$Id: SUDOCONFIG,v 1.3 2003/06/23 00:41:48 hbo Exp $

Configuring Sudo for Use with Sudoscript

Configuring sudo to use sudoscript in its default mode, which means
enabling an audited root shell, is easy. Simply edit sudoers(5) to
allow the user to run sudoshell and/or ss. Something like the
following would do the trick:

fred ALL=/usr/local/bin/sudoshell,/usr/local/bin/ss

This allows the user fred to run sudoshell and ss as root. (If you have
installed sudoscript on Linux, the paths will be in /usr/bin instead of
/usr/local/bin.)

The user would invoke sudoshell merely by typing its name, sudoshell, or
its alias, ss.

Note that the ALL above refers to the systems fred is allowed to run
ss on. If this sudoers file is shared among many systems, you may not
want to use ALL. See the man page for sudoers(5) for details.

Non-root Usage

Configuring sudo to enable sudoscript to run as a user other than root
is slightly more complicated. An example sudoers entry would look like
this:

ethel ALL=(oracle) /usr/local/bin/ss -u oracle,/usr/local/bin/sudoshell -u oracle

This line would let ethel run ss as oracle. The audited shell would
have the identity of the oracle user. In the example, the "(oracle)"
tells sudo to invoke ss as the user oracle. The "-u oracle" tells ss
it is running in this mode too. Ethel would invoke ss like so:

ss -u oracle

If you want to run sudoshell as a user other than root, a Unix group called
'ssers' must be created. All ss users, and the users they will
become using ss, must be in this group. In our case, an example /etc/group
entry might look like this:

ssers:x:92:oracle,ethel

The GID of 92 is just an example. The important things are the name
of the group, and the group members.

After this group is added, the sudoscriptd daemon must be restarted to
ensure the permissions on /var/run/sudoscript are set with correct group
permissions.
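
The group requirement above can be checked before handing out a non-root
sudoers entry. The following is an added example, not part of sudoscript:
the function name check_ssers and its group-file argument are assumptions
made here, and it inspects only the member list of the 'ssers' entry, as in
the sample /etc/group line above.

```shell
#!/bin/sh
# Added example (not sudoscript code): preflight check for non-root ss use.
# The text requires a group named 'ssers' that lists both the invoking user
# and the user they will become. A user who has ssers only as a primary GID
# (via /etc/passwd) is not detected; this reads the member list only.

# check_ssers GROUP_FILE INVOKER TARGET   (hypothetical helper)
# Prints one line per problem found; returns 0 when the setup is complete.
check_ssers() {
    group_file=$1; invoker=$2; target=$3
    awk -F: -v inv="$invoker" -v tgt="$target" '
        $1 == "ssers" {
            found = 1
            # Field 4 is the comma-separated member list.
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) member[m[i]] = 1
        }
        END {
            if (!found) { print "group ssers does not exist"; exit 1 }
            if (!(inv in member)) { print inv " is not in ssers"; bad = 1 }
            if (!(tgt in member)) { print tgt " is not in ssers"; bad = 1 }
            exit bad
        }' "$group_file"
}

# Constructed sample input mirroring the /etc/group entry shown above.
sample=$(mktemp)
printf '%s\n' 'root:x:0:' 'ssers:x:92:oracle,ethel' > "$sample"

# ethel and oracle are both members, so the non-root entry can work.
check_ssers "$sample" ethel oracle && echo "ethel -> oracle: group setup ok"

# fred is allowed a root shell in sudoers but is not in ssers, so a
# "-u oracle" entry for him would still need the group change.
check_ssers "$sample" fred oracle || echo "fred -> oracle: fix group first"

rm -f "$sample"
```

On a live system, pass /etc/group as the first argument, and restart
sudoscriptd after any change to the group, as described above.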

User Environment

Sudoscript uses the script(1) command to log activity in the
shell. This means that the shell is actually executed by script(1),
not sudoshell or sudo. There is therefore no way to get an effect
such as that produced by "su - oracle". That is, the shell will have
the user's original environment, and not that of the oracle user.