From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: mtk.manpages@gmail.com, Karel Zak <kzak@redhat.com>
Cc: util-linux@vger.kernel.org
Subject: [PATCH 1/3] Manual pages: runuser.1: Various wording and formatting fixes
Date: Fri, 12 Jun 2020 13:19:31 +0200
Message-ID: <20200612111933.3043314-1-mtk.manpages@gmail.com>
Most of this is pretty straightforward English language fix-ups
and formatting fix-ups, so I've rolled it into one patch.
Signed-off-by: Michael Kerrisk (man-pages) <mtk.manpages@gmail.com>
---
login-utils/runuser.1 | 70 +++++++++++++++++++++----------------------
1 file changed, 35 insertions(+), 35 deletions(-)
diff --git a/login-utils/runuser.1 b/login-utils/runuser.1
index 7bcbbde12..8d38dd7de 100644
--- a/login-utils/runuser.1
+++ b/login-utils/runuser.1
@@ -10,7 +10,7 @@ runuser \- run a command with substitute user and group ID
.RI [ user " [" argument "...]]"
.SH DESCRIPTION
.B runuser
-allows to run commands with a substitute user and group ID.
+can be used to to run commands with a substitute user and group ID.
If the option \fB\-u\fR is not given, it falls back to
.BR su -compatible
semantics and a shell is executed.
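Review bot: The added DESCRIPTION line has a doubled word, "can be used to to run commands". Drop one "to" so it reads "can be used to run commands with a substitute user and group ID."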
@@ -26,7 +26,8 @@ The command
.B runuser
does not have to be installed with set-user-ID permissions.
.PP
-If the PAM session is not required then recommended solution is to use
+If the PAM session is not required,
+then the recommended solution is to use the
.BR setpriv (1)
command.
.PP
@@ -37,7 +38,7 @@ defaults to running an interactive shell as
.PP
For backward compatibility,
.B runuser
-defaults to not change the current directory and to only set the
+defaults to not changing the current directory and to setting only the
environment variables
.B HOME
and
@@ -55,8 +56,10 @@ uses PAM for session management.
.PP
Note that
.B runuser
-in all cases use PAM (pam_getenvlist()) to do final environment modification. The command line options
-like \fB\-\-login\fR or \fB\-\-preserve\-environment\fR affect environment before it's modified by PAM.
+in all cases use PAM (pam_getenvlist()) to do final environment modification.
+Command-line options
+such as \fB\-\-login\fR or \fB\-\-preserve\-environment\fR affect
+the environment before it is modified by PAM.
.SH OPTIONS
.TP
.BR \-c , " \-\-command" = \fIcommand
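Review bot: The re-added line "in all cases use PAM (pam_getenvlist()) to do final environment modification." still has a verb that disagrees with its subject, runuser. Since the line is being rewrapped anyway, change it to "in all cases uses PAM (pam_getenvlist()) to do the final environment modification." The sentence tells readers that \-\-login and \-\-preserve\-environment do not have the last word on the environment, so it is worth getting it to read cleanly.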
@@ -76,48 +79,48 @@ shell.
The primary group to be used. This option is allowed for the root user only.
.TP
.BR \-G , " \-\-supp\-group" = \fIgroup
-Specify a supplemental group. This option is available to the root user only. The first specified
-supplementary group is also used as a primary group if the option \fB\-\-group\fR is unspecified.
+Specify a supplementary group.
+This option is available to the root user only. The first specified
+supplementary group is also used as a primary group
+if the option \fB\-\-group\fR is not specified.
.TP
.BR \- , " \-l" , " \-\-login"
Start the shell as a login shell with an environment similar to a real
login:
-.RS 10
-.TP
-o
+.RS
+.IP * 2
clears all the environment variables except for
.B TERM
and variables specified by \fB\-\-whitelist\-environment\fR
-.TP
-o
+.IP *
initializes the environment variables
.BR HOME ,
.BR SHELL ,
.BR USER ,
.BR LOGNAME ,
.B PATH
-.TP
-o
+.IP *
changes to the target user's home directory
-.TP
-o
+.IP *
sets argv[0] of the shell to
.RB ' \- '
in order to make the shell a login shell
.RE
.TP
.BR \-P , " \-\-pty"
-Create pseudo-terminal for the session. The independent terminal provides
-better security as user does not share terminal with the original
-session. This allow to avoid TIOCSTI ioctl terminal injection and other
-security attacks against terminal file descriptors. The all session is also
-possible to move to background (e.g., "runuser \-\-pty \-u username \-\- command &").
+Create a pseudo-terminal for the session. The independent terminal provides
+better security as user does not share a terminal with the original
+session.
+This permits the avoidance of TIOCSTI ioctl terminal injection and other
+security attacks against terminal file descriptors. The entire session can also
+be moved to background (e.g., "runuser \-\-pty \-u username \-\- command &").
If the pseudo-terminal is enabled then runuser command works
as a proxy between the sessions (copy stdin and stdout).
.sp
This feature is mostly designed for interactive sessions. If the standard input
-is not a terminal, but for example pipe (e.g., echo "date" | runuser \-\-pty \-u user)
-than ECHO flag for the pseudo-terminal is disabled to avoid messy output.
+is not a terminal,
+but for example a pipe (e.g., echo "date" | runuser \-\-pty \-u user),
+then the ECHO flag for the pseudo-terminal is disabled to avoid messy output.
.TP
.BR \-m , " \-p" , " \-\-preserve\-environment"
Preserve the entire environment, i.e., it does not set
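Review bot: In the \-\-pty paragraph, "better security as user does not share a terminal" still lacks an article ("as the user does not share"), and "be moved to background" should be "be moved to the background". "This permits the avoidance of TIOCSTI ioctl terminal injection" would read more directly as "This avoids TIOCSTI ioctl terminal injection". The unchanged context line "If the pseudo-terminal is enabled then runuser command works" has the same missing article ("then the runuser command works") and could be fixed in this pass too, since the rest of the paragraph is being rewritten.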
@@ -131,28 +134,24 @@ The option is ignored if the option \fB\-\-login\fR is specified.
.BR \-s , " \-\-shell" = \fIshell
Run the specified \fIshell\fR instead of the default. The shell to run is
selected according to the following rules, in order:
-.RS 10
-.TP
-o
+.RS
+.IP * 2
the shell specified with
.B \-\-shell
-.TP
-o
+.IP *
the shell specified in the environment variable
.B SHELL
if the
.B \-\-preserve\-environment
option is used
-.TP
-o
+.IP *
the shell listed in the passwd entry of the target user
-.TP
-o
+.IP *
/bin/sh
.RE
.IP
If the target user has a restricted shell (i.e., not listed in
-/etc/shells) the
+/etc/shells), then the
.B \-\-shell
option and the
.B SHELL
@@ -160,11 +159,12 @@ environment variables are ignored unless the calling user is root.
.TP
.BI \-\-session\-command= command
Same as
-.B \-c ,
+.BR \-c ,
but do not create a new session. (Discouraged.)
.TP
.BR \-w , " \-\-whitelist\-environment" = \fIlist
-Don't reset environment variables specified in comma separated \fIlist\fR when clears
+Don't reset the environment variables specified in the
+comma-separated \fIlist\fR when clearing the
environment for \fB\-\-login\fR. The whitelist is ignored for the environment variables
.BR HOME ,
.BR SHELL ,
--
2.26.2