SUAUTH(5) File Formats and Conversions SUAUTH(5)

suauth - detailed su control file

/etc/suauth

The file /etc/suauth is referenced whenever the su command is called. It can change the behaviour of the su command, based upon:

1) the user su is targeting

2) the user executing the su command (or any groups he might be a member of)

The file is formatted like this (lines beginning with # are comments and are ignored):

to-id:from-id:ACTION

Where to-id is either the word ALL, a list of usernames delimited by "," or the words ALL EXCEPT followed by a list of usernames delimited by ",".

from-id is formatted the same as to-id except the extra word GROUP is recognized. ALL EXCEPT GROUP is perfectly valid too. Following GROUP appears one or more group names, delimited by ",". It is not sufficient to have the relevant group as the user's primary group ID; an explicit membership entry in /etc/group(5) is necessary.

Action can be only one of the following currently supported options.

DENY

The attempt to su is stopped before a password is even asked for.

NOPASS

The attempt to su is automatically successful; no password is asked for.

OWNPASS

For the su command to be successful, the user must enter his or her own password. They are told this.

Note there are three separate fields delimited by a colon. No whitespace may surround the colons. Also note that the file is examined sequentially, line by line, and the first applicable rule is used without examining the file further. This makes it possible for a system administrator to exercise as fine control as he or she wishes.

# sample /etc/suauth file
#
# A couple of privileged usernames may
# su to root with their own password.
#
root:chris,birddog:OWNPASS
#
# Anyone else may not su to root unless in
# group wheel. This is how BSD does things.
#
root:ALL EXCEPT GROUP wheel:DENY
#
# Perhaps terry and birddog are accounts
# owned by the same person.
# Access can be arranged between them
# with no password.
#
terry:birddog:NOPASS
birddog:terry:NOPASS
#
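The following is an added example, not code from shadow-utils: a small Python evaluator for the /etc/suauth format described above. It parses to-id:from-id:ACTION lines (including ALL, ALL EXCEPT and GROUP), enforces the strict whitespace rule, and resolves a su attempt with the first-match semantics the page describes, so the effect of rule order can be checked before a file is deployed. The group table, the `lookup` helper and the behaviour when no rule matches (it returns None) are constructed for illustration and are not part of the real su implementation.

```python
"""Evaluate /etc/suauth rules with first-match semantics (added example, not shadow-utils code).
The group table, sample rules and `lookup` helper are constructed for illustration."""
from typing import Optional

# Constructed stand-in for /etc/group(5). As the page says, only an explicit
# membership entry counts; a user's primary GID alone does not.
GROUPS = {
    "wheel": {"chris", "admin"},
    "users": {"terry", "birddog", "chris", "guest"},
}

ACTIONS = {"DENY", "NOPASS", "OWNPASS"}


def _parse_idlist(field: str, allow_group: bool):
    """Parse a to-id or from-id field into (negate, is_group, names).

    Accepted forms: ALL | names | ALL EXCEPT names | GROUP groups |
    ALL EXCEPT GROUP groups (GROUP only in from-id). Lists are ","-delimited.
    Splitting on single spaces keeps this parser as strict about stray
    whitespace as the page says the real one is."""
    tokens = field.split(" ")
    if tokens == ["ALL"]:
        return True, False, frozenset()      # "everyone except nobody"
    negate = is_group = False
    if tokens[:2] == ["ALL", "EXCEPT"]:
        negate, tokens = True, tokens[2:]
    if tokens[:1] == ["GROUP"]:
        if not allow_group:
            raise ValueError("GROUP is only recognised in from-id")
        is_group, tokens = True, tokens[1:]
    if len(tokens) != 1 or not tokens[0]:
        raise ValueError(f"malformed id list: {field!r}")
    return negate, is_group, frozenset(tokens[0].split(","))


def parse_rules(text: str):
    """Parse suauth text into [(lineno, to_spec, from_spec, action), ...].

    Blank lines and lines starting with # are ignored; everything else must
    be exactly to-id:from-id:ACTION with no whitespace beside the colons."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                    # leading/trailing blanks are tolerated
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 colon-separated fields")
        if any(f != f.strip() for f in fields):
            raise ValueError(f"line {lineno}: whitespace next to a colon")
        to_id, from_id, action = fields
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append((lineno,
                      _parse_idlist(to_id, allow_group=False),
                      _parse_idlist(from_id, allow_group=True),
                      action))
    return rules


def _matches(spec, user: str) -> bool:
    negate, is_group, names = spec
    if is_group:
        hit = any(user in GROUPS.get(g, ()) for g in names)
    else:
        hit = user in names
    return hit != negate


def lookup(rules, from_user: str, to_user: str) -> Optional[str]:
    """Return the ACTION of the first rule matching this su attempt.

    Rules are checked in file order and the first hit wins, so a broad
    DENY placed above a narrower NOPASS silently masks it. None means no
    rule applied; what su does then is outside this example."""
    for _lineno, to_spec, from_spec, action in rules:
        if _matches(to_spec, to_user) and _matches(from_spec, from_user):
            return action
    return None


# The sample file from the page, embedded so the example runs offline.
SAMPLE = """\
# A couple of privileged usernames may
# su to root with their own password.
root:chris,birddog:OWNPASS
# Anyone else may not su to root unless in group wheel.
root:ALL EXCEPT GROUP wheel:DENY
terry:birddog:NOPASS
birddog:terry:NOPASS
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for frm, to in [("chris", "root"), ("terry", "root"),
                    ("admin", "root"), ("birddog", "terry")]:
        print(f"su from {frm} to {to}: {lookup(rules, frm, to)}")
```

Running it against the sample file shows chris and birddog getting OWNPASS for root, terry getting DENY, and admin (a wheel member) matching no rule at all, which is the intended BSD-style behaviour. Reversing the order of the two root rules would make the DENY line shadow the OWNPASS line for chris and birddog, which is the first-match pitfall worth checking for in any hand-edited file.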

/etc/suauth

There could be plenty of potential problems. The file parser is particularly unforgiving about syntax errors: it expects no spurious whitespace (apart from the beginning and end of lines), and a specific token delimiting different things.

An error parsing the file is reported using syslogd(8) as level ERR on facility AUTH.

su(1).
2020-01-23 shadow-utils 4.8.1