$Id: SUDOCONFIG,v 1.3 2003/06/23 00:41:48 hbo Exp $

Configuring Sudo for Use with Sudoscript

Configuring sudo to use sudoscript in its default mode, which means
enabling an audited root shell, is easy. Simply edit sudoers(5) to
allow the user to run sudoshell and/or ss. Something like the
following would do the trick:

fred  ALL=/usr/local/bin/sudoshell,/usr/local/bin/ss


This allows the user fred to run sudoshell and ss as root. (If you have
installed sudoscript on Linux, the paths will be in /usr/bin instead of
/usr/local/bin.)

The user would invoke sudoshell merely by typing its name, sudoshell, or
its alias, ss.

Note that the ALL above refers to the systems fred is allowed to run
ss on.  If this sudoers file is shared among many systems, you may not
want to use ALL. See the man page for sudoers(5) for details.

Non-root Usage

Configuring sudo to enable sudoscript to run as a user other than root
is slightly more complicated. An example sudoers entry would look like
this:

ethel   ALL=(oracle) /usr/local/bin/ss -u oracle,/usr/local/bin/sudoshell -u oracle

This line would let ethel run ss as oracle. The audited shell would
have the identity of the oracle user. In the example, the "(oracle)"
tells sudo to invoke ss as the user oracle. The "-u oracle" tells ss
it is running in this mode too. Ethel would invoke ss like so: ss -u oracle

If you want to run sudoshell as a user other than root, a Unix group called
'ssers' must be created. All ss users, and the users they will
become using ss, must be in this group. In our case, an example /etc/group
entry might look like this:

ssers:x:92:oracle,ethel

The GID of 92 is just an example. The important things are the name
of the group, and the group members.

After this group is added, the sudoscriptd daemon must be restarted to
ensure the permissions on /var/run/sudoscript are set with correct group
permissions.
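
One way to check the group requirement above before adding a "-u" entry to
sudoers, as an added example that is not part of sudoscript. The function
name missing_from_ssers and the sample passwd lines are made up for
illustration; the files are assumed to be in group(5) and passwd(5) format.

```shell
#!/bin/sh
# Added example, not part of sudoscript. The function name is hypothetical.
# Usage: missing_from_ssers GROUP_FILE PASSWD_FILE USER...
# Prints every USER that is not in 'ssers'. Returns 0 when all are members,
# 1 when at least one is missing, 2 when the group itself does not exist.
missing_from_ssers() {
    group_file=$1; passwd_file=$2; shift 2
    entry=$(grep '^ssers:' "$group_file") || return 2
    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    members=$(printf '%s\n' "$entry" | cut -d: -f4)
    rc=0
    for u in "$@"; do
        # Listed in the member field of the group(5) entry?
        case ",$members," in *",$u,"*) continue ;; esac
        # A user whose primary group is ssers is not listed there, so
        # compare the GID field of the passwd(5) entry as well.
        pgid=$(awk -F: -v u="$u" '$1 == u { print $4 }' "$passwd_file")
        if [ -n "$pgid" ] && [ "$pgid" = "$gid" ]; then continue; fi
        printf '%s\n' "$u"
        rc=1
    done
    return "$rc"
}

# Constructed sample data: the page's group entry plus made-up passwd lines.
demo_dir=$(mktemp -d)
printf 'ssers:x:92:oracle,ethel\n' > "$demo_dir/group"
printf '%s\n' 'oracle:x:501:500::/home/oracle:/bin/sh' \
              'ethel:x:502:100::/home/ethel:/bin/sh' \
              'fred:x:503:100::/home/fred:/bin/sh' > "$demo_dir/passwd"
if missing=$(missing_from_ssers "$demo_dir/group" "$demo_dir/passwd" ethel oracle fred); then
    echo "ethel, oracle and fred are all in ssers"
else
    echo "not in ssers:" $missing
fi
rm -rf "$demo_dir"
```

On a live system, pass /etc/group and /etc/passwd together with the invoking
user and the user named after -u in the sudoers entry.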

User Environment

Sudoscript uses the script(1) command to log activity in the
shell. This means that the shell is actually executed by script(1),
not sudoshell or sudo.  There is therefore no way to get an effect
such as that produced by "su - oracle". That is, the shell will have
the user's original environment, and not that of the oracle user.