Synopsis
The Cooperative Computing Laboratory Sub-Identity Toolkit is a set of utilities and a Pluggable Authentication Module that let users create sub-users of themselves. Standard Unix permissions checks prevent these subordinate users from accessing their parent user’s files.
The Toolkit comes packaged with a set of five utilities and a pluggable authentication module, pam_subid.so. The utilities and their purposes are as follows:
- subuseradd creates a named subuser of the calling user.
- subuserdel deletes a named subuser of the calling user, optionally deleting all files owned by the subuser.
- subusersu acts like ‘su’, invoking the identity of the named subuser.
- subusersudo acts like ‘sudo’, running a given command as the named subuser.
- subuserchown acts like ‘chown’, changing the ownership of the given files to the named subuser (or to the calling user).
The pluggable authentication module, pam_subid.so, lets programs and services (such as ‘su’) check whether the named user is a subuser of the calling user and, if so, implicitly allow the action. For example, if /etc/pam.d/su contains the line auth sufficient pam_subid.so and alice has a sub-user bob, then alice can ‘su bob’ without having to enter a password. The module is, however, somewhat incomplete, and suggestions/patches are quite welcome.
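Because a sufficient entry ends the auth stack on success, it is worth checking which services carry pam_subid.so and which modules they stop consulting. The following audit sketch is an added example, not part of the toolkit; the sample file contents are constructed and the names parse_pam and audit_subid are hypothetical.

```python
import re

# Constructed sample of an /etc/pam.d/su file (not shipped with the toolkit).
SAMPLE_SU = """\
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_subid.so
auth       required     pam_unix.so
account    required     pam_unix.so
session    required     pam_unix.so
"""

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam(text):
    """Yield (type, control, module) for each rule in a pam.d service file."""
    text = text.replace("\\\n", " ")            # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        m = RULE.match(line)
        if m:                                   # @include lines do not match
            yield m.group(1).lstrip("-"), m.group(2), m.group(3)

def audit_subid(service, text, module="pam_subid.so"):
    """Return (service, control, skipped) for each auth rule using the module.

    skipped lists the auth modules placed after a 'sufficient' entry: these
    are not consulted when the subuser check succeeds.
    """
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    findings = []
    for i, (_, control, mod) in enumerate(auth):
        if mod.rsplit("/", 1)[-1] != module:    # accept absolute module paths
            continue
        skipped = [m for _, _, m in auth[i + 1:]] if control == "sufficient" else []
        findings.append((service, control, skipped))
    return findings

if __name__ == "__main__":
    for service, control, skipped in audit_subid("su", SAMPLE_SU):
        print(f"{service}: pam_subid.so control={control} skips={skipped}")
```

To audit a real host, call audit_subid once per file in /etc/pam.d, passing the file name as the service.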
Documentation
- subuseradd(1) .html .ps .pdf
- subuserdel(1) .html .ps .pdf
- subusersu(1) .html .ps .pdf
- subusersudo(1) .html .ps .pdf
- subuserchown(1) .html .ps .pdf
- subusers(5) .html .ps .pdf - a description of the file format of /etc/subusers
- subusers(7) .html .ps .pdf - an overview of the subuser toolkit
Downloads
The latest release can be downloaded from here: subid-current.tgz.