# $Id: README,v 2.47 2012/10/09 17:00:22 ksb Exp $

[You are going to need the msrc tools to build this.  It is included in
 the package "install_base". -- ksb]

Once in a while you want a mortal login to be able to take superuser
actions.  Say mount a cdrom, or start/stop their own application that
runs under a pseudo-user account.  But you really don't want to give
away a superuser shell, or even a shell as the application account.

That's where you need a program like this one.  This program is
different from:
	original op (from Tom Christiansen)
	David Koblas's version of op
	super
	sudo
	pfexec (from Sun)
	sud
	and the standard su or newgrp

But I think it is more secure and more useful than those.  See op.man,
op.html, config.html, and refs.html for details about why I continue to
support op.

The biggest win is that an auditor can (believe they) understand the
configuration file.  The simple structure and close proximity of all
the factors that make up a rule helps a lot.  I'd rather explain this
rule to an auditor than any sudoers rule:

	mount	/sbin/mount -t cd9660 -o ro,nosuid,extatt /dev/cd0 /$1 ;
		$1=^cdrom$
		groups=^packers$,^wheel$
		uid=root gid=operator

My customers like op better for the online usage help:

	$ op -l
	op mount cdrom
	op unmount cdrom
	$ op mount cdrom

Op was originally developed at Convex by Tom Christiansen, and
subsequently described in a USENIX LISA proceedings.  This version was
developed entirely from the description that was published by David
Koblas.  It has been extensively reworked by ksb to add many features
and sanity checks (op -S).

Reference on any mirror site for the source I started with.

If you use the Koblas version of op you need only check for backslash
quotes on $ in rules, and the use of his version of inline scripts.
Switching to my quoting rules ($$ -> $ from \$ -> $) is pretty easy,
and my version of the in-line script is also easy.
One other thing is that the first DEFAULT rule in access.cf applies to
any other file of rules, unless they include a DEFAULT rule.

If you want authorization as well as authentication you need to learn
about helmets and jackets.  There is a package "op-jacket" (aka
libexec/jacket) that contains some example jacket/helmet programs.
Feel free to submit yours for inclusion in the next release.

Report bugs to op at-no-spam-a-lot ksb dot npcguild dot org, please.

--
KS Braunsdorf, Oct 2012, op at ksb.nospam.npcguild.org.pinkless
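
Added example (not part of op or of ksb's distribution): a small Python
model of how the mount rule quoted above can be walked through with an
auditor. The "command ; options" split, the meaning given to $1=,
groups=, uid= and gid=, and the names parse_rule and decide are
assumptions made for this sketch; op.man remains the authority.

```python
import re

# The rule from this README. Assumed layout: "mnemonic command args ; options",
# with options separated by whitespace.
RULE = ("mount /sbin/mount -t cd9660 -o ro,nosuid,extatt /dev/cd0 /$1 ; "
        "$1=^cdrom$ groups=^packers$,^wheel$ uid=root gid=operator")


def parse_rule(text):
    """Split one rule into (mnemonic, command template, options dict)."""
    head, _, tail = text.partition(" ; ")
    mnemonic, *command = head.split()
    options = dict(opt.split("=", 1) for opt in tail.split())
    return mnemonic, command, options


def decide(rule, groups, argv):
    """Model the decision for a caller in `groups` typing `op <argv>`."""
    mnemonic, command, options = parse_rule(rule)
    if not argv or argv[0] != mnemonic:
        return False, "unknown mnemonic"
    args = argv[1:]
    # $N=regex options vet positional argument N.
    vetted = {int(k[1:]): v for k, v in options.items() if re.fullmatch(r"\$\d+", k)}
    # Model choice: every argument must be vetted, none may be missing.
    if set(range(1, len(args) + 1)) != set(vetted):
        return False, "wrong number of arguments"
    for n, pattern in vetted.items():
        value = args[n - 1]
        # Python's "$" also matches before a trailing newline, so newlines
        # are refused outright to keep "^cdrom$" meaning the whole string.
        if "\n" in value or not re.search(pattern, value):
            return False, f"${n} rejected"
    # groups= is read as a comma-separated regex list; one match suffices.
    if "groups" in options:
        patterns = options["groups"].split(",")
        if not any(re.search(p, g) for p in patterns for g in groups):
            return False, "caller's groups not authorized"
    expanded = [re.sub(r"\$(\d+)", lambda m: args[int(m.group(1)) - 1], w)
                for w in command]
    return True, {"uid": options.get("uid"), "gid": options.get("gid"),
                  "argv": expanded}


if __name__ == "__main__":
    for who, typed in [(["packers"], ["mount", "cdrom"]),
                       (["staff"], ["mount", "cdrom"]),
                       (["wheel"], ["mount", "cdrom/../etc"])]:
        print(who, typed, "->", decide(RULE, who, typed))
```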