
NAME

       op - operator access

SYNOPSIS

       op mnemonic [arg]

DESCRIPTION

       The op tool provides a flexible means for system administrators  to
       grant trusted users access to certain root operations without having
       to give them full superuser privileges.  Different sets of users may
       be given access to different operations, and the security-related
       aspects of the environment of each operation (user and group IDs,
       working directory, root directory, umask, environment variables) can
       be carefully controlled.

OPTIONS

       -V     Show version number.

       -l     List  available  commands.  Note  that  this  will  only display
              commands you are permitted to run.

CONFIGURATION

       Configuration entries are read from /etc/op/op.conf and  all  files  in
       lexical  order  from /etc/op/op.d with the extension .conf.  Files must
       be owned by root and not have group or other permissions set.

       The fields of the entries in the configuration files are separated by
       white space.  Each entry may span several lines and continues  until
       the next alphanumeric string is found at the beginning of a line
       (which is taken to be the next mnemonic or variable definition, and
       thus the beginning of a new entry).  Comments may be embedded
       beginning with a # character.  Each entry in the configuration files
       has the following form:

              mnemonic  command [ arg ... ] ; [ option ... ]
       or
              var=value

       where the fields are interpreted in the following manner:

       var    a variable name,  which  must  be  an  upper  case  alphanumeric
              identifier.  Variables are expanded when reading options.

       value  the  remainder  of  the  line  is  taken  to be the value of the
              variable.

       mnemonic
              a unique, alphanumeric identifier for each operator function.

       command
              the full pathname of the executable to be run  by  op  when  the
              associated mnemonic is chosen.

       arg(s) any arguments, either literal or variable, needed by  command.
              Literal arguments are simply specified directly, like specific
              command options or files (/dev/rmt20).  Variable arguments
              are specified here as $1, $2 ... $n; these are described more
              fully in the options section below.  $* indicates any number
              of trailing arguments.

       option(s)
              a set of optional parameters that specify settings or
              restrictions for the particular mnemonic, define the permitted
              values of the variable arguments used by the command, and so
              on.  Options are separated by white space and are of the form
              keyword=value.  Where appropriate, the value may be a list of
              values separated by commas.  There should be no white space in
              an element of the value string unless it is quoted.  The
              keyword is any of the following types:

       uid    Set the user id to  the  value  specified.   The  value  can  be
              numeric user ID or a login name.  The default is root.

       gid    Set the group IDs to the values specified.  Each value can be
              a numeric group ID or a group name.

       dir    Change the current working directory to the path specified.

       chroot Change the root directory to the path specified using chroot.

       umask  Set the file creation umask to the octal value  specified.   The
              default is to set it to 022.

       groups Allow any user who belongs to a group listed here to  execute
              this op function.  The default is not to allow any specific
              group.  Note that the user and group strings are always
              treated as regular expressions and are not anchored, meaning
              the user name 'a' will match *any* user with the letter a in
              their name; anchor an expression (as in ^fred$) unless a
              substring match is intended.  In addition, group@hostname can
              be used to explicitly allow access only on specific hosts.

       users  Allow any user listed here to execute this op  function.  The
              default is not to allow any specific users.  You may use the
              regular expression .* to indicate that all users may use this
              mnemonic.  User expressions are of the form
              <user>[@<host>][/<expiry>] where <user> is a regular
              expression matched against the current system user, <host> is
              a regular expression matched against the system's hostname and
              <expiry> is a time of the form YYYYMMDD[hh[mm]] at which that
              user's access to the command expires.

       netgroups
              Allow  any user who belongs to a netgroup listed here to execute
              this op function. The default  is  not  to  allow  any  specific
              netgroup.

       password
              Queries the user for a password.  If there is an = part, the
              value is the crypted password required; otherwise the user's
              own password is asked for.

       securid
              Queries the user for a SecurID PIN and code.  If op has been
              compiled without SecurID support, this option will cause the
              command to fail with an error message.

       $VAR   where VAR is the name of an environment variable to be  passed
              to the command.  In the simplest case, using $VAR with no =
              part (as in $USER) means that this environment variable is
              inherited unchanged from the caller's shell.  If $VAR is an
              assignment ($VAR=value) the environment variable is set to the
              specified value in the new environment.

       environment
              Disables the destruction of the user's environment, so every
              variable the caller controls reaches the privileged command.
              Without it, only the variables named with $VAR are passed.

       help   Define help for this mnemonic.  Defaults to the full command.
              op -l will display this help when it lists the available
              commands, e.g. help="This is some help"

       nolog  Disables informational logging per command. Useful for cron jobs
              to avoid spamming the logs. Note  that  authentication  failures
              and other errors will still be logged.

       fowners
              Specifies the owner and group of the target command executable
              as a list of regular expressions of the form user:group.  If
              the executable's ownership does not match, the command will
              not be executed.

       fperms As with fowners but matches against the octal permissions of the
              executable.

       xauth  Attempt to propagate the X authority entry for  the  current
              display to the new user's X authority file.  The DISPLAY
              environment variable is also propagated to the new
              environment.  The destination user is determined by first
              using the user specified after xauth=..., then the user
              specified by uid=..., and finally the root user.

       $n     defines the permitted values of the nth variable  argument
              specified in the command arg list.  The value may be a
              comma-separated list of regular expressions, as for egrep(1).
              A variable argument specified as a command arg but not
              described in the options section may take on any value.  If
              an argument does not match any of its permitted values, a
              diagnostic is printed and the command is not executed.  When
              using the '(' syntax to pass values to other options, only the
              next options can use values from the previous search.

       $*     is used in the options section to place  restrictions  on  the
              trailing arguments specified as $* in the args section.  If
              any of these (possibly many) arguments does not match, a
              diagnostic is printed and the command is not executed.

       There can also be a special entry in the file beginning  at  the  first
       non-comment line that can define default values to override the builtin
       defaults listed here, yet still be overridden by any entry  that  wants
       to  redefine any of the keyword fields described above.  It should have
       the following format:
              DEFAULT   keyword_option
       where keyword_option is a keyword=value string  mentioned  above  under
       options.

       It should be noted that if any regular mnemonic entry defines its own
       option, the value given for that entry must explicitly include the
       item from the DEFAULT line if the default value is to be included.
       That is, the option definitions completely override any defaults;
       they do not add to them.  In this way, if a value specified on the
       DEFAULT line for users or groups (for example) needs to be "erased"
       without redefining new values (that is, we want no users or groups to
       be allowed to run the mnemonic), then the default value must be
       overridden with nothing (as in users=).  For the users or groups
       fields, such a null setting has the effect of setting the list of
       allowable users or groups to be empty.  For the other keywords (uid,
       gid, dir, chroot and umask), a null setting leaves that attribute as
       it is upon invocation of the op program, overriding any defaults.

       Another note is that if the command for a mnemonic is MAGIC_SHELL
       then a shell (using the user's $SHELL environment variable) is
       created; if there are arguments in addition to the mnemonic on the
       command line then the shell is invoked with "-c args".

EXAMPLES

       Example /etc/op/op.conf:

              # Define some users
              OPERATORS=(fred|barry)
              # Define hosts that Fred is restricted to
              FRED_HOSTS=(alpha|beta)
              # Define hosts that Barry is restricted to
              BARRY_HOSTS=(theta|gamma)
              # Define user/host access list
              ACCESS_LIST=fred@FRED_HOSTS|barry@BARRY_HOSTS

              # 'op shell' - gives user a root shell
              shell
                  /bin/su -;
                  users=ACCESS_LIST
                  environment
                  password
                  help="Root shell"

              # 'op reboot' - reboot system
              reboot
                  /sbin/reboot;
                  users=ACCESS_LIST
                  password
                  help="Reboot system"

              # ’op shutdown <time>’ - shutdown at a
              # certain time. Restricts argument to
              # valid values only
              shutdown
                  /sbin/shutdown -h $1;
                  users=ACCESS_LIST
                  $1=(now|[0-1]?[0-9]:[0-9][0-9]|2[0-3]:[0-5][0-9]|+[0-9]+)
                  help="Shutdown system"

              # Switch inetd on and off, shows complex
              # shell example and ’string’ arguments. $1
              # in this example is expanded by op
              inetd /bin/sh -c ’
                      case $1 in
                          on) /usr/sbin/inetd -s ;;
                          off) /usr/bin/pkill inetd ;;
                      esac
                  ’;
                  users=ACCESS_LIST
                  $1=on|off
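
       The access rules described under CONFIGURATION, applied to a
       constructed configuration modelled on the one above.  This is an
       added Python illustration, not code from op or its man page, and it
       models only what the page states: options are white-space separated
       keyword=value tokens after the first ';' (a quoted ';' is not
       handled), users=, $n= and $*= hold comma-separated regular
       expressions, upper-case variable names in option values are expanded
       by substitution, and every regular expression is matched unanchored
       (the page's 'a' matches any user containing an a).  Python's re
       stands in for egrep(1) syntax, and the refusal of extra arguments
       when the command has no $* is a modelling choice.

```python
"""Model of the op(1) access rules described under CONFIGURATION (added
illustration, not op's own code).  Assumptions: options are whitespace-
separated keyword=value tokens after the first ';' (quoted ';' not handled);
users=, $n= and $*= hold comma-separated regexes; upper-case variable names
in option values are expanded by substitution; regexes are unanchored, as the
page says 'a' matches any user containing an a; Python re stands in for egrep."""
import re
import shlex

# Constructed op.conf, modelled on the EXAMPLES section above (not a real file).
SAMPLE_CONF = """\
OPERATORS=(fred|barry)
DEFAULT users=OPERATORS umask=077
# 'op shell' - fred only, on host alpha only, until 2030-12-31
shell /bin/su -; users=fred@alpha/20301231 password help="Root shell"
# 'op reboot' - no users= option, so the DEFAULT list applies
reboot /sbin/reboot;
# users= with an empty value erases the DEFAULT list: nobody may run this
danger /bin/rm -rf /; users=
# 'op shutdown <time>' - $1 restricted to a few shapes, anchored with ^ and $
shutdown /sbin/shutdown -h $1;
    $1=^(now|[0-1]?[0-9]:[0-9][0-9]|2[0-3]:[0-5][0-9]|[+][0-9]+)$
# 'op showlog <file>...' - every trailing argument must match $*=
showlog /bin/cat $*; $*=^/var/log/[a-z]+[.]log$
# Unanchored: 'on' also matches 'onwards', as 'a' matches any user with an a
toggle /bin/echo $1; $1=on|off
"""

def _logical_lines(text):
    """Drop comments; join lines starting with white space onto the previous entry."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out

def _expand(value, variables):
    """Substitute upper-case variable names (single pass; no nesting)."""
    return re.sub(r"\b[A-Z][A-Z0-9_]*\b",
                  lambda m: variables.get(m.group(0), m.group(0)), value)

def _options(text, variables):
    """keyword=value tokens -> dict; bare keywords (password, ...) map to None."""
    opts = {}
    for tok in shlex.split(text):
        key, eq, val = tok.partition("=")
        opts[key] = _expand(val, variables) if eq else None
    return opts

def parse(text):
    """Return {mnemonic: {'command', 'args', 'options'}}.  An entry's own
    options replace DEFAULT's keyword by keyword, as the man page describes."""
    variables, defaults, entries = {}, {}, {}
    for line in _logical_lines(text):
        m = re.match(r"^([A-Z][A-Z0-9_]*)=(.*)$", line)
        if m:                                   # var=value definition
            variables[m.group(1)] = m.group(2)
            continue
        head, _, opt_text = line.partition(";")
        words = shlex.split(head)
        if words[0] == "DEFAULT":
            defaults = _options(head[len("DEFAULT"):], variables)
            continue
        entries[words[0]] = {"command": words[1], "args": words[2:],
                             "options": {**defaults, **_options(opt_text, variables)}}
    return entries

def _matches(patterns, subject):
    return any(re.search(p, subject) for p in patterns.split(","))

def user_allowed(entry, user, host, now):
    """users=<user>[@<host>][/<expiry>],... with now as 'YYYYMMDDhhmm'.
    An absent or empty users= list allows nobody."""
    spec = entry["options"].get("users")
    for item in (spec or "").split(","):
        item, _, expiry = item.partition("/")
        user_re, _, host_re = item.partition("@")
        if not item or not re.search(user_re, user):
            continue
        if host_re and not re.search(host_re, host):
            continue
        if expiry and now >= expiry.ljust(12, "0"):
            continue                            # access has expired
        return True
    return False

def args_allowed(entry, argv):
    """argv is what the operator typed after the mnemonic.  $n= restricts
    argv[n-1]; $*= restricts every later argument.  Extra arguments with no
    $* in the command are refused (a modelling choice, not from the page)."""
    opts, text = entry["options"], " ".join(entry["args"])
    needed = max((int(n) for n in re.findall(r"\$([0-9]+)", text)), default=0)
    if len(argv) < needed:
        return False
    for n in range(1, needed + 1):
        allowed = opts.get("$%d" % n)
        if allowed is not None and not _matches(allowed, argv[n - 1]):
            return False
    rest, allowed = argv[needed:], opts.get("$*")
    if "$*" in text:
        return allowed is None or all(_matches(allowed, a) for a in rest)
    return not rest
```

       parse(SAMPLE_CONF)["reboot"]["options"] carries the DEFAULT users
       and umask, while "danger" has users="" and so admits nobody;
       user_allowed(parse(SAMPLE_CONF)["shell"], "fred", "beta",
       "202501011200") is False because of the @alpha host part, and
       args_allowed(..."toggle"..., ["onwards"]) is True, which is the
       unanchored-pattern pitfall the groups keyword warns about.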

FILES

       /etc/op/op.conf
              Access control description file.

       /etc/op/op.d/*.conf
              Access control description files.

SEE ALSO

       sudo(1), su(1), chroot(2), egrep(1)

CREDIT

       Op: A Flexible Tool for Restricted Superuser Access, originally by
       Tom Christiansen, CONVEX Computer Corporation, Proceedings of the
       Large Installation Systems Administration III Workshop.  Further
       changes by Howard Owen; currently maintained by Alec Thomas.

BUG REPORTS TO

       alec@swapoff.org

COPYRIGHTS

       © Copyright 1991 by David Koblas © Copyright 2002-2005 by Alec Thomas