to only the tickets where client == the target
215                 principal name. Use the -n option if you want the tickets for
216                 other  then the default principal. Note that the -z option is
217                 mutually exclusive with the -Z option.
218
219       -Z        Don't copy any tickets from the source cache  to  the  target
220                 cache.  Just  create  a fresh target cache, where the default
221                 principal name of the cache  is  initialized  to  the  target
222                 principal  name.   Note  that -Z option is mutually exclusive
223                 with the -z option.
224
225       -q        suppress the printing of status messages.
226
227       -e command [args ...]
228                 ksu proceeds exactly the same as if it  was  invoked  without
229                 the  -e option, except instead of executing the target shell,
230                 ksu executes the specified command (Example of usage: ksu bob
231                 -e ls -lag).
232
233                 The authorization algorithm for -e is as follows:
234
235                 If  the source user is root or source user == target user, no
236                 authorization takes place and the command  is  executed.   If
237                 source  user id != 0, and ~target_user/.k5users file does not
238                 exist, authorization fails.  Otherwise, ~target_user/.k5users
239                 file  must  have an appropriate entry for target principal to
240                 get authorized.
241
242                 The .k5users file format:
243
244                 A single principal entry on each line that may be followed by
245                 a  list  of commands that the principal is authorized to exe‐
246                 cute.  A principal name followed by a '*' means that the user
247                 is  authorized to execute any command. Thus, in the following
248                 example:
249
250                 jqpublic@USC.EDU ls mail /local/kerberos/klist
251                 jqpublic/secure@USC.EDU *
252                 jqpublic/admin@USC.EDU
253
254                 jqpublic@USC.EDU is only authorized to execute ls,  mail  and
255                 klist commands. jqpublic/secure@USC.EDU is authorized to exe‐
256                 cute any command. jqpublic/admin@USC.EDU is not authorized to
257                 execute  any  command.   Note, that jqpublic/admin@USC.EDU is
258                 authorized to execute the target shell (regular ksu,  without
259                 the -e option) but jqpublic@USC.EDU is not.
260
261                 The commands listed after the principal name must be either a
262                 full path names or just the  program  name.   In  the  second
263                 case, CMD_PATH specifying the location of authorized programs
264                 must be defined at the compilation time of ksu.
265
266                 Which command gets executed ?
267
268                 If the source user is root or the target user is  the  source
269                 user  or  the  user is authorized to execute any command ('*'
270                 entry) then command can be either a full or a  relative  path
271                 leading  to  the  target  program.   Otherwise, the user must
272                 specify either a full path or just the program name.
273
274       -a args   specify arguments to be passed to the  target  shell.   Note:
275                 that  all flags and parameters following -a will be passed to
276                 the shell, thus all options intended for ksu must precede -a.
277                 The  -a  option can be used to simulate the -e option if used
278                 as follows: -a -c [command [arguments]].  -c  is  interpreted
279                 by the c-shell to execute the command.
280

INSTALLATION INSTRUCTIONS

282       ksu can be compiled with the following 4 flags (see the Imakefile):
283
284       GET_TGT_VIA_PASSWD
285                 in case no appropriate tickets are found in the source cache,
286                 the user will be prompted for a Kerberos password.  The pass‐
287                 word  is  then  used to get a ticket granting ticket from the
288                 Kerberos server.  The danger of  configuring  ksu  with  this
289                 macro  is  if  the source user is logged in remotely and does
290                 not have a secure channel, the password may get exposed.
291
292       PRINC_LOOK_AHEAD
293                 during  the  resolution  of  the  default   principal   name,
294                 PRINC_LOOK_AHEAD  enables  ksu to find principal names in the
295                 .k5users file as described in the  OPTIONS  section  (see  -n
296                 option).
297
298       CMD_PATH  specifies  a  list  of  directories  containing programs that
299                 users are authorized to execute (via .k5users file).
300
301       HAS_GETUSERSHELL
302                 If the source user is non-root, ksu insists that  the  target
303                 user's  shell  to  be  invoked  is  a "legal shell". getuser‐
304                 shell(3) is called to obtain the  names  of  "legal  shells".
305                 Note that the target user's shell is obtained from the passwd
306                 file.
307
308       SAMPLE CONFIGURATION:
309                 KSU_OPTS    =     -DGET_TGT_VIA_PASSWD     -DPRINC_LOOK_AHEAD
310                 -DCMD_PATH='"/bin /usr/ucb /local/bin"
311
312       PERMISSIONS FOR KSU
313                 ksu  should  be  owned  by root and have the set user id  bit
314                 turned on.
315
316       END-SERVER ENTRY
317
318                 ksu attempts to get a ticket for the end server just as  Ker‐
319                 berized  telnet and rlogin.  Thus, there must be an entry for
320                 the    server    in    the    Kerberos     database     (e.g.
321                 host/nii.isi.edu@ISI.EDU).   The  keytab  file  must be in an
322                 appropriate location.
323
324

SIDE EFFECTS

326       ksu deletes all expired tickets from the source cache.
327

AUTHOR OF KSU: GENNADY (ARI) MEDVINSKY

329                                                                        KSU(1)
Impressum