$Id: README,v 1.8 2004/11/15 00:26:30 hbo Exp $

Sudoscript 2.1.2

See INSTALL for installation instructions
See CHANGELOG for changes
See SUDOCONFIG for examples of how to configure sudo
See SECURITY for notes on security implications of sudoscript

Sudoscriptd/sudoshell are a pair of Perl scripts that provide an
audited shell using sudo. If you are familiar with sudo, you might
well ask "doesn't running a shell under sudo defeat the purpose of the
tool?" Yes and no. One reason for running sudo is to limit what
commands can be run by users. These scripts do indeed defeat that
purpose. Another reason to run sudo is to maintain an audit trail of
commands issued by users with root privilege or otherwise. These
scripts preserve that audit trail by logging all terminal output to
log files.

In its default mode, sudoscript enables an audited root shell. Though
giving a user an unrestricted root shell allows them to evade auditing
innocently (by running an xterm, for example) or maliciously (by
changing the root password, to give just one of way too many examples),
you may have no choice but to give your users such a shell. This may
be because they truly need the flexibility of a root shell, or just
because they think they do and can convince their managers to let them
have it. Either way, you are stuck with losing your audit trail or
using something like this tool.

In another mode, sudoscript allows an audited shell as some user other
than root. Though the implications for system security are less
severe than with a root shell, there are still ways for a user to evade
sudoscript's audit trail, even when not running as root. See the
SECURITY document in the distribution for details.

Sudoshell (also ss) is a small Perl script that works in conjunction
with a logging daemon, sudoscriptd, to log all activity within a
shell. It uses the Unix script(1) command to create the log.
Once invoked, all console commands and output are logged to a FIFO. The
logging daemon reads from this FIFO and manages log files to store the
data produced. The logs are rotated to ensure that they do not
overflow the disk space on the logging partition. The daemon is split
into three parts that allow tagging of each session's data with a
session ID. This means that different users' sessions can be
separated in the log file using grep.

Sudoshell checks to see if the daemon is running and offers to start
it if it is not. (It does this with sudo, so you need to have sudo
access as root to perform this step.) Sudoshell then checks to see if
it has been run with root privilege, via 'sudo sudoshell' or
otherwise, or if it has been called with a -u parameter. If not, it
reinvokes itself using sudo. The script then checks the user's SHELL
environment variable. If the value of this variable doesn't match one
of the shells listed in /etc/shells, sudoshell refuses to run. Next
the logging FIFO is checked. If it exists, sudoshell runs the script
command using the FIFO as the typescript. If it doesn't exist,
sudoshell exits.

SUDO AND SHELLS

Most root tasks can be accomplished with sudo without running a shell.
However, certain tasks, such as running privileged commands in a pipeline,
can be more difficult using sudo. Since sudo sometimes prompts for a
password (depending on how long ago the user last authenticated), you can
run into quirky situations like this:

    hbo@egbok|509> sudo ls | sudo more
    Password:Password:(enter password)
    (enter password)
    #sudoshell#
    CVS
    sudoscriptd
    sudoscriptd~
    sudoshell
    sudoshell~
    hbo@egbok|510>

In this case we get two password prompts, right on top of one another. We enter
the password for the first prompt, and sudo waits for the next one. Since
the prompt is on the preceding line, this can be very confusing.
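As an added illustration of the stacked prompts (example code written for this README, not part of sudoscript), the functions below refresh the sudo timestamp once with "sudo -v" before a pipeline runs, so the sudo processes inside it do not each stop for a password, and carry the command's output through a privileged tee, which is the form the redirection discussion below arrives at. The PRIV variable is an assumption of this example: it names the privilege wrapper, defaults to sudo, and is set to the empty string in the demo so that the functions can be exercised without any privilege.

```sh
#!/bin/sh
# Added example, not part of sudoscript. Two quirks from this section
# packaged as functions: a pipeline of several sudo commands prompts once
# per sudo, so the sudo timestamp is refreshed first with "sudo -v"; and an
# appending redirect has to be performed by a privileged tee, because
# ">>FILE" is opened by the caller's unprivileged shell before sudo runs.
# PRIV is an assumption of this example: it names the privilege wrapper,
# defaults to sudo, and may be set to the empty string to run the
# functions without any privilege (which is how the demo exercises them).

# priv CMD [ARGS...]: run one command through the privilege wrapper.
# An unquoted empty ${PRIV} expands to nothing, so CMD then runs directly.
priv() {
    ${PRIV-sudo} "$@"
}

# authenticate_once: refresh the sudo credential cache before a pipeline so
# that the several sudo processes in it do not each stop for a password on
# top of one another. A no-op when the wrapper is not sudo.
authenticate_once() {
    if [ "${PRIV-sudo}" = sudo ]; then
        sudo -v
    fi
}

# privileged_append FILE CMD [ARGS...]: run CMD privileged and append its
# output to FILE. The open(2) on FILE happens inside the privileged tee,
# not in this shell, which is why "priv CMD >>FILE" fails on a root-owned
# file and this form does not.
privileged_append() {
    file=$1
    shift
    authenticate_once || return 1
    priv "$@" | priv tee -a "$file" > /dev/null
}

# privileged_overwrite FILE CMD [ARGS...]: the ">" form, tee without -a.
privileged_overwrite() {
    file=$1
    shift
    authenticate_once || return 1
    priv "$@" | priv tee "$file" > /dev/null
}

# Constructed demonstration that runs without privilege: PRIV='' turns
# priv into a plain command runner, so the file operations are real but
# happen in a temporary directory owned by the caller.
demo() {
    PRIV=''
    dir=$(mktemp -d)
    privileged_overwrite "$dir/log" printf 'first line\n'
    privileged_append "$dir/log" printf 'second line\n'
    cat "$dir/log"
    rm -rf "$dir"
}

demo
```

With PRIV left at its default, privileged_append "/tmp/foo" ls is the "sudo ls | sudo tee -a /tmp/foo >/dev/null" idiom with the password asked for once, up front, instead of twice on one line.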

Another place sudo has difficulty is with I/O redirection:

    hbo@egbok|511 > ls -l /tmp/foo
    -r--r--r--   1 root     other       1464 Mar 25 13:10 /tmp/foo
    hbo@egbok|512 > sudo ls >>/tmp/foo
    bash: /tmp/foo: Permission denied
    hbo@egbok|513 > sudo ls | sudo cat >>/tmp/foo
    bash: /tmp/foo: Permission denied

But this works:

    hbo@egbok|514 > sudo ls | sudo tee -a /tmp/foo >/dev/null

It's not very intuitive, however.

The problem occurs because the shell implements I/O redirection
before it invokes the command, which is sudo, NOT ls.

Globbing has problems for the same reason. But in this case, there's
no good workaround, short of letting the user run a shell:

    hbo@egbok|515 > mkdir fff
    hbo@egbok|516 > chmod 700 fff
    hbo@egbok|517 > touch fff/foo
    hbo@egbok|518 > sudo chown root fff
    Password:
    hbo@egbok|519 > cd fff
    bash: cd: fff: Permission denied
    hbo@egbok|520 > sudo cd fff
    sudo: cd: command not found
    hbo@egbok|521 > sudo rm fff/*
    rm: cannot remove `fff/*': No such file or directory

The cd fails because cd is a bash built-in, and sudo doesn't know anything
about it. The "globbing" fails because the shell tries to expand the
wildcard before executing the command, which is sudo, not rm.

A paper describing these difficulties and lots more is included in the
distribution. On RPM-based systems, it will show up in
/usr/share/doc/${DIST}/ along with this file. The latest version
is on the web at http://www.egbok.com/sudoscript/PORCMOLSULB.html.

The latest version of the distribution is at http://www.egbok.com/sudoscript.
You may contact the author, Howard Owen, at hbo@egbok.com.
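The logging mechanism described at the top of this file (script(1) output arriving on a FIFO, a reader tagging each session's data with a session ID, rotation so the logging partition does not fill, and grep to separate sessions) is sketched below in POSIX shell as an added example. It is not sudoscriptd's own Perl code; the "user[session] " line prefix, the function names and the size limit are assumptions made for the example, not sudoscript's log format.

```sh
#!/bin/sh
# Added example, not sudoscriptd's own Perl code: the logging side of this
# README sketched in POSIX shell. Output from script(1) arrives on a FIFO;
# a reader tags every line with the user and a session id so sessions can
# be separated with grep later, and size-based rotation keeps the log from
# filling the logging partition. The "user[session] " line prefix, the
# function names and the size limit are assumptions, not sudoscript's format.

# tag_session USER SESSION_ID: prefix each stdin line with "USER[SESSION_ID] ".
# IFS= and -r keep leading blanks and backslashes of the terminal output intact.
tag_session() {
    user=$1
    sid=$2
    while IFS= read -r line; do
        printf '%s[%s] %s\n' "$user" "$sid" "$line"
    done
}

# log_from_fifo FIFO USER SESSION_ID LOG: what a reader process does for one
# session: block on the FIFO, tag what comes through, append it to LOG.
log_from_fifo() {
    tag_session "$2" "$3" < "$1" >> "$4"
}

# file_size FILE: size in bytes, 0 if FILE does not exist (avoids stat(1)
# flags, which differ between systems).
file_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# rotate_if_needed LOG MAXBYTES: once LOG is larger than MAXBYTES, shift
# LOG.1 to LOG.2, LOG to LOG.1, and start an empty LOG. Only two old
# generations are kept, which is what bounds the space used.
rotate_if_needed() {
    log=$1
    max=$2
    if [ "$(file_size "$log")" -gt "$max" ]; then
        if [ -f "$log.1" ]; then
            mv "$log.1" "$log.2"
        fi
        mv "$log" "$log.1"
        : > "$log"
    fi
}

# session_lines LOG USER SESSION_ID: pull one session back out of the
# combined log; this is the grep separation the README refers to.
session_lines() {
    grep -F "$2[$3] " "$1"
}

# Constructed demonstration: two sessions share one log (a regular file
# stands in for the FIFO), one session is extracted, then the log rotates.
demo() {
    dir=$(mktemp -d)
    printf 'whoami\nroot\n' > "$dir/session1"
    printf 'id\nuid=0(root) gid=0(root)\n' > "$dir/session2"
    log_from_fifo "$dir/session1" alice 1001 "$dir/sudoscript.log"
    log_from_fifo "$dir/session2" bob 1002 "$dir/sudoscript.log"
    session_lines "$dir/sudoscript.log" bob 1002
    rotate_if_needed "$dir/sudoscript.log" 16
    ls "$dir"
    rm -rf "$dir"
}

demo
```

A real reader would call log_from_fifo on the FIFO that sudoshell hands to script(1) and call rotate_if_needed between sessions; the demo substitutes regular files so it runs anywhere.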