From b529f046c9a64ac5fcfa60747af940cf972b3ebc Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Sun, 6 Nov 2011 15:56:34 -0600 Subject: Actually move the kde files that were renamed in the last commit --- doc/kdesu/index.docbook | 320 ------------------------------------------------ 1 file changed, 320 deletions(-) delete mode 100644 doc/kdesu/index.docbook (limited to 'doc/kdesu/index.docbook') diff --git a/doc/kdesu/index.docbook b/doc/kdesu/index.docbook deleted file mode 100644 index 81c71cf17..000000000 --- a/doc/kdesu/index.docbook +++ /dev/null 
@@ -1,320 +0,0 @@ - - - - - -]> - - - - -The &tdesu; handbook - - -&Geert.Jansen; &Geert.Jansen.mail; - - - - -2000 -&Geert.Jansen; - - -&FDLNotice; - -2005-06-07 -1.00.00 - - -&tdesu; is a graphical front end for the &UNIX; -su command. - - -KDE -su -password -root - - - - - -Introduction - -Welcome to &tdesu;! &tdesu; is a graphical front end for the -&UNIX; su command for the K Desktop Environment. -It allows you to run a program as different user by supplying the -password for that user. &tdesu; is an unprivileged program; it uses -the system's su. - -&tdesu; has one additional feature: it can remember passwords -for you. If you are using this feature, you only need to enter the -password once for each command. See for more information on this and a -security analysis. - -This program is meant to be started from the command line or -from .desktop files. Although it asks for the -root password using a &GUI; -dialog, I consider it to be more of a command line <-> &GUI; -glue instead of a pure &GUI; program. - - - - -Using &tdesu; - -Usage of &tdesu; is easy. The syntax is like this: - - -tdesu - - - - file - icon name - - priority - - - - -user - - -command arg1 - arg2 - - - -tdesu -&kde; Generic Options -Qt Generic Options - - -The command line options are explained below. - - - - -This specifies the program to run as root. It has to be passed -in one argument. So if, for example, you want to start a new file manager, you -would enter at the prompt: tdesu - - - -Show debug information. - - - -This option allow efficient use of &tdesu; in -.desktop files. It tells &tdesu; to examine the -file specified by file. If this file is -writable by the current user, &tdesu; will execute the command as the -current user. If it is not writable, the command is executed as user -user (defaults to root). -file is evaluated like this: if -FILE starts with a /, it is -taken as an absolute filename. Otherwise, it is taken as the name of a -global &kde; configuration file. 
For example: to configure the K display -manager, kdm, you could issue -tdesu - - - icon name -Specify icon to use in the password dialog. You may specify -just the name, without any extension. -For instance to run kfmclient and show the -&konqueror; icon in the password dialog: -tdesu kfmclient - - - - - -Do not keep the password. This disables the keep -password checkbox in the password dialog. - - - priority - -Set priority value. The priority is an arbitrary number between 0 and -100, where 100 means highest priority, and 0 means lowest. The default is -50. - - - - -Use realtime scheduling. - - - - - -Stop the tdesu daemon. See . - - - -Enable terminal output. This disables password keeping. This is -largely for debugging purposes; if you want to run a console mode app, use the -standard su instead. - - - user -While the most common use for &tdesu; is to run a command as -the superuser, you can supply any user name and the appropriate -password. - - - - - - - - -Internals - - -X authentication - -The program you execute will run under the root user id and will -generally have no authority to access your X display. &tdesu; gets -around this by adding an authentication cookie for your display to a -temporary .Xauthority file. After the command -exits, this file is removed. - -If you don't use X cookies, you are on your own. &tdesu; will -detect this and will not add a cookie but you will have to make sure -that root is allowed to access to your display. - - - - -Interface to <command>su</command> - -&tdesu; uses the sytem's su for acquiring -priviliges. In this section, I explain the details of how &tdesu; does -this. - -Because some su implementations (&ie; the one -from &RedHat;) don't want to read the password from -stdin, &tdesu; creates a pty/tty pair and executes -su with it's standard filedescriptors connected to -the tty. - -To execute the command the user selected, rather than an -interactive shell, &tdesu; uses the argument with -su. 
This argument is understood by every shell that -I know of so it should work portably. su passes -this argument to the target user's shell, and the -shell executes the program. Example command: su . - -Instead of executing the user command directly with -su, &tdesu; executes a little stub program called -tdesu_stub. This stub (running as the -target user), requests some information from &tdesu; over the pty/tty -channel (the stub's stdin and stdout) and then executes the user's -program. The information passed over is: the X display, an X -authentication cookie (if available), the PATH and the -command to run. The reason why a stub program is used is that the X -cookie is private information and therefore cannot be passed on the -command line. - - - - -Password Checking - -&tdesu; will check the password you entered and gives an error -message if it is not correct. The checking is done by executing a test -program: /bin/true. If this succeeds, the -password is assumed to be correct. - - - - -Password Keeping - -For your comfort, &tdesu; implements a keep -password feature. If you are interested in security, you -should read this paragraph. - -Allowing &tdesu; to remember passwords opens up a (small) -security hole in your system. Obviously, &tdesu; does not allow -anybody but your user id to use the passwords, but, if done without -caution, this would lowers root's security level to that of a -normal user (you). A hacker who breaks into your account, would get -root access. &tdesu; tries -to prevent this. The security scheme it uses is, in my opinion at -least, reasonably safe and is explained here. - -&tdesu; uses a daemon, called -tdesud. The daemon listens to a &UNIX; -socket in /tmp for commands. The mode of the -socket is 0600 so that only your user id can connect to it. If -password keeping is enabled, &tdesu; executes commands through this -daemon. 
It writes the command and root's password to the socket and the -daemon executes the command using su, as describe -before. After this, the command and the password are not thrown -away. Instead, they are kept for a specified amount of time. This is -the timeout value from in the control module. If another request for -the same command is coming within this time period, the client does -not have to supply the password. To keep hackers who broke into your -account from stealing passwords from the daemon (for example, by -attaching a debugger), the daemon is installed set-group-id -nogroup. This should prevent all normal users (including you) from -getting passwords from the tdesud -process. Also, the daemon sets the DISPLAY environment -variable to the value it had when it was started. The only thing a -hacker can do is execute an application on your display. - -One weak spot in this scheme is that the programs you execute -are probably not written with security in mind (like setuid -root programs). This means -that they might have buffer overruns or other problems and a hacker -could exploit those. - -The use of the password keeping feature is a tradeoff between -security and comfort. I encourage you to think it over and decide for -yourself if you want to use it or not. - - - - - -Author - -&tdesu; - -Copyright 2000 &Geert.Jansen; - -&tdesu; is written by &Geert.Jansen;. It is somewhat based on -Pietro Iglio's &tdesu;, version 0.3. Pietro and I agreed that I will -maintain this program in the future. - -The author can be reached through email at &Geert.Jansen.mail;. -Please report any bugs you find to me so that I can fix them. If you -have a suggestion, feel free to contact me. - -&underFDL; -&underArtisticLicense; - - - - - - -- cgit v1.2.1
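Review bot: Confirm that the handbook is re-added at its new path in the same commit, because the only change visible here is the removal of doc/kdesu/index.docbook (320 deletions, view limited to that path) while the subject describes a move. A delete paired with an add in one commit lets rename detection follow the file's history. In the Author section near the end of the hunk, "somewhat based on Pietro Iglio's &tdesu;, version 0.3" uses the renamed entity for the predecessor program, and the introduction still reads "for the K Desktop Environment". Both suggest a blanket substitution reached text that names other software, so check the attribution in the moved copy. Since the text is being carried over anyway, the moved copy is also the place to fix "sytem's", "priviliges" and "it's standard filedescriptors" in the su interface section, and "would lowers" and "as describe before" in Password Keeping.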