runauth

(Runs a program with a ticket and optionally a token.)

SYNOPSIS

runauth [-a] [-t] [-f srvtab] [-p principal] [-u user] [-l lifetime] [-r realm] command

REQUIREMENTS

runauth uses either ksrvtgt or kstart to obtain Kerberos tickets. It is designed to work with Kerberos v4, but can be easily changed to use Kerberos v5 by pointing it at k5start instead. For the -t option, some program to obtain AFS tokens from a ticket is needed (normally aklog or afslog). For the -u option, setuidgid from daemontools is used. To support long ticket lifetimes with kstart, a version of ps that supports the standard System V -o option is required.

The paths to all supporting programs used are set at the beginning of this script.

DESCRIPTION

This is a wrapper around ksrvtgt or kstart that obtains a ticket from a local srvtab file, optionally also obtains a token, and then runs command as a specified user (or as root if no user is given with -u), cleaning up the authentication credentials afterwards. By default this script uses ksrvtgt, so the obtained credentials are only good for five minutes.

This script depends on AFS and pubsw, and uses hard-coded paths to pubsw programs so that it has no dependencies on a properly set PATH or any local software installation. The command is run inside a PAG shell to isolate its credentials from other programs running on the same system. It is suitable for use in cron jobs or programs run infrequently from .forward or the equivalent.
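The credential-handling pattern this description relies on (a private ticket cache for the job, removed again once the job exits), as an added example in portable sh. This is not runauth's own code and calls no Kerberos or AFS program: the authenticator is passed in as a shell command string (a hypothetical stand-in for ksrvtgt or kstart) so the wrapper can be exercised on a host without Kerberos, and the PAG step, which needs AFS, is not shown. The function name run_isolated and the cache layout are this example's own choices; KRBTKFILE and KRB5CCNAME are the real Kerberos v4 and v5 cache environment variables.

```shell
#!/bin/sh
# Added example, not runauth's own code: the "private ticket cache, run the
# job, clean up" pattern the DESCRIPTION outlines, in portable sh.  No
# Kerberos or AFS program is invoked.  The authenticator is passed as a shell
# command string in $1 (a hypothetical stand-in for ksrvtgt/kstart) so the
# wrapper can be exercised on a host without Kerberos; the PAG step, which
# needs AFS, is not shown.
#
# run_isolated AUTH_CMD COMMAND [ARGS...]
#   1. Create a fresh mode-0700 directory and point the Kerberos v4
#      (KRBTKFILE) and v5 (KRB5CCNAME) cache variables at files inside it, so
#      the job's tickets neither overwrite nor get left behind in the shared
#      per-uid /tmp/tkt* or /tmp/krb5cc_* cache.
#   2. Run AUTH_CMD to populate the cache; stop there if it fails.
#   3. Run COMMAND, then remove the whole directory whether COMMAND exited
#      normally, failed, or the wrapper was interrupted by HUP/INT/TERM.
#   4. Return COMMAND's exit status (AUTH_CMD's if authentication failed).
run_isolated() {
    auth_cmd=$1
    shift
    [ $# -gt 0 ] || { echo "run_isolated: no command given" >&2; return 2; }
    # umask 077 inside the command substitution's subshell: only the cache
    # directory gets the tight mode; the caller's umask is untouched.
    cache_dir=$(umask 077 && mktemp -d "${TMPDIR:-/tmp}/runauth.XXXXXX") || return 1
    (
        # Cleanup is an EXIT trap in a subshell, so it fires on every exit
        # path and the caller's own traps are left alone.  rc preserves the
        # status of whatever caused the exit.
        trap 'rc=$?; rm -rf "$cache_dir"; exit $rc' EXIT
        trap 'exit 129' HUP
        trap 'exit 130' INT
        trap 'exit 143' TERM
        KRBTKFILE=$cache_dir/tkt
        KRB5CCNAME=FILE:$cache_dir/krb5cc
        export KRBTKFILE KRB5CCNAME
        # Authenticate into the private cache; a failure here ends the job
        # before COMMAND runs, with the authenticator's status.
        sh -c "$auth_cmd" || exit $?
        "$@"
    )
}
```

Calling it as `run_isolated 'ksrvtgt rcmd "$(hostname | cut -d. -f1)"' /usr/local/bin/check-imap` would give the job a five-minute ticket in a cache only it sees, and the job's own exit status comes back to the caller for cron to report; the EXIT trap is what makes the cleanup hold on the failure paths as well as the success path.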

OPTIONS

-a

Use kstart instead of ksrvtgt to obtain the ticket. By default, runauth uses ksrvtgt and therefore obtains a ticket with only a five-minute lifetime. This flag causes it to use kstart instead and get a ticket with a one-hour lifetime (which can be increased with the -l flag).

-f srvtab

Use srvtab as the srvtab to authenticate to Kerberos rather than the default of /etc/leland/srvtab.

-l lifetime

Obtain a ticket of lifetime lifetime (in minutes) rather than the default (with -a) of one hour. This option only makes sense in combination with -a. If lifetime is longer than 25 hours, kstart will be run in daemon mode and killed when the command exits.

-p principal

Authenticate as principal rather than the default of rcmd.machine where machine is the current host name (stripped of anything following the first period). Note that principal must use Kerberos v4 syntax, namely name.instance, and not Kerberos v5 syntax.

-r realm

Obtain tickets and tokens in the realm realm rather than the default realm.

-t

Obtain an AFS token as well as a ticket (by running aklog(1) after obtaining a ticket).

-u user

Run the actual command as the user user rather than as root. For additional security, use of this option is recommended for any command that doesn't actually have to run as root on the local machine. If this option is given, command will be run using setuidgid(8).

EXAMPLES

This command:

    runauth -t -u news /news/local/archivegroups -v

runs /news/local/archivegroups -v as the user news, after obtaining tickets and tokens using the rcmd srvtab for the current machine.

This command:

    runauth -a -l 180 -f /etc/leland/srvtab.imap -p service.imap \
        /usr/local/bin/check-imap

obtains a ticket for service.imap using /etc/leland/srvtab.imap as the srvtab, using kstart and obtaining a ticket with a three-hour lifetime, and then runs /usr/local/bin/check-imap.

FILES

/etc/leland/srvtab

The default srvtab used to obtain a ticket.

BUGS

When run with a lifetime of longer than 25 hours, at least Solaris sh prints out an extraneous message when kstart is killed after the job completes, looking like:

    193 Hangup

There seems to be no way to silence this message without rewriting this script in a saner programming language.

Getting tokens in an external realm with a lifetime of longer than 25 hours doesn't work, since kstart doesn't know how to run aklog with the right arguments currently.

The boundary at which kstart is run in daemon mode is chosen for the 25 hour default ticket lifetime at Stanford and may not be appropriate for other sites.

SEE ALSO

aklog(1), ksrvtgt(1), k5start(1), kstart(1), setuidgid(8)

runauth was tested with the afslog implementation from KTH Kerberos. setuidgid is part of daemontools, available from <http://cr.yp.to/daemontools.html>. kstart and k5start are available from <http://www.eyrie.org/~eagle/software/kstart/>.

<http://www.eyrie.org/~eagle/software/runauth/> will have the current version of this program.

AUTHOR

Russ Allbery <rra@stanford.edu>, with contributions from Carol Oliver.

COPYRIGHT AND LICENSE

Copyright 1998, 1999, 2000, 2001, 2002, 2003, 2005 Board of Trustees, Leland Stanford Jr. University.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Last spun 2022-12-12 from POD modified 2009-05-18