From 083ccc2fcc8a9adc4c5c318c70d66cea8670fb75 Mon Sep 17 00:00:00 2001 From: Jakob Kaivo Date: Mon, 1 Feb 2021 13:16:40 -0500 Subject: add some notes on configuration --- README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/README.md b/README.md index d7593e1..9430233 100644 --- a/README.md +++ b/README.md @@ -35,3 +35,26 @@ casual inspection of which accounts are allowed to elevate privileges), and is the location of all complexity. It is responsible for parsing `/etc/privexec.conf` and determining whether the given user is authorized to run the given command. + +Configuration is done via `/etc/privexec.conf`. The format is intentionally +strict. Each may be blank, a comment (beginning with a '#' character in the +first column), or a directive. Directives are of the form: + + [command] + +Where `` is one of `authorized`, `authenticate`, or `deny`; +`` is either a username or a group name prepended with ':', and +`[command]` is an optional command. Tokens must be separated by exactly one +space. Additional white space is not allowed. + +The entire configuration file is parsed whenever `privexec` invokes `check`. +Any syntax errors will result in failure. Privilege checking is performed so +as to be most restrictive. In order from least to most: + + `authorized` - The user is authorized to execute the associate command + without further interaction. + + `authenticate` - The user must authenticate themself before the command + is executed. This is handled by PAM with the service name `privexec`. + + `deny` - The user is not permitted to execute the command. -- cgit v1.2.1
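Review bot: The paragraph beginning "The entire configuration file is parsed" says checking is performed "so as to be most restrictive", but it never states the result when no directive matches the requesting user and command, nor what a directive with the optional `[command]` omitted applies to. For a privilege-elevation tool both should be documented explicitly: say whether an unmatched request is refused, and whether an omitted command means every command. The sentence "Any syntax errors will result in failure" should likewise say that failure means the request is not executed, if that is the behaviour. Smaller points in the same hunk: "Each may be blank" is missing its noun (presumably "Each line"), "the associate command" should read "the associated command", and as shown here the directive form and the sentence "Where `` is one of" have lost their placeholder names, leaving only `[command]`, so check that the placeholders survive rendering of the README.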