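// This is a SAMPLE file, not to be used in real life
// and in fact if used as is, may not actually do
// what the comments say it does.
// You can change how comments etc work in this file
// with the #mode builtin macro. See the man pages
// for SUSCPP.
// This file assumes the default class is MATCH.
// It is meant to give you the idea of what is possible,
// not as a substitute for reading the manual.
//
// Format: sus configuration, preprocessed by SUSCPP (C-preprocessor-like
// #define / #if / #pushmacros directives). Every command granted below is
// run with elevated privilege, so each rule should be read as "what is the
// smallest set of argument strings this user actually needs".

//=========================================================================
// Internal macros (tune sus itself, not the policy)
//=========================================================================

// Control the resource limit for the stack size
// to 32MB
#define RLIMIT_STACK 32m

// Wait for the child process, so we can log resource usage
#define WAIT_FOR_CHILD True

// Where do we put the timestamp files (directory)
// Under /root so only root can create or back-date a timestamp
// (a writable timestamp directory would let a user extend their own TTL).
#define TIMESTAMP_DIR /root/sus
// And we want timestamps written please
#define WRITE_TIMESTAMP True

// Log via syslog please, and use these parameters
#define LOG_TO_SYSLOG True
#define LOG_FACILITY LOG_DAEMON
#define LOG_LEVEL LOG_INFO
#define LOG_IDENT sus

// Do not log to a file, but if we did, use these parameters
// (root:bin, mode 0600 -- the audit trail must not be readable or
// truncatable by the users whose commands it records)
#define LOG_TO_FILE False
#define LOG_FILE /local/log/suslog
#define LOG_OWNER root
#define LOG_GROUP bin
#define LOG_PERMS 0600

// How long to wait for a child process
#define CHILD_WAIT_TIMEOUT 900s // 15 mins
// But don't kill the child on timeout, just log it and keep waiting
// NOTE(review): with this False a long-running child is only logged,
// never terminated -- confirm that is the intended behaviour for the
// tomcat.sh start/stop rules below.
#define KILL_CHILD_ON_WAIT_TIMEOUT False

// How long do timestamps stay current
#define TIMESTAMP_TTL 300s // 5 mins

// Set the umask for the child
// 077: files created by privileged commands are not group/world readable
#define UMASK 077

// Path for the child
// The child runs privileged with this PATH, so every directory listed
// here must be owned by root and not writable by anyone else; a
// user-writable entry (e.g. /share/scripts, /share/gurus/bin) would let a
// user plant a binary that is then executed as root. Verify ownership on
// each host before deploying.
#define PATH "/share/gurus/bin:/share/sbin:/share/bin:/share/scripts:"\
"/usr/openwin/bin:/packages/cc/SUNWspro/bin:"\
"/usr/sbin:/usr/bin:/usr/ccs/bin:/usr/lib/nis:"\
"/usr/lib/nfs:/usr/proc/bin"

// We want to preserve this environment variable across
// to the child as well as the defaults.
// NOTE(review): NIS_PATH influences name-service lookups; preserving a
// user-supplied value into a privileged child lets the caller steer those
// lookups. Keep this only if the preserved variable is genuinely required.
#define ENV_PRESERVE DEFAULT_ENV_PRESERVE,MATCH(NIS_PATH=.*)

// As an aid to readability, define a macro for business hours
// Note: HOUR is defined for us by sus. Let business hours
// be from 9:00AM to 5:59PM (HOUR <= 17 includes the whole of 17:00-17:59)
#define IN_BUSINESS_HOURS HOUR >= 9 && HOUR <= 17

//=========================================================================
//=========================================================================
// I define all my users in one place, namely this section
#define gurus USER(name=user1|user2)

// Gurus can do anything they like, so make sure they have
// no restrictions.
// Booleans use the same True/False spelling as the internal macros above.
// ALLOWED_REAL_GROUPS must be a group set (ANY_GROUP), matching
// ALLOWED_EFFECTIVE_GROUPS -- it previously read ANY_USER.
#if match_class(SOURCE_USERNAME, gurus)
# define ALLOWED_REAL_USERS ANY_USER
# define ALLOWED_REAL_GROUPS ANY_GROUP
# define ALLOWED_EFFECTIVE_USERS ANY_USER
# define ALLOWED_EFFECTIVE_GROUPS ANY_GROUP
# define ALLOW_INVALID_SHELL True
# define ALLOW_LOGIN_SHELL True
#endif

// Define some sets of users we can use later.
// The default class is MATCH, so a bare regex would also work for
// matching a user, but an explicit USER class expression makes it
// unambiguous that the pattern is applied to a user name and not to
// something else that happens to contain "user5".
#define cs_support USER(name=user5|user6)

// Example of combining the USER class with the GROUP class
#define its_support USER(ingroup=GROUP(name=its-supp))

// A normal user is any user who is not a guru
// and has a home directory under /home
#define normal_user AND(NOT(gurus), USER(dir=/home/.*))

// The web area administrators (see the permission rule below)
#define web_area_admins user3

//=========================================================================
//=========================================================================
// Macros for host based stuff
// NOTE(review): whether these patterns are anchored (whole-name match)
// or may match a substring of the host name depends on how sus applies
// MATCH regexes -- check the manual; if unanchored, "web1" would also
// match "web10".
#define web_hosts web1|web2

// Example of the HOST class, just match on the name
#define cs_hosts HOST(name=.*\.(cs|itacs)\.uow\.edu\.au)

//=========================================================================
//=========================================================================
// Some examples of using filenames

// Will be used to match filenames.
// Path components are restricted to [^/\.]* so that ".." and dot-named
// directories cannot be used to step outside /web/<area>/{docs,dev}.
// This relies on realname (below) being the canonical, symlink-resolved
// path; a match on the raw argument would not give that guarantee.
#define web_areas /web/([^/\.]*|campuses/[^/\.]*)/(docs|dev)(/.*)?

// Pull out the realname to match
#define web_area_file FILE(realname=web_areas)

#define cap_area /packages/cap/bin/.*
#define cap_commands FILE(realname=cap_area)

// Users can use su to change userid, or the builtin
#define SU(x) su - x,LOGIN(x)

//=============================================================================
// Now for the permissions
//=============================================================================

// anything goes for the gurus
gurus: ANY_COMMAND

// the web area admins can do stuff with files in the
// webareas, namely control ownerships and permissions
// within constraints and can run the scripts to start/stop
// tomcat (all as root).
// NOTE(review): "chmod ANY_ARGUMENT" accepts any mode string, including
// the setuid/setgid bits and recursive flags, on whatever the web areas
// contain. If only ordinary permission changes are needed, replace
// ANY_ARGUMENT with a MATCH() of the exact mode strings required.
// The group pattern "www.*" is likewise unanchored unless sus anchors
// MATCH regexes for you.
web_area_admins@web_hosts: chown -h|-hR normal_user web_area_file, \
    chgrp MATCH(-h|-hR) www.*|its-ftp|stellent web_area_file, \
    chmod ANY_ARGUMENT web_area_file, \
    /packages/data/tomcat/devel/tomcat.sh start, \
    /packages/data/tomcat/devel/tomcat.sh stop

// Example of restricting permissions to certain times.
// This only restricts anything if sus evaluates the #if against the
// current HOUR at request time rather than once when the file is loaded.
#if IN_BUSINESS_HOURS
cs_support@cs_hosts : cap_commands
#endif

// How to let a user change to another, but only
// on a certain host
user8@host3 : SU(account1)

// This user can edit /etc/termcap
user11 : SUSEDIT("/etc/termcap")

// Silly example to show how to restrict a command
// to being run in a particular directory.
// So we can revert later, save the macro set
#pushmacros
#define IN_DIRECTORY /usr/security
user12 : ls NO_ARGUMENTS
// Note, we need to get rid of IN_DIRECTORY here
// in case there is more stuff added below.
// Just revert the macro set
#popmacros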