System Administration Commands embeddedsu(1M)
NAME
embeddedsu - allow an application to prompt for credentials
and execute commands as the super user or another user
SYNOPSIS
/usr/lib/embeddedsu [-] [username [arg...]]
DESCRIPTION
The embeddedsu command allows an application to prompt the
user for security credentials and then use those credentials
to execute a program as another user or role (see rbac(5)
for information on role-based access control). The default
username is root (super user).
embeddedsu is identical to su(1M), except that the user
interaction is packaged in a form suitable for another pro-
gram to interpret and display. Typically, embeddedsu would
be used to allow a graphical program to prompt for the super
user password and execute a command as the super user,
without requiring that the requesting program be run as the
super user.
PROTOCOL
embeddedsu implements a simple protocol over standard
input, standard output, and standard error. This protocol
consists of three phases, roughly corresponding to PAM ini-
tialization, the PAM dialog, and PAM completion.
Phase 1: Initialization
After starting embeddedsu, the application must send an
initialization block on embeddedsu's standard input. This
block is a text block, as described under "Text Blocks".
There are currently no initialization parameters defined;
the application should send an empty block by sending a line
consisting solely of a period (.).
Phase 2: Conversation
embeddedsu then emits zero or more conversation blocks on
its standard output. Each conversation block may require
zero or more responses.
A conversation block starts with a line consisting of the
word CONV, followed by whitespace, followed by the number of
messages in the conversation block as a decimal integer. The
number of messages may be followed by whitespace and addi-
tional data. This data, if present, must be ignored.
SunOS 5.11 Last change: 10 Feb 2005 1
Each message consists of a line containing a header followed
by a text block, as described under "Text Blocks". A single
newline is appended to each message, allowing the message to
end with a line that does not end with a newline.
A message header line consists of a PAM message style name,
as described in pam_start(3PAM). The message header values
are:
PAM_PROMPT_ECHO_OFF The application is to prompt the user
for a value, with echoing disabled.
PAM_PROMPT_ECHO_ON The application is to prompt the user
for a value, with echoing enabled.
PAM_ERROR_MSG The application is to display the
message in a form appropriate for
displaying an error.
PAM_TEXT_INFO The application is to display the
message in a form appropriate for
general information.
The PAM message style may be followed by whitespace and
additional data. This data, if present, must be ignored.
After writing all of the messages in the conversation block,
if any of them were PAM_PROMPT_ECHO_OFF or
PAM_PROMPT_ECHO_ON, embeddedsu waits for the response
values. It expects the response values one per line, in the
order the messages were given.
Phase 3: Completion
After zero or more conversation blocks, embeddedsu emits a
result block instead of a conversation block.
Upon success, embeddedsu emits a single line containing the
word "SUCCESS". The word SUCCESS may be followed by whi-
tespace and additional data. This data, if present, must be
ignored.
Upon failure, embeddedsu emits a single line containing the
word "ERROR", followed by a text block as described under
"Text Blocks". The text block gives an error message. The
word ERROR may be followed by whitespace and additional
data. This data, if present, must be ignored.
Text Blocks
Initialization blocks, message blocks, and error blocks are
all text blocks. These are blocks of text that are ter-
minated by a line containing a single period (.). Lines in
the block that begin with a "." have an extra "." prepended
to them.
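The following Python program is an added illustration; it is not part of this manual page or of Solaris. It drives the three phases above from the application side: it sends the empty initialization block, parses CONV blocks and their dot-stuffed messages, hands each message to a callback, returns the responses one per line only after the whole block has been read, and distinguishes a SUCCESS result from an ERROR result and its text block. It is exercised against a constructed transcript of what embeddedsu would write (the message texts in it are invented) rather than against a live /usr/lib/embeddedsu; the function and variable names are the example's own.

```python
"""Application-side driver for the embeddedsu(1M) protocol (added example)."""
from typing import Callable, Iterator, List, Optional, Tuple

# PAM message styles that may appear in a conversation message header.
PROMPT_STYLES = {"PAM_PROMPT_ECHO_OFF", "PAM_PROMPT_ECHO_ON"}
DISPLAY_STYLES = {"PAM_ERROR_MSG", "PAM_TEXT_INFO"}

# converse(style, text) shows a message and returns the user's reply for
# prompt styles (None for display-only styles).
Converse = Callable[[str, str], Optional[str]]


class ProtocolError(Exception):
    """embeddedsu sent something the protocol does not allow."""


def encode_text_block(text: str) -> List[str]:
    """Lines of a text block as the application writes it (phase 1).

    Every line that begins with "." gets an extra "." prepended, and the
    block is terminated by a line consisting solely of ".".
    """
    lines = text.split("\n") if text else []
    return [("." + ln) if ln.startswith(".") else ln for ln in lines] + ["."]


def read_text_block(lines: Iterator[str]) -> str:
    """Consume a dot-stuffed text block from embeddedsu and un-stuff it.

    embeddedsu appends one newline to each message before stuffing it, so
    joining the lines with "\\n" restores the message exactly, including any
    trailing newline it had.
    """
    out: List[str] = []
    for line in lines:
        if line == ".":
            return "\n".join(out)
        out.append(line[1:] if line.startswith(".") else line)
    raise ProtocolError("text block not terminated by a lone '.'")


def drive(reader: Iterator[str], write: Callable[[str], None],
          converse: Converse) -> Tuple[bool, str]:
    """Run phases 1-3. reader yields embeddedsu's stdout lines (newline
    stripped); write sends one line to its stdin. Returns (ok, error_text)."""
    # Phase 1: no initialization parameters are defined, send an empty block.
    for line in encode_text_block(""):
        write(line)
    # Phases 2 and 3: conversation blocks until a result block arrives.
    for line in reader:
        fields = line.split()
        keyword = fields[0] if fields else ""
        if keyword == "SUCCESS":            # trailing data, if any, is ignored
            return True, ""
        if keyword == "ERROR":
            return False, read_text_block(reader)
        if keyword != "CONV" or len(fields) < 2 or not fields[1].isdigit():
            raise ProtocolError(f"unexpected line from embeddedsu: {line!r}")
        replies: List[str] = []
        for _ in range(int(fields[1])):
            header = next(reader, None)
            if header is None:
                raise ProtocolError("conversation block truncated")
            style = header.split()[0] if header.split() else ""
            if style not in PROMPT_STYLES | DISPLAY_STYLES:
                raise ProtocolError(f"unknown PAM message style {style!r}")
            reply = converse(style, read_text_block(reader))
            if style in PROMPT_STYLES:
                # A response is exactly one line; an embedded newline would be
                # read as the next response and desynchronize the exchange.
                if reply is None or "\n" in reply:
                    raise ValueError("prompt reply must be a single line")
                replies.append(reply)
        # Responses go back only after the whole block, one per line, in order.
        for reply in replies:
            write(reply)
    raise ProtocolError("embeddedsu exited without a result block")


# Constructed transcript (not captured from a real system) of a failed attempt:
# one CONV block with an informational message and a no-echo password prompt,
# followed by an ERROR result block whose text contains a dot-stuffed line.
FAILED_TRANSCRIPT = [
    "CONV 2 trailing-data-to-be-ignored",
    "PAM_TEXT_INFO",
    "Authorized users only.",
    "",
    ".",
    "PAM_PROMPT_ECHO_OFF",
    "Password: ",
    ".",
    "ERROR",
    "embeddedsu: Sorry",
    "..a line that began with a dot",
    ".",
]
# Same conversation, but embeddedsu accepts the password.
SUCCESS_TRANSCRIPT = FAILED_TRANSCRIPT[:8] + ["SUCCESS extra data"]


def replay(transcript: List[str], password: str):
    """Drive the protocol over a canned transcript. Returns (ok, error_text,
    lines the application wrote, (style, text) pairs shown to the user)."""
    sent: List[str] = []
    shown: List[Tuple[str, str]] = []

    def converse(style: str, text: str) -> Optional[str]:
        shown.append((style, text))
        return password if style in PROMPT_STYLES else None

    ok, err = drive(iter(transcript), sent.append, converse)
    return ok, err, sent, shown


if __name__ == "__main__":
    print(replay(FAILED_TRANSCRIPT, "hunter2"))
    print(replay(SUCCESS_TRANSCRIPT, "hunter2"))
```

To use it against the real program, feed drive() a line iterator over the child's standard output and a writer that appends a newline and flushes to its standard input; nothing on this page says what embeddedsu does with the pipes once the command runs, so leave them open until the child exits.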
Internationalization
All messages are localized to the current locale; no further
localization is required.
SECURITY
embeddedsu uses pam(3PAM) for authentication, account
management, and session management. Its primary function is
to export the PAM conversation mechanism to an unprivileged
program. Like su(1M), the PAM configuration policy can be
used to control embeddedsu. The PAM service name used is
"embeddedsu".
embeddedsu is almost exactly equivalent to su(1M) for secu-
rity purposes. The only exception is that it is slightly
easier to use embeddedsu in writing a malicious program
that might trick a user into providing secret data. For
those sites needing maximum security, potentially at the
expense of application functionality, the EXAMPLES section
shows how to disable embeddedsu.
EXAMPLES
In the following examples, left angle brackets (<<<) indi-
cate a line written by embeddedsu and read by the invoking
application. Right angle brackets (>>>) indicate a line
written by the application and read by embeddedsu.
Example 1 Executing a command with the Correct Password
The following example shows an attempt to execute "somecom-
mand" as "someuser", with the correct password supplied:
/usr/lib/embeddedsu someuser -c somecommand
>>>.
<<<CONV 1
<<<PAM_PROMPT_ECHO_OFF
<<<[ password prompt ]
<<<.
>>>[ correct password ]
<<<SUCCESS
Example 2 Executing a command with an Incorrect Password
The following example shows the same attempt with an incorrect
password supplied; embeddedsu pauses before reporting the
failure:
/usr/lib/embeddedsu someuser -c somecommand
>>>.
<<<CONV 1
<<<PAM_PROMPT_ECHO_OFF
<<<[ password prompt ]
<<<.
>>>[ incorrect password ]
[ delay ]
<<<ERROR
<<<[ error message ]
<<<.
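The following pam.conf(4) fragment is added here and is not
part of this manual page. It disables embeddedsu site-wide by
giving its PAM service name, "embeddedsu", an auth stack that
always fails; it assumes the Solaris pam.conf line format
(service_name, module_type, control_flag, module_path) and that
pam_deny(5) is installed. Once the entry is in place,
embeddedsu answers every attempt with an ERROR result block,
which can be confirmed with the exchange shown in Example 2.

```text
# /etc/pam.conf (added example; assumes Solaris pam.conf syntax and pam_deny)
# service    module_type  control_flag  module_path
embeddedsu   auth         requisite     pam_deny.so.1
```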