2004-01-12 08:15:49 CST

sid(1) was written before the sudo(1) program entered public awareness. It is generally comparable to sudo for a user with a sudoers configuration of "ALL=(ALL) ALL" with the NOPASSWD qualifier, but with vastly extended capabilities for setting ids on the spawned process. sid is appropriate for senior administrators who frequently need access to root or arbitrary ids, who tightly control access to their logged-in sessions, and who encrypt all connections using their account passwords.

sid allows an authorized user to run programs with arbitrary settings of user and group ids, including real, effective, and authentication user ids (if auids are supported), as well as the full auxiliary group list. sid logs failed attempts to use the set-id feature via syslog.

sid does not require a password to be entered at runtime; access relies on membership in group 0 and on having a non-null password. While this makes sid useful in system administration scripts, it also raises the security sensitivity of administrators' active sessions. This places greater demands on site admins to keep their primary computers secure via autolocking screensavers or physical barriers to console access. Of course, admins who maintain root xterms, make frequent use of sudo, or set long sudo access timeouts already face this issue.

In its favor, we have twice seen either sid alone, or the combination of ssh and sid, as key players in sparing trips to the colocation facility in scenarios where sudo itself was ineffective. sid can also be used in /etc/init.d scripts and /etc/*inetd.conf to set identities in much more comprehensive fashion than sudo(1).
syntax: sid [] | [ [] ]

    : -version, -help, or -check
    : [,euser[,Auser]][:[,][.]]
    : a username or user-id
    : effective username or user-id
    : real groupname or group-id
    : effective groupname or group-id
    : period-delimited groupnames &or group-ids
    : whitespace-delimited args to be exec'd

description:

    by default : gives username, uid, groupnames, gids.

    with changed identity:
        w/ ident    : exec ${SHELL:-sh} (a default)
        w/ command  : exec command
        w/ -command : pass -command as args to ${SHELL:-sh}
                      as in: sid root.wheel -c 'cd /var/yp ; make' (for csh)
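Because access depends only on membership in group 0 and a non-null password, it is worth knowing exactly which accounts meet that rule. The following is an added audit example, not part of sid or of the original page. It assumes that group 0 membership covers both a primary gid of 0 and a supplementary listing, and that "non-null" means a non-empty hash field; all account data is constructed.

```python
# Added example: audit accounts against the access rule described above.
# Assumptions (not taken from sid's source): group 0 membership means a primary
# gid of 0 or a supplementary listing; "non-null password" means a non-empty hash.
# Constructed sample data in passwd(5), group(5) and shadow(5) formats.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:0:Bob:/home/bob:/bin/sh
carol:x:1003:100:Carol:/home/carol:/bin/sh
dave:x:1004:100:Dave:/home/dave:/bin/sh
"""
SAMPLE_GROUP = """\
wheel:*:0:root,alice,dave
users:*:100:
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:12000:0:99999:7:::
alice:$6$constructed$hash:12000:0:99999:7:::
bob::12000:0:99999:7:::
carol:$6$constructed$hash:12000:0:99999:7:::
dave:!:12000:0:99999:7:::
"""

def _rows(text):
    # Split colon-delimited records, skipping blank lines and comments.
    return [l.split(":") for l in text.splitlines() if l.strip() and not l.startswith("#")]

def group0_members(passwd, group):
    """Names whose primary gid is 0 or who are listed in a gid-0 group."""
    members = {r[0] for r in _rows(passwd) if len(r) > 3 and r[3] == "0"}
    for r in _rows(group):
        if len(r) > 3 and r[2] == "0":
            members.update(m for m in r[3].split(",") if m)
    return members

def password_state(field):
    """Classify a shadow hash field; 'locked' is reported separately for review."""
    if not field:
        return "missing" if field is None else "empty"
    return "locked" if field[0] in "!*" else "set"

def audit(passwd, group, shadow):
    """Map every group-0 account to the state of its password field."""
    hashes = {r[0]: r[1] for r in _rows(shadow) if len(r) > 1}
    return {n: password_state(hashes.get(n)) for n in sorted(group0_members(passwd, group))}

if __name__ == "__main__":
    for name, state in audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SHADOW).items():
        print(f"{name:8} group 0, password {state}")
```

Accounts reported as "set" meet both conditions under these assumptions; how sid treats a locked field is not stated on this page, so those entries need manual review.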