

sesu

In the [sesu] section, the tokens control logging on as a user other than yourself, without having to enter the password of the other user.

AlwaysTargetShell

Determines whether sesu uses the target user's shell (SysV style) or the invoker's shell (BSD style). If the value is yes, CA ControlMinder uses the target user's shell.

Valid values are yes and no.

Default: no

FilterEnv

Specifies a list of environment variables that sesu does not pass to the shell when the target user is root. Separate variable names with spaces or tabs.

No default.

old_sesu

Determines whether the old or new sesu utility is used.

Valid values include the following:

yes: Use the old sesu utility as it was in previous versions.

no: The new sesu utility calls the native su program (as defined in the SystemSu token) to ensure consistency between su and sesu. If the SystemSu token is not valid, sesu reverts to the old mechanism.

Note: If this token is set to no, the tokens Path, AlwaysTargetShell, sys_env_file, and FilterEnv are ignored.

Default: yes

Path

Specifies the value that sesu uses to set the PATH environment variable. If the token is not set, sesu does not set the PATH variable.

No default.

request_target_password

Specifies whether to request the password of the target user when the old_sesu token is set to no and the user is executing sesu for a non-root user.

Default: yes

UseStrongAuthentication

Specifies whether sesu requests that users strongly authenticate themselves by providing a one-time password.

Note: Define the authentication server in the strong_auth_server token of the strong_auth section.

Valid values: yes, no

Default: no

sys_env_file

Specifies an ASCII file containing environment variable values for the sesu session. This token is relevant only when starting sesu with the "-" parameter (sesu -). The format for each line of the file is variable = value.

Default: None (except for IBM AIX where it is /etc/environment)

SystemSu

Specifies the location of the /bin/su program. Update this token if you use a program in a location other than the default location. When sesu cannot find the authorization daemon, it executes the program specified in this token.

Note: On AIX, replace the system su binary with a symbolic link to the sesu wrapper instead of the sesu binary.

Default: /bin/su

UseInvokerPassword

Determines whether sesu requires the invokers to specify their own passwords. If the token value is no, sesu does not require any password.

Default: no
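
The token interactions described above (old_sesu = no causing Path, AlwaysTargetShell, sys_env_file, and FilterEnv to be ignored, and the documented defaults) can be checked with a small script. This is an added example, not CA ControlMinder code; it assumes the [sesu] section uses plain INI "token = value" syntax, and the function name review_sesu and the sample text are hypothetical.

```python
import configparser

# Defaults as documented on this page; None means "no default".
DEFAULTS = {
    "AlwaysTargetShell": "no", "FilterEnv": None, "old_sesu": "yes",
    "Path": None, "request_target_password": "yes",
    "UseStrongAuthentication": "no", "sys_env_file": None,
    "SystemSu": "/bin/su", "UseInvokerPassword": "no",
}
# Tokens the page says are ignored when old_sesu = no.
IGNORED_WITH_NEW_SESU = ("Path", "AlwaysTargetShell", "sys_env_file", "FilterEnv")

def review_sesu(ini_text):
    """Return (effective settings, findings) for the [sesu] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep mixed-case token names as written
    parser.read_string(ini_text)
    explicit = dict(parser["sesu"]) if parser.has_section("sesu") else {}
    eff = {**DEFAULTS, **explicit}
    findings = [f"{t}: not a [sesu] token documented on this page"
                for t in sorted(set(explicit) - set(DEFAULTS))]
    if eff["old_sesu"].lower() == "no":
        # New sesu calls the program in SystemSu; these tokens are ignored.
        findings += [f"{t}: set but ignored because old_sesu = no"
                     for t in IGNORED_WITH_NEW_SESU if t in explicit]
    else:
        if "request_target_password" in explicit:
            findings.append("request_target_password: documented only for old_sesu = no")
        if not eff["Path"]:
            findings.append("Path: not set, so sesu does not set PATH")
        if not eff["FilterEnv"]:
            findings.append("FilterEnv: no list configured for root targets")
    if eff["UseInvokerPassword"].lower() == "no":
        findings.append("UseInvokerPassword: no, invokers are not asked for their own password")
    return eff, findings

# Constructed sample, not taken from a real host.
SAMPLE = """\
[sesu]
old_sesu = no
FilterEnv = LD_PRELOAD LD_LIBRARY_PATH
Path = /usr/bin:/bin
UseInvokerPassword = yes
"""

if __name__ == "__main__":
    for note in review_sesu(SAMPLE)[1]:
        print(note)
```

The script does not verify that the SystemSu value is valid; as noted under old_sesu, an invalid SystemSu makes sesu revert to the old mechanism, in which case the flagged tokens apply again.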

More information:

sepromote Utility—Enforce Strong Authentication

strong_auth