.. and add notes about differences between the utils.
Reported-by: Lennart Poettering <lennart@poettering.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
.B runuser
does not have to be installed with suid permissions.
.PP
+If the PAM session is not required then recommended solution is to use
+.BR setpriv (1)
+command.
+.PP
When called without arguments,
.B runuser
defaults to running an interactive shell as
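Review bot: The first added line is missing an article: "then recommended solution" should read "then the recommended solution". The paragraph added for su later in this patch gives the same advice with different wording ("not required at all"); using the same sentence in both places would keep the pages consistent.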
.BR pam (8),
.BR shells (5),
.BR login.defs (5),
-.BR su (1)
+.BR su (1),
+.BR setpriv (1)
.SH HISTORY
This \fB runuser\fR command was
derived from coreutils' \fBsu\fR, which was based on an implementation by
.B su
implementations, such as support for a wheel group, have to be
configured via PAM.
+.PP
+.B su
+is mostly designed for unprivileged users, the recommended solution for
+privileged users (e.g. scripts executed by root) is to use non-suid command
+.BR runuser (1)
+that does not require authentication and provide separate PAM configuration. If
+the PAM session is not required at all then the recommend solution is to use
+command
+.BR setpriv (1).
+
.SH OPTIONS
.TP
.BR \-c , " \-\-command" = \fIcommand
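Review bot: The added paragraph cites `.BR runuser (1)`, but the SEE ALSO context line later in this patch cites `.BR runuser (8)`; the section numbers should agree. In the same paragraph, "provide separate PAM configuration" should be "provides a separate PAM configuration", "the recommend solution" should be "the recommended solution", and the comma after "unprivileged users" joins two sentences that would read better split. The bare `+` blank line before `.SH OPTIONS` can be dropped, since the section macro already supplies the spacing.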
.RE
.SH "SEE ALSO"
.BR runuser (8),
+.BR setpriv (1),
.BR pam (8),
.BR shells (5),
.BR login.defs (5)
.SH DESCRIPTION
Sets or queries various Linux privilege settings that are inherited across
.BR execve (2).
+.PP
+The difference between the commands setpriv and su (or runuser) is that setpriv does
+not use open PAM session and does not ask for password. It's simple non-suid wrapper around
+.B execve
+syscall.
.SH OPTION
.TP
.B \-\-clear\-groups
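Review bot: "does not use open PAM session" in the added DESCRIPTION text does not parse; "does not open a PAM session" looks like the intended wording. "It's simple non-suid wrapper" needs an article, and the syscall should be written `.BR execve (2)` to match the context line directly above rather than `.B execve`. Marking up su and runuser as man page references here, as the SEE ALSO additions do, would also help readers follow the comparison.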
SELinux\-confined (as this tool would do) may prevent the SELinux
restrictions from taking effect.
.SH SEE ALSO
+.BR su (1),
+.BR runuser (1),
.BR prctl (2),
.BR capability (7)
.SH AUTHOR
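Review bot: The added SEE ALSO entry `.BR runuser (1)` uses section 1, while the SEE ALSO list touched earlier in this patch has `.BR runuser (8)`. Both references should use the section the page is installed in.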