xref: /original-bsd/old/athena/ksu/ksu.1 (revision 0999a820)
$Source: /mit/kerberos/src/man/RCS/ksu.1,v $
$Author: jtkohl $
$Header: ksu.1,v 4.1 89/01/23 11:38:16 jtkohl Exp $

Copyright (c) 1988 The Regents of the University of California.
All rights reserved.

Redistribution and use in source and binary forms are permitted
provided that the above copyright notice and this paragraph are
duplicated in all such forms and that any documentation,
advertising materials, and other materials related to such
distribution and use acknowledge that the software was developed
by the University of California, Berkeley. The name of the
University may not be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

@(#)su.1 6.7 (Berkeley) 12/7/88

KSU 1 "Kerberos Version 4.0" "MIT Project Athena"
C
NAME
ksu - substitute user id, using Kerberos
SYNOPSIS
ksu [-flm] [login]
DESCRIPTION
Ksu requests the password for login (or for ``root'', if no login is provided), and switches to that user and group ID. A shell is then invoked.

By default, your environment is unmodified with the exception of USER, HOME, and SHELL. HOME and SHELL are set to the target login's /etc/passwd values. USER is set to the target login, unless the target login has a UID of 0, in which case it is unmodified. The invoked shell is the target login's. This is the traditional behavior of ksu.

The -l option simulates a full login. The environment is discarded except for HOME, SHELL, PATH, TERM, and USER. HOME and SHELL are modified as above. USER is set to the target login. PATH is set to ``/usr/ucb:/bin:/usr/bin''. TERM is imported from your current environment. The invoked shell is the target login's, and ksu will change directory to the target login's home directory.

The -m option causes the environment to remain unmodified, and the invoked shell to be your login shell. No directory changes are made. As a security precaution, if the -m option is specified, the target user's shell is a non-standard shell (as defined by getusershell(3)) and the caller's real uid is non-zero, su will fail.

If the invoked shell is csh, the -f option prevents it from reading the .cshrc file. Otherwise, this option is ignored.

Only users with root instances listed in /.klogin may ksu to ``root'' (The format of this file is described by rlogin(1).). When attempting root access, ksu attempts to fetch a ticket-granting-ticket for ``username.root@localrealm'', where username is the username of the process. If possible, the tickets are used to obtain, use, and verify tickets for the service ``rcmd.host@localrealm'' where host is the canonical host name (as determined by krb_get_phost (3)) of the machine. If this verification fails, the ksu is disallowed (If the service ``rcmd.host@localrealm'' is not registered, the ksu is allowed.).

By default (unless the prompt is reset by a startup file) the super-user prompt is set to ``#'' to remind one of its awesome power.

When not attempting to switch to the ``root'' user, ksu behaves exactly like su (1).

"SEE ALSO"
su(1), csh(1), login(1), rlogin(1), sh(1), krb_get_phost(3), passwd(5), group(5), environ(7)