su/runuser: don't mark --pty as experimental, add it to runuser.1 too

* let's assume that --pty is stable enough that we do not have to remove it ;-)

* add --pty to the runuser.1 man page

Addresses: https://github.com/karelzak/util-linux/issues/760
Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/login-utils/runuser.1 b/login-utils/runuser.1
index 2216722005804dbeaa4f5f9b41a42e9ac9c85b4d..e6b9a8e6bc21ee0560deb02a7a227cc8471b6e3a 100644 (file)
--- a/login-utils/runuser.1
+++ b/login-utils/runuser.1
@@ -101,6 +101,15 @@ sets argv[0] of the shell to
 in order to make the shell a login shell
 .RE
 .TP
+.BR \-P , " \-\-pty"
+Create pseudo-terminal for the session. The independent terminal provides
+better security as user does not share terminal with the original
+session.  This allow to avoid TIOCSTI ioctl terminal injection and another
+security attacks against terminal file descriptors. The all session is also
+possible to move to background (e.g. "runuser --pty -u username -- command &").
+If the pseudo-terminal is enabled then runuser command works
+as a proxy between the sessions (copy stdin and stdout).
+.TP
 .BR \-m , " \-p" , " \-\-preserve\-environment"
 Preserve the entire environment, i.e. it does not set
 .BR HOME ,

diff --git a/login-utils/su.1 b/login-utils/su.1
index 5ae6d6b2dc48ac5a425a9df2992fc0716f7645fb..f2b8fac8a9a160189d7d68f4a525316c60884993 100644 (file)
--- a/login-utils/su.1
+++ b/login-utils/su.1
@@ -115,9 +115,6 @@ security attacks against terminal file descriptors. The all session is also
 possible to move to background (e.g. "su --pty - username -c
 application &"). If the pseudo-terminal is enabled then su command works
 as a proxy between the sessions (copy stdin and stdout).
-
-This feature is EXPERIMENTAL for now and may be removed in the next releases.
-
 .TP
 .BR \-s , " \-\-shell" = \fIshell
 Run the specified \fIshell\fR instead of the default.  The shell to run is