The runas.access file contains access control entries for allowing users to run a process
with a modified effective user and/or group id using runas(8).
Lines beginning with `#' are ignored. The maximum size of each field is 1024 bytes. The maximum size of a single access entry is 2048 bytes. Each access control entry is a single line of whitespace-separated fields, in the form:
basename path runuid rungid args reason accesslist
basename
A unique, alphanumeric mnemonic for each operator function.
path
The complete pathname of the program to run, as associated with the mnemonic basename. If the TIGHT_CHECKING option was defined at compile time, the file this path refers to may not be a symbolic link and may not be group- or world-writable.
runuid
The uid or user name of the user to change to before executing path. A runuid of ``null'' or ``-1'' can be specified if the effective uid of the process is to remain unchanged.
rungid
The gid or group name of the group to change to before executing path. A rungid of ``null'' or ``-1'' can be specified if the effective gid of the process is to remain unchanged.
args
Specifies whether arguments may be passed to path. The case-insensitive boolean values ``yes'' and ``no'' are valid.
reason
Specifies whether the user is prompted for a reason why basename is to be executed. The response must be more than 3 characters in length and is sent to syslogd. The case-insensitive boolean values ``yes'' and ``no'' are valid.
accesslist
A comma-separated list of uids, usernames, gids, groupnames, and/or netgroups allowed to execute path as runuid.rungid. Unless prefixed with ``-'', each comma-separated token grants access to execute path. (A ``+'' may precede each token in the accesslist to denote ``positiveness'' for clarity, but is not necessary, as this is the default access value.)
Group entries must be of the form:
+%group
The above will add an access list entry for each user listed in group to execute path while entries of the form:
-%group
will remove access list entries for executing path for the users named in group.
Netgroup entries must be of the form:
+@netgroup
The above will add an access list entry for each user listed in netgroup to execute path while entries of the form:
-@netgroup
will remove access list entries for executing path for the users named in netgroup.
Positive and negative entries can be combined in a single accesslist to provide flexibility. The example accesslist:
+@netgroup,-username
grants access to all users listed in netgroup, except username, to run path.
The example accesslist:
%group,@netgroup
grants access to all users listed in group group and netgroup netgroup to run path.
To ensure that negative entries are not removed before their counterpart positive entries are added, the accesslist is internally sorted so that all positive entries are added before any negative entries are removed.
The example runas.access entry:
* * consult staff yes no %monitor
would let users belonging to group monitor run commands as user consult and group staff.
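As an added example (not code from runas or its manual page), the following Python parses entries in this format, enforces the field and entry size limits, accepts the ``null''/``-1'' id values and case-insensitive booleans, and resolves an accesslist against a set of group and netgroup memberships, applying positive tokens before negative ones as described above. The sample file, the group and netgroup tables and the `path_is_tight` helper are constructed for illustration; a real implementation would consult the passwd database, group(5) and netgroup(5), and numeric uids or gids are passed through here unresolved.

```python
"""Parser and accesslist resolver for the runas.access(5) format.

Added example, not part of runas.  Group and netgroup membership are
supplied as plain dicts (constructed sample data) so this runs offline.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple

MAX_FIELD = 1024  # maximum size of each field, per runas.access(5)
MAX_ENTRY = 2048  # maximum size of a single access entry


@dataclass
class Entry:
    basename: str
    path: str
    runuid: Optional[str]  # None: leave the effective uid unchanged
    rungid: Optional[str]  # None: leave the effective gid unchanged
    args: bool
    reason: bool
    accesslist: List[Tuple[bool, str]]  # (grants?, token) in file order


def _parse_bool(tok: str, name: str) -> bool:
    """Case-insensitive yes/no; anything else is a configuration error."""
    low = tok.lower()
    if low == "yes":
        return True
    if low == "no":
        return False
    raise ValueError(f"{name}: expected yes or no, got {tok!r}")


def _parse_id(tok: str) -> Optional[str]:
    """``null'' or ``-1'' means the id is not changed before exec."""
    return None if tok.lower() in ("null", "-1") else tok


def parse_entry(line: str) -> Entry:
    if len(line.encode()) > MAX_ENTRY:
        raise ValueError(f"entry longer than {MAX_ENTRY} bytes")
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    if any(len(f.encode()) > MAX_FIELD for f in fields):
        raise ValueError(f"field longer than {MAX_FIELD} bytes")
    basename, path, uid, gid, args, reason, acl = fields
    tokens: List[Tuple[bool, str]] = []
    for tok in acl.split(","):
        grants = True
        if tok and tok[0] in "+-":   # optional explicit sign
            grants = tok[0] == "+"
            tok = tok[1:]
        if not tok:
            raise ValueError(f"empty accesslist token in {acl!r}")
        tokens.append((grants, tok))
    return Entry(basename, path, _parse_id(uid), _parse_id(gid),
                 _parse_bool(args, "args"), _parse_bool(reason, "reason"),
                 tokens)


def parse_file(text: str) -> List[Entry]:
    """Skip blank lines and `#' comments, parse everything else."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.append(parse_entry(line))
    return entries


def rejects(line: str) -> bool:
    """True if parse_entry refuses the line (shows the error handling)."""
    try:
        parse_entry(line)
    except ValueError:
        return True
    return False


def expand(token: str, groups: Dict[str, Sequence[str]],
           netgroups: Dict[str, Sequence[str]]) -> Set[str]:
    """Users named by one token: %group, @netgroup, or a single user."""
    if token.startswith("%"):
        return set(groups.get(token[1:], ()))
    if token.startswith("@"):
        return set(netgroups.get(token[1:], ()))
    return {token}


def allowed_users(entry: Entry, groups, netgroups) -> Set[str]:
    """Resolve an accesslist: all positive tokens are applied before any
    negative one, regardless of their order in the file."""
    users: Set[str] = set()
    for grants, tok in sorted(entry.accesslist, key=lambda t: not t[0]):
        members = expand(tok, groups, netgroups)
        users = users | members if grants else users - members
    return users


def reason_is_valid(text: str) -> bool:
    """A reason prompt answer must be more than 3 characters long."""
    return len(text) > 3


def path_is_tight(path: str) -> bool:
    """TIGHT_CHECKING: absolute, not a symlink, not group/world-writable."""
    if not os.path.isabs(path):
        return False
    st = os.lstat(path)
    return (not stat.S_ISLNK(st.st_mode)
            and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))


# Constructed sample file and membership tables, not from any real system.
SAMPLE_ACCESS = """\
# commands operators may run via runas(8)
* * consult staff yes no %monitor
tail /usr/bin/tail root null yes yes +@ops,-mallory
rotate /usr/sbin/logrotate root root no yes %wheel,@ops,-%contractors
kill /bin/kill root -1 yes no -mallory,@ops
"""
GROUPS = {"monitor": ["alice", "bob"], "wheel": ["root", "carol"],
          "contractors": ["dave", "carol"]}
NETGROUPS = {"ops": ["bob", "mallory", "dave"]}

if __name__ == "__main__":
    for e in parse_file(SAMPLE_ACCESS):
        print(f"{e.basename:7} -> {e.runuid or '(same)'}.{e.rungid or '(same)'}"
              f" users={sorted(allowed_users(e, GROUPS, NETGROUPS))}")
```

The `rotate` entry shows why the sort rule matters: carol is in both wheel and contractors, and because negatives are applied last she ends up denied; the `kill` entry lists `-mallory` before `@ops`, yet mallory is still excluded rather than re-added by the later positive token.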
See also: runas(8), syslogd(8), netgroup(5), group(5).