Sub-Identity Toolkit

Synopsis

The Cooperative Computing Laboratory Sub-Identity Toolkit is a set of utilities and a Pluggable Authentication Module that provides users with the ability to create sub-users of themselves. Standard Unix permissions checks prevent these subordinate users from accessing their parent user's files.

The Toolkit comes packaged with a set of five utilities and a pluggable authentication module, pam_subid.so. The utilities and their purposes are as follows:

  • subuseradd creates a named subuser of the calling user.
  • subuserdel deletes a named subuser of the calling user, optionally deleting all files owned by the subuser.
  • subusersu acts like 'su', invoking the identity of the named subuser.
  • subusersudo acts like 'sudo', running a given command as the named subuser.
  • subuserchown acts like 'chown', changing the ownership of the given files to the named subuser (or to the calling user).

The pluggable authentication module, pam_subid.so, allows programs and services (such as 'su') to check whether the named user is a subuser of the calling user and, if so, to implicitly allow the action. For example, if /etc/pam.d/su contains the line 'auth sufficient pam_subid.so' and alice has a sub-user bob, then alice can 'su bob' without having to enter a password. The module is, however, somewhat incomplete, and suggestions and patches are quite welcome.
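
Because an 'auth sufficient pam_subid.so' line lets a parent user skip the password prompt for that service, it is worth knowing exactly which services carry it. The following is an added audit sketch, not part of the Sub-Identity Toolkit; the function names are hypothetical, it assumes the standard one-rule-per-line /etc/pam.d format, and it does not follow include directives or backslash line continuations.

```shell
#!/bin/sh
# Added example: list PAM services whose auth stack references pam_subid.so.
# Usage: audit_pam_subid [pam_dir]   (default /etc/pam.d)
# Output: one line per match: "<service> <line-number> <control>"
audit_pam_subid() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v svc="$(basename "$f")" '
            /^[ \t]*#/ { next }                 # skip comment lines
            NF < 3     { next }                 # not a complete rule
            {
                type = $1; sub(/^-/, "", type)  # "-auth" only silences a missing module
                if (type != "auth") next
                ctl = $2; i = 3
                if (ctl ~ /^\[/)                # bracketed control, e.g. [success=ok default=bad]
                    while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
                mod = $i; sub(/.*\//, "", mod)  # strip directory part of the module path
                if (mod == "pam_subid.so") print svc, NR, ctl
            }' "$f"
    done
}

# Services where pam_subid.so is marked "sufficient", i.e. the configuration
# the page describes for password-less 'su' to a sub-user.
subid_passwordless_services() {
    audit_pam_subid "$1" | awk '$3 == "sufficient" { print $1 }' | sort -u
}

# When run as a script with a directory argument, print the full report.
if [ "$#" -gt 0 ]; then
    audit_pam_subid "$1"
fi
```

Any service listed here other than the ones where sub-user switching is intended (such as 'su') deserves a second look, since the module is described as incomplete.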

Documentation

Downloads

The latest release can be downloaded from here: subid-current.tgz.

Relevant publications:

This research was supported by the National Science Foundation under grant CNS05-49087.