* [PATCH 1/3] Manual pages: runuser.1: Various wording and formatting fixes
@ 2020-06-12 11:19 Michael Kerrisk (man-pages)
From: Michael Kerrisk (man-pages) @ 2020-06-12 11:19 UTC (permalink / raw)
To: mtk.manpages, Karel Zak; +Cc: util-linux
Most of this is pretty straightforward English language fix-ups
and formatting fix-ups, so I've rolled it into one patch.
Signed-off-by: Michael Kerrisk (man-pages) <mtk.manpages@gmail.com>
---
login-utils/runuser.1 | 70 +++++++++++++++++++++----------------------
1 file changed, 35 insertions(+), 35 deletions(-)
diff --git a/login-utils/runuser.1 b/login-utils/runuser.1
index 7bcbbde12..8d38dd7de 100644
--- a/login-utils/runuser.1
+++ b/login-utils/runuser.1
@@ -10,7 +10,7 @@ runuser \- run a command with substitute user and group ID
.RI [ user " [" argument "...]]"
.SH DESCRIPTION
.B runuser
-allows to run commands with a substitute user and group ID.
+can be used to to run commands with a substitute user and group ID.
If the option \fB\-u\fR is not given, it falls back to
.BR su -compatible
semantics and a shell is executed.
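Review bot: the replacement line doubles the word "to" ("can be used to to run commands"); drop one so it reads `+can be used to run commands with a substitute user and group ID.`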
@@ -26,7 +26,8 @@ The command
.B runuser
does not have to be installed with set-user-ID permissions.
.PP
-If the PAM session is not required then recommended solution is to use
+If the PAM session is not required,
+then the recommended solution is to use the
.BR setpriv (1)
command.
.PP
@@ -37,7 +38,7 @@ defaults to running an interactive shell as
.PP
For backward compatibility,
.B runuser
-defaults to not change the current directory and to only set the
+defaults to not changing the current directory and to setting only the
environment variables
.B HOME
and
@@ -55,8 +56,10 @@ uses PAM for session management.
.PP
Note that
.B runuser
-in all cases use PAM (pam_getenvlist()) to do final environment modification. The command line options
-like \fB\-\-login\fR or \fB\-\-preserve\-environment\fR affect environment before it's modified by PAM.
+in all cases use PAM (pam_getenvlist()) to do final environment modification.
+Command-line options
+such as \fB\-\-login\fR or \fB\-\-preserve\-environment\fR affect
+the environment before it is modified by PAM.
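Review bot: the rewritten first line still has a subject/verb mismatch: "runuser ... in all cases use PAM" should be "uses PAM", and "to do final environment modification" reads better with an article. Suggested: `+in all cases uses PAM (pam_getenvlist()) to do the final environment modification.`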
.SH OPTIONS
.TP
.BR \-c , " \-\-command" = \fIcommand
@@ -76,48 +79,48 @@ shell.
The primary group to be used. This option is allowed for the root user only.
.TP
.BR \-G , " \-\-supp\-group" = \fIgroup
-Specify a supplemental group. This option is available to the root user only. The first specified
-supplementary group is also used as a primary group if the option \fB\-\-group\fR is unspecified.
+Specify a supplementary group.
+This option is available to the root user only. The first specified
+supplementary group is also used as a primary group
+if the option \fB\-\-group\fR is not specified.
.TP
.BR \- , " \-l" , " \-\-login"
Start the shell as a login shell with an environment similar to a real
login:
-.RS 10
-.TP
-o
+.RS
+.IP * 2
clears all the environment variables except for
.B TERM
and variables specified by \fB\-\-whitelist\-environment\fR
-.TP
-o
+.IP *
initializes the environment variables
.BR HOME ,
.BR SHELL ,
.BR USER ,
.BR LOGNAME ,
.B PATH
-.TP
-o
+.IP *
changes to the target user's home directory
-.TP
-o
+.IP *
sets argv[0] of the shell to
.RB ' \- '
in order to make the shell a login shell
.RE
.TP
.BR \-P , " \-\-pty"
-Create pseudo-terminal for the session. The independent terminal provides
-better security as user does not share terminal with the original
-session. This allow to avoid TIOCSTI ioctl terminal injection and other
-security attacks against terminal file descriptors. The all session is also
-possible to move to background (e.g., "runuser \-\-pty \-u username \-\- command &").
+Create a pseudo-terminal for the session. The independent terminal provides
+better security as user does not share a terminal with the original
+session.
+This permits the avoidance of TIOCSTI ioctl terminal injection and other
+security attacks against terminal file descriptors. The entire session can also
+be moved to background (e.g., "runuser \-\-pty \-u username \-\- command &").
If the pseudo-terminal is enabled then runuser command works
as a proxy between the sessions (copy stdin and stdout).
.sp
This feature is mostly designed for interactive sessions. If the standard input
-is not a terminal, but for example pipe (e.g., echo "date" | runuser \-\-pty \-u user)
-than ECHO flag for the pseudo-terminal is disabled to avoid messy output.
+is not a terminal,
+but for example a pipe (e.g., echo "date" | runuser \-\-pty \-u user),
+then the ECHO flag for the pseudo-terminal is disabled to avoid messy output.
.TP
.BR \-m , " \-p" , " \-\-preserve\-environment"
Preserve the entire environment, i.e., it does not set
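Review bot: the rewritten --pty paragraph still reads awkwardly in two places: "as user does not share a terminal" needs an article ("as the user does not share a terminal"), and "This permits the avoidance of TIOCSTI ioctl terminal injection" is a heavy construction that "This avoids TIOCSTI ioctl terminal injection" says more plainly; likewise "be moved to background" should be "be moved to the background". The .RS/.IP list conversion itself is consistent with the --shell list later in the file.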
@@ -131,28 +134,24 @@ The option is ignored if the option \fB\-\-login\fR is specified.
.BR \-s , " \-\-shell" = \fIshell
Run the specified \fIshell\fR instead of the default. The shell to run is
selected according to the following rules, in order:
-.RS 10
-.TP
-o
+.RS
+.IP * 2
the shell specified with
.B \-\-shell
-.TP
-o
+.IP *
the shell specified in the environment variable
.B SHELL
if the
.B \-\-preserve\-environment
option is used
-.TP
-o
+.IP *
the shell listed in the passwd entry of the target user
-.TP
-o
+.IP *
/bin/sh
.RE
.IP
If the target user has a restricted shell (i.e., not listed in
-/etc/shells) the
+/etc/shells), then the
.B \-\-shell
option and the
.B SHELL
@@ -160,11 +159,12 @@ environment variables are ignored unless the calling user is root.
.TP
.BI \-\-session\-command= command
Same as
-.B \-c ,
+.BR \-c ,
but do not create a new session. (Discouraged.)
.TP
.BR \-w , " \-\-whitelist\-environment" = \fIlist
-Don't reset environment variables specified in comma separated \fIlist\fR when clears
+Don't reset the environment variables specified in the
+comma-separated \fIlist\fR when clearing the
environment for \fB\-\-login\fR. The whitelist is ignored for the environment variables
.BR HOME ,
.BR SHELL ,
--
2.26.2
* [PATCH 2/3] Manual pages: setpriv.1: Various minor wording and formatting fixes
From: Michael Kerrisk (man-pages) @ 2020-06-12 11:19 UTC (permalink / raw)
To: mtk.manpages, Karel Zak; +Cc: util-linux
Signed-off-by: Michael Kerrisk (man-pages) <mtk.manpages@gmail.com>
---
sys-utils/setpriv.1 | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1
index 939b69a3a..3794a917e 100644
--- a/sys-utils/setpriv.1
+++ b/sys-utils/setpriv.1
@@ -33,7 +33,7 @@ Clear supplementary groups.
.TP
.BR \-d , " \-\-dump"
Dump the current privilege state.
-Can be specified more than once to show extra,
+This option can be specified more than once to show extra,
mostly useless, information. Incompatible with all other options.
.TP
.B \-\-groups \fIgroup\fR...
@@ -55,14 +55,17 @@ where \fIN\fR is the internal capability index used by Linux.
.B +all
and
.B \-all
-can be used to add or remove all caps. The set of capabilities starts out as
+can be used to add or remove all caps.
+.IP
+The set of capabilities starts out as
the current inheritable set for
.BR \-\-inh\-caps ,
the current ambient set for
.B \-\-ambient\-caps
and the current bounding set for
.BR \-\-bounding\-set .
-If you drop something from the bounding set without also dropping it from the
+.IP
+If you drop a capability from the bounding set without also dropping it from the
inheritable set, you are likely to become confused. Do not do that.
.TP
.B \-\-keep\-groups
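Review bot: the new paragraph keeps "you are likely to become confused. Do not do that." without saying what actually happens, which is what a reader needs to decide whether it matters; capabilities(7) states that removing a capability from the bounding set does not remove it from the inheritable set but does prevent it from being added back later, and that concrete consequence is worth stating in place of "confused". Minor: "all caps" on the retained line `+can be used to add or remove all caps.` could be spelled out as "all capabilities" for consistency with the rest of the page.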
@@ -170,11 +173,16 @@ to fail at AppArmor's whim.
.TP
.B \-\-reset\-env
Clears all the environment variables except TERM; initializes the environment variables HOME, SHELL, USER, LOGNAME
-according to the user's passwd entry; sets PATH to \fI/usr/local/bin:/bin:/usr/bin\fR for a regual user and to
+according to the user's passwd entry; sets PATH to \fI/usr/local/bin:/bin:/usr/bin\fR for a regular user and to
\fI/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\fR for root.
.sp
-The environment variable PATH may be different on systems where /bin and /sbin
-are merged into /usr. The environment variable SHELL defaults to \fI/bin/sh\fR if none is given in the user's
+The environment variable PATH may be different on systems where
+.I /bin
+and
+.I /sbin
+are merged into
+.IR /usr .
+The environment variable SHELL defaults to \fI/bin/sh\fR if none is given in the user's
passwd entry.
.TP
.BR \-V , " \-\-version"
--
2.26.2
* [PATCH 3/3] Manual pages: setpriv.1: warn users of restrictions on capability changes
From: Michael Kerrisk (man-pages) @ 2020-06-12 11:19 UTC (permalink / raw)
To: mtk.manpages, Karel Zak; +Cc: util-linux
The kernel imposes various restrictions on the changes that can be
made to the inheritable, ambient, and bounding sets. Warn the user
about that.
Signed-off-by: Michael Kerrisk (man-pages) <mtk.manpages@gmail.com>
---
sys-utils/setpriv.1 | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1
index 3794a917e..42d1a2fb9 100644
--- a/sys-utils/setpriv.1
+++ b/sys-utils/setpriv.1
@@ -65,6 +65,22 @@ the current ambient set for
and the current bounding set for
.BR \-\-bounding\-set .
.IP
+Note the following restrictions (detailed in
+.BR capabilities (7))
+regarding modifications to these capability sets:
+.RS
+.IP * 2
+A capability can be added to the inheritable set only if it is
+currently present in the bounding set.
+.IP *
+A capability can be added to the ambient set only if it is currently
+present in both the permitted and inheritable sets.
+.IP *
+Notwithstanding the syntax offered by
+.BR setpriv ,
+the kernel does not permit capabilities to be added to the bounding set.
+.RE
+.IP
If you drop a capability from the bounding set without also dropping it from the
inheritable set, you are likely to become confused. Do not do that.
.TP
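Review bot: the third bullet documents that additions to the bounding set fail at the kernel "notwithstanding the syntax offered by setpriv"; if --bounding-set accepts "+cap" entries only for the kernel to reject them, the cleaner fix is for setpriv to reject "+" entries for that option at parse time with a clear error, after which this bullet can simply say the option only removes capabilities. Separately, the first bullet states a necessary condition ("only if it is currently present in the bounding set") that readers may take as sufficient; capabilities(7), which the text cites, also requires the capability to be in the permitted set unless the caller has CAP_SETPCAP, so consider adding that second condition.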
--
2.26.2
* Re: [PATCH 1/3] Manual pages: runuser.1: Various wording and formatting fixes
From: Karel Zak @ 2020-06-15 9:37 UTC (permalink / raw)
To: Michael Kerrisk (man-pages); +Cc: util-linux
On Fri, Jun 12, 2020 at 01:19:31PM +0200, Michael Kerrisk (man-pages) wrote:
> login-utils/runuser.1 | 70 +++++++++++++++++++++----------------------
> 1 file changed, 35 insertions(+), 35 deletions(-)
All 3 patches applied. Thanks.
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com