path: root/security/super/pkg-descr
blob: ef2e077e8f82c7d1f0ab3bda99881d4aeea1438e
Super is a setuid-root program that offers

    o  restricted setuid-root access to executables, adjustable
    on a per-program and per-user basis;

    o  a relatively secure environment for scripts, so that well-written
    scripts can be run as root (or some other uid/gid), without
    unduly compromising security.

Sample uses:
    -  to call a script that allows users to use mount(8) on
    CD-ROMs or floppy disks, but not other devices.

    -  to restrict which users, on which hosts, may execute a
    setuid-root program.

    -  to allow groups of trusted users (e.g. an "operator" group) complete
    root access to sets of selected commands such as, say, line-printer
    control commands, without giving away access to other commands,
    and with full logging of all commands used.


Super and sudo
--------------
Sudo --
    Sudo allows a permitted user to execute a command as the superuser.
    Its central design philosophy is that each user can be
    trusted when executing certain commands.  This is implemented
    by allowing each user to execute the restricted commands for
    which s/he is trusted, without giving access to other restricted commands.

Super --
    The design philosophy behind super is two-fold:
    (a) some users can be trusted when executing certain commands;
    (b) there are some commands, such as a script to mount CD-ROMs,
    which you'd like to be safely executable even by users who
    are NOT trusted.  Although setuid-root scripts are insecure,
    a good setuid-root wrapper around a sensible non-setuid script
    can be hard to break, and super provides that wrapper so that
    even a non-trusted user can use the scripts.

In the author's view, the main differences to the administrator are:

    (1) the files that specify valid user/command combinations have
    a different look and feel.

    (2) super provides a safe wrapper for scripts, so that a
    well-written script can be run safely by ordinary
    users without having to actually trust them.


-- David    (obrien@FreeBSD.org)