# This file lists commands that super(1) will execute for you as root.
# See the super.tab(5) man page for information.
# Global options =========================================================
#
# Shell patterns are usually much more convenient to deal with in
# a super.tab file.
:global patterns=shell
# Limits on arguments:
## # 0 or 1 argument per command
## :global nargs=0-1
# Arguments must be simple words w/o characters that may be special to shells.
# ==> N.B. Put this *after* you change the "patterns=xxx" option
#
# The two :if lines below express the same character allow-list in whichever
# pattern syntax is active; the non-shell form spells out its anchors (^ ... $$).
# The allow-list still admits "/", "." and a leading "-", so an argument can
# be an absolute path, contain "..", or look like an option. It keeps shell
# metacharacters out; it does not make an argument safe for the command that
# receives it.
:if $PATTERNS == shell :global arg1-99="[[-/:+.,_a-zA-Z0-9]]"
:if $PATTERNS != shell :global arg1-99="^[-/:+.,_a-zA-Z0-9]*$$"
# Log super actions to a file, under uid=sysmgr. (Note that loguid has to
# be part of same :global_options entry as logfile.)
# NOTE(review): the log is only an audit trail if the users granted commands
# in this file cannot modify it; check the ownership and mode of
# /var/log/super.log.
:global logfile=/var/log/super.log loguid=sysmgr
# Mail msgs regarding super errors to user joeblow (default is no mail):
# :global mail="/usr/bin/mailx -s '*** super ***' joeblow"
# Also log via syslog (just for demonstration :-).
# :global syslog=y syslog_error=auth.local1 syslog_success="LOG_INFO | LOCAL2"
# This says the user doesn't need to re-enter password if super cmds are
# issued frequently (so that we "know" they are coming from one person).
# NOTE(review): as described, this makes the password grace period a sliding
# window: a session that keeps issuing commands is not asked again. Confirm
# the timeout value it extends in super.tab(5) and keep that value short.
:global renewtime=y
# =======================================================================
# Give access to line printer commands to some users outside office hours.
# (During office hours, the regular system manager keeps these functions.)
#
# The ranges below leave a gap from 12:00 to 13:00 and list weekdays only, so
# the lunch hour and the whole weekend count as "outside office hours".
:define OfficeHours {8:00-12:00,13:00-17:00}/{mon,tue,wed,thu,fri}
# Some line printer commands that we want to give away to certain users.
# (The asterisk in the FullPath is replaced by the command; thus
# typing super enable executes /usr/bin/enable.)
# Every name in the braces becomes a separate command that runs with the
# privileges super grants (root, per the header of this file), so add a name
# to either list only after reviewing that binary.
:define LP_commands {enable,disable,lpstat}::/usr/bin/* \
{lpadmin,lpsched,lpshut}::/usr/lib/*
# The users who can use the line printer commands, and the hosts
# from which they can use the commands:
#
:define LP_users jack@bucket jill@hill
# During non-office hours, the following people can use the LP_commands.
# (Note the use of "!time" to mean time _not_ in the $OfficeHours range.)
# NOTE(review): this entry sets no password= option, so whether a password is
# asked for depends on the global/default setting -- confirm in super.tab(5).
$LP_commands $LP_users !time~$OfficeHours
# =======================================================================
# The people who can use timeout/restart are:
#
# The list mixes two kinds of names: ":operator" and ":wheel" carry a leading
# colon (the same form the CD-ROM section of this file uses for a group), the
# rest are individual users. Anyone added to either group later inherits
# these commands without this file changing.
:define TimeoutUsers :operator :wheel gv phillips srk
# timeout and restart
timeout /usr/local/bin/timeout $TimeoutUsers \
info="Temporarily stop any processes of any user." \
password=y
# echo_nopw and echo_pw run the same /bin/echo and differ only in password=,
# i.e. they exercise the password prompt.
# NOTE(review): they look like test entries; consider dropping them from a
# production super.tab.
echo_nopw /bin/echo $TimeoutUsers \
info="echo args" \
password=n
echo_pw /bin/echo $TimeoutUsers \
info="echo args" \
password=y
# NOTE(review): unlike timeout above, restart sets no password= option and so
# falls back to the global/default behaviour -- confirm that is intended.
restart /usr/local/bin/restart $TimeoutUsers \
info="Restart a timeout'd process before the scheduled time."
# =======================================================================
# Restrictions on CD-ROM mounting:
# tas is the only user who may mount cd's on elgar; anybody in
# group xyz may mount cd's on alpha or delta; and anybody on a
# host in the netgroup "india" may mount a CD on the "india" machines.
# The entry names uid=root explicitly and sets no password= option.
# NOTE(review): the last rule grants access by host netgroup alone, to every
# user on those hosts, so netgroup membership is the whole access control
# for them; confirm where the netgroup data comes from and who can change it.
cdmount /usr/local/bin/cdmount \
uid=root \
info="Mounts a CD-ROM on /cdrom" \
tas@elgar \
:xyz@{alpha,delta} \
@+india
# Pattern-syntax demonstration: the entries below are matched with POSIX
# extended regular expressions instead of shell patterns.
# NOTE(review): the global arg1-99 allow-list near the top of this file was
# selected while patterns=shell was active, and its own N.B. says to set it
# *after* changing the patterns option; re-issue those :if lines here if
# arguments other than arg1 should stay restricted.
:global patterns=posix/extended
# user~.* matches every user name, so any user may run this entry.
# The arg1 regex has no ^/$ anchors, unlike the global regex form of the
# allow-list. NOTE(review): if super does not anchor it implicitly, arg1 would
# accept any string that merely contains a match -- confirm in super.tab(5).
posix1 /bin/echo arg1="(abc.*xyz|zyx.*abc)" user~.*
# Same entry with "/icase" added to the pattern type (presumably
# case-insensitive matching -- confirm in super.tab(5)).
:global patterns=posix/extended/icase
posix2 /bin/echo arg1="(abc.*xyz|zyx.*abc)" user~.*