AUTHS(C) UNIX System V
Name
auths - list and/or restrict kernel authorizations
Syntax
auths [ -v ] [ -a authlist ] [ -r authlist ] [ -c command ]
Description
auths performs actions associated with system privilege
manipulation. With no arguments, auths returns the kernel
authorizations associated with the current process. All
other uses of auths are discussed below.
Either the -a or the -r option allows the user to alter the
kernel authorizations in order to run a shell or a single
command. The -a option requires a list of comma-separated
authorizations, which become the absolute set of kernel
authorizations for the new process. This new set must be a
subset of the kernel authorizations of the invoking process.
To start a process with a null set of kernel authorizations,
use the empty string (""). The -r option also takes as its
argument a comma-separated list of authorizations. These
are removed from the authorization set of the invoking
process when forming the kernel authorizations for the new
process.
The argument to the -c option is passed to the user's shell,
as specified in the user's /etc/passwd entry, and is run as
a single command. The user's shell must support the
-c command syntax, similar to sh(C). When the argument is
absent (and -a or -r is specified), the user's shell is
invoked as a process with adjusted authorizations. Exiting
that shell resumes execution in the previous shell, and the
original kernel authorizations are in effect again. This
option may be used to run a command with restricted
authorizations, i.e. fewer than those allowed the user in
the protected Password database entry.
The -v option lists the new kernel authorizations before the
new command or shell is run. It also warns when the -a
option attempts to set more authorizations than already
exist, or when the -r option attempts to remove more
authorizations than already exist.
The kernel authorizations are:
    execsuid     - allows the running of SUID programs
    nopromain    - does not restrict file access when running
                   SUID programs
    writeaudit   - process can write directly to the audit
                   trail
    configaudit  - process can change audit subsystem
                   parameters
    suspendaudit - process is not audited by the kernel
    chmodsugid   - process can set SUID and GID bits on files
    chown        - process can change file ownership
Examples
To execute a shell without the execsuid kernel
authorization:
    auths -r execsuid
To list the current kernel authorizations:
    auths
To execute yourprog with no kernel authorizations:
    auths -a "" -c yourprog
To execute myprog with chmodsugid and execsuid:
    auths -a chmodsugid,execsuid -c myprog
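The set arithmetic behind -a and -r, as an added illustration that is not part of the original manual page or the system's own code: a POSIX sh model that only computes the resulting authorization list and never invokes auths. The helper names, the return codes, and the choice to drop (rather than refuse) authorizations the invoker does not hold are assumptions; the page states only that -v warns in that case.

```shell
#!/bin/sh
# Model of how auths forms the new process's kernel authorization set.
# Added illustration: it never invokes auths and changes no privileges.

# The seven kernel authorizations named on this page.
KNOWN="execsuid nopromain writeaudit configaudit suspendaudit chmodsugid chown"

# has SET NAME: succeed if NAME is a word in the space-separated SET.
has() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# new_auths MODE CURRENT LIST   (hypothetical helper)
#   MODE    a = LIST is the absolute new set, r = LIST is removed
#   CURRENT comma-separated authorizations of the invoking process
#   LIST    comma-separated argument to -a or -r; "" is the null set
# Prints the resulting set in CURRENT's order. Returns 0 if clean,
# 1 if LIST named authorizations the invoker lacks (the case -v warns
# about; assumed here to be dropped), 2 on an unknown name or mode.
new_auths() {
    case $1 in a|r) mode=$1 ;; *) echo "mode must be a or r" >&2; return 2 ;; esac
    cur=$(printf '%s' "$2" | tr ',' ' ')
    req=$(printf '%s' "$3" | tr ',' ' ')
    out=; rc=0
    for r in $req; do
        has "$KNOWN" "$r" || { echo "unknown authorization: $r" >&2; return 2; }
        has "$cur" "$r" || { echo "warning: $r not held by invoker" >&2; rc=1; }
    done
    for c in $cur; do
        if has "$req" "$c"; then listed=a; else listed=r; fi
        # -a keeps what LIST names; -r keeps what LIST does not name.
        if [ "$listed" = "$mode" ]; then out="$out,$c"; fi
    done
    printf '%s\n' "${out#,}"
    return "$rc"
}
```

With a constructed invoking set of execsuid,chmodsugid,chown, `new_auths r execsuid,chmodsugid,chown execsuid` prints chmodsugid,chown, matching the first example above.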
See Also
sh(C), promain(M), getpriv(S), setpriv(S), getprpwent(S),
``Using a Trusted System'' in the User's Guide
(printed 8/28/89) AUTHS(C)