NAMEop - operator access
SYNOPSISop mnemonic [arg]
DESCRIPTIONThe op tool provides a flexible means for system administrators to grant trusted users access to certain root operations without having to give them full superuser privileges. Different sets of users may access different operations, and the security-related aspects of environment of each operation can be carefully controlled.
OPTIONS-V Show version number. -l List available commands. Note that this will only display commands you are permitted to run.
CONFIGURATIONConfiguration entries are read from /etc/op/op.conf and all files in lexical order from /etc/op/op.d with the extension .conf. Files must be owned by root and not have group or other permissions set. The fields of the entries in the configuration files are separated by white space. Each entry may span several lines and continues until the next alphanumeric string is found at the beginning of a lines (which is taken to be the next mnemonic or variable definition, and thus the beginning of a new entry). Comments may be embedded beginning with a # character. Each entry in the configuration files has the following form: mnemonic command [ arg ... ] ; [ option ... ] or var=value where the fields are interpreted in the following manner: var a variable name, which must be an upper case alphanumeric identifier. Variables are expanded when reading options. value the remainder of the line is taken to be the value of the variable. mnemonic a unique, alphanumeric identifier for each operator function. command the full pathname of the executable to be run by op when the associated mnemonic is chosen. arg(s) any arguments, either literal or variable, needed by command. Literal arguments are simply specified directly, like specific command options (0Gun) or files (/dev/rmt20). Variable arguments are specified here as $1, $2 ... $n; these are described more fully in the options section below. $* indicates any number trailing arguments. option(s) a set of optional parameters to specify settings or restoring for the particular mnemonic, define variable arguments specified for the command, space and are of the form keyword=value. The absence of a specific list of values separated by commas, where appropriate. There should be no white space in each element of the value string unless quoted. The keyword is any of the following types: uid Set the user id to the value specified. The value can be numeric user ID or a login name. The default is root. gid Set the group id's to the values specified. Each value can be a numeric group ID or a group name. dir Change the current working directory to the path specified. chroot Change the root directory to the path specified using chroot. umask Set the file creation umask to the octal value specified. The default is to set it to 022. groups Allow any user who belongs to a group listed here to execute this op function. The default is not to allow any specific group. Note that the user and group strings are always treated as regular expressions, meaning the user name 'a' will match *any* user with the letter A in their name. In addition, group@hostname can be used to explicitly allow access only on specific hosts. users Allow any user listed here to execute this op function. The default is to not allow any specific users. You may use the regular expression .* to indicate that all users may use this mnemonic. User expressions are in the form <user>[@<host>][/<expiry>] where <user> is a regular expression matched against the current system user, <host> is a regular expression matched against the systems hostname and <expiry> is a time in the form YYYYMMDD[hh[mm]] when that users access to the command expires. netgroups Allow any user who belongs to a netgroup listed here to execute this op function. The default is not to allow any specific netgroup. password Queries the user for a password. If there is an = part the value is the crypted password required, otherwise the users own password is asked. securid Queries the user for SecureID PIN and code. If op has been compiled without SecurID support, this option will cause the command to fail with an error message. $VAR where VAR is the name of an environment variable. The specified environment case, simply using $VAR with no = part (as in $USER) means that this environment variable is inherited unchanged from the caller's shell. If the $VAR is an assignment the environment variable is set to the specified value in the new environment. environment Disables the destruction of the users environment. help Define help for this mnemonic. Defaults to the full command. op -l will display this help when it lists the available commands. eg. help="This is some help" nolog Disables informational logging per command. Useful for cron jobs to avoid spamming the logs. Note that authentication failures and other errors will still be logged. fowners Specifies the owner and group of the target command executable as a list of regular expression in the form user:group If the executables ownership does not match, the command will not be executed. fperms As with fowners but matches against the octal permissions of the executable. xauth Attempt to propagate the X authority entry for the current display to the new users X authority file. The DISPLAY environment variable is also propagated to the new environment. The destination user is determined by first using the user specified after xauth=..., then the user specified by uid=... then finally the root user is used. $n defines the nth variable argument specified in the command arg list. The value for this type may be a comma-separated list of regular expressions using egrep(1). option defines the range of values allowed for the variable arguments A variable argument specified as a command arg but not described in the options section may take on any value. If an argument does not match any of its permitted values, then a diagnostic is printed and the command is not executed. When using '(' syntax to pass values to other options, only the next options can use values from the previous search. $* is used in the options section to place restriction on the trailing arguments specified as $* in the args section. If any of these (possibly many) arguments do not match, then a diagnostic is printed, and the command is not executed. There can also be a special entry in the file beginning at the first non-comment line that can define default values to override the builtin defaults listed here, yet still be overridden by any entry that wants to redefine any of the keyword fields described above. It should have the following format: DEFAULT keyword_option where keyword_option is a keyword=value string mentioned above under options. It should be noted that if any regular mnemonic entry defines its own option, the value given for that entry must explicitly include the item from the DEFAULT line if the default values is to be included. That is, the options definitions completely override any defaults; they do not add to them In this way, if a value specified on the DEFAULT line for users or groups (for example) needs to be "erased" without redefining new values (that is, we want no users or groups to be allowed to run the mnemonic), then the default value must be overridden with nothing (as in users=). For the users or groups fields, such a null setting has the effect of setting the list of allowable users or groups to be empty. For the other keywords ( uid, gid, dir, chroot, and umask), a null setting leaves that attribute as it is upon invocation of the op program, overriding any defaults. Another note is that if the command for a mnemonic is MAGIC_SHELL then a shell (using the users $SHELL environment variable) is created, if there are arguments in addition to the mnemonic on the command line then the shell is invoked "-c args".
EXAMPLESExample /etc/op/op.conf: # Define some users OPERATORS=(fred|barry) # Define hosts that Fred is restricted to FRED_HOSTS=(alpha|beta) # Define hosts that Barry is restricted to BARRY_HOSTS=(theta|gamma) # Define user/host access list ACCESS_LIST=fred@FRED_HOSTS|barry@BARRY_HOSTS # 'op shell' - gives user a root shell shell /bin/su -; users=ACCESS_LIST environment password help="Root shell" # 'op reboot' - reboot system reboot /sbin/reboot; users=ACCESS_LIST password help="Reboot system" # 'op shutdown <time>' - shutdown at a # certain time. Restricts argument to # valid values only shutdown /sbin/shutdown -h $1; users=ACCESS_LIST $1=(now|[0-1]?[0-9]:[0-9][0-9]|2[0-3]:[0-5][0-9]|+[0-9]+) help="Shutdown system" # Switch inetd on and off, shows complex # shell example and 'string' arguments. $1 # in this example is expanded by op inetd /bin/sh -c ' case $1 in on) /usr/sbin/inetd -s ;; off) /usr/bin/pkill inetd ;; esac '; users=ACCESS_LIST $1=on|off
FILES/etc/op/op.conf Access control description file. /etc/op/op.d/*.conf Access control description files.
SEE ALSOsudo(1), su(1), chroot(2), egrep(1)
CREDITOp: A flexible Tool for Restricted Superuser Access , originally by Tom Christiansen , CONVEX Computer Corporation, Proceedings of the Large Installation Systems Administration III Workshop . Further changes by Howard Owen , currently maintained by Alec Thomas .
BUG REPORTS TOalec@swapoff.org
COPYRIGHTS(C) Copyright 1991 by David Koblas (C) Copyright 2002-2005 by Alec Thomas OP(1)