summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMiles Bader <miles@gnu.org>1997-05-26 21:53:56 +0000
committerMiles Bader <miles@gnu.org>1997-05-26 21:53:56 +0000
commitb4447ed54831cbf4b49b96ed841faaacec6e26b6 (patch)
treee68dca9255e01fa9edb3308cf7609290d248c770
parent2e8c8ad17d3a6e063a63fbbb5d51ad151df3182f (diff)
Initial checkin
-rw-r--r--utils/frobauth.doc83
1 files changed, 83 insertions, 0 deletions
diff --git a/utils/frobauth.doc b/utils/frobauth.doc
new file mode 100644
index 00000000..e4d1358f
--- /dev/null
+++ b/utils/frobauth.doc
@@ -0,0 +1,83 @@
+ -- Hurd process authentication frobbing commands --
+
+addauth -- Adds additional authority to selected processes, without changing
+ their identity (unless they previously had none)
+rmauth -- Removes authority
+setauth -- Changes the identity and authority of selected processes
+su -- Changes the identity and authority of selected processes, saving enough
+ authority to later undo the change
+unsu -- Attempts to undo the results of a previous su command
+
+Examples:
+
+As these commands effective existing processes rather than creating
+subshells, the following are all typed to the same shell.
+
+Starting with the ids I get from logging in as miles (the `ids' command shows
+all the ids in the process it was invoked from):
+
+ (utils) ids -tn
+ euids=miles egids=10 auids=miles,miles agids=10,10
+
+Note that first euid/egids is the traditional unix effective uid/gid, and,
+for instance, determines what identity files are created with; the 1st and
+2nd auids/agids are the posix `real' and `saved' ids. Now I add root
+authority:
+
+ (utils) addauth root
+ Password:
+ (utils) ids -tn
+ euids=miles,root egids=10,wheel auids=miles,miles agids=10,10
+
+The main id is still miles, but an effective root id is also present, meaning
+that the process has root privileges. The traditional `id' command hasn't
+yet been changed to print extended hurd ids, so it only knows about the
+additional group:
+
+ (utils) id
+ uid=9427(miles) gid=10 groups=10,0(wheel)
+
+Removing root puts us back where we started:
+
+ (utils) rmauth root
+ (utils) ids -tn
+ euids=miles egids=10 auids=miles,miles agids=10,10
+
+Now if we use su instead, it actually changes our process's identity (but
+note that the old ids are still around as available ids -- this means they
+the only privilege they grant is to become effective ids):
+
+ (utils) su
+ Password:
+ (utils) ids -tn
+ euids=root egids=wheel auids=root,root,miles,miles agids=wheel,wheel,10,10
+ (utils) id
+ uid=0(root) gid=0(wheel) groups=0(wheel)
+
+We can undo the su with unsu:
+
+ (utils) unsu
+ (utils) ids -tn
+ euids=miles egids=10 auids=miles,miles agids=10,10
+
+Now lets su again, to a different user:
+
+ (utils) su thomas
+ Password:
+ (utils) ids -tn
+ euids=thomas egids=11 auids=thomas,thomas,miles,miles agids=11,11,10,10
+
+If we now use another su command, instead of su, we can swap our identity;
+we don't need a password to do this, since the old ids are still there as
+available ids.
+
+ (utils) su miles
+ (utils) ids -tn
+ euids=miles egids=10 auids=miles,miles,thomas,thomas agids=10,10,11,11
+
+Now if we give unsu, we'll become thomas for good (this same effect may be
+had in one step with the `su --no-save' or `setauth' commands):
+
+ (utils) unsu
+ (utils) ids -tn
+ euids=thomas egids=11 auids=thomas,thomas agids=11,11