# $Id: sudoscript.pod,v 1.1 2003/06/04 04:49:04 hbo Exp $
=pod

=head1 NAME

sudoscript - a system for audited shells with C<sudo(8)> and C<script(1)>

=head1 DESCRIPTION

C<sudoscript> is a system that audits a shell run under C<sudo(8)>. It does this
using the venerable Unix command C<script(1)>. The system consists of two
Perl scripts and one Perl module. The front-end script is called C<sudoshell(1)>
(also C<ss(1)>). The back-end script is C<sudoscriptd(8)>. The Perl module is
C<Sudoscript(3pm)>. Each of these has its own man page, which a system
administrator should read before implementing C<sudoscript>.
This man page describes where to get more information about sudoscript.

=head1 DOCUMENTATION

C<sudoscript> comes with documentation that is helpful for system administrators
who are deploying the system. On Linux, this documentation is in
/usr/share/doc/sudoscript-${VERSION}. On all other platforms the documentation is
in /usr/local/doc/sudoscript-${VERSION}. In each case, "${VERSION}" is replaced with the
version of sudoscript.

=head2 SECURITY

C<sudoscript> cannot prevent a user from evading the audit trail it provides,
especially when it is used to enable a root shell. This is true even if the user is
not root. The file SECURITY in the distribution and in the documentation directory
describes this in detail. It should be mandatory reading before any attempt is made
to deploy C<sudoscript>.

=head2 INSTALLATION

The steps required to install sudoscript are documented in the INSTALL file in
the distribution and in the documentation directory.

=head2 CONFIGURATION

Given some configuration of the C<sudoers(5)> file, C<sudoscript> can enable
a root shell, or a shell as some other user. The details of how to go about this
are in the file SUDOCONFIG in the distribution and in the documentation directory.

=head2 README

A description of sudoscript that goes into more detail than this man page can be
found in the README file in the distribution and in the documentation directory.

=head2 PORCMOLSULB

The paper "The Problem of PORCMOLSULB: Can Root be Controlled in Engineering
Environments?" is included in the distribution and in the documentation directory. This
paper describes the events that led up to writing C<sudoscript>, and gives some
idea of why I consider the system useful.

=head2 PORTING

Some thoughts about how to go about porting C<sudoscript> to a new Unix platform
are given in the PORTING file in the distribution and in the documentation directory.

=head2 WEB SITE

The C<sudoscript> web site is at C<http://www.egbok.com/sudoscript>. New versions
are released there first, before they hit SourceForge or Freshmeat.

=head1 PLATFORMS

C<sudoscript> currently runs on the following platforms:

=over 4

=item C<Linux>

Tested on Red Hat 6.2 through 9, and Debian Woody.

=item C<Solaris>

Latest version tested on Solaris 9/Intel. Earlier versions were tested on
Solaris 7 and 8/Sparc and Solaris 8/Intel.

=item C<FreeBSD>

Tested on FreeBSD 4.3.

=item C<OpenBSD>

Tested on version 3.3.

=item C<HP-UX>

Tested on version 11 by Donny Jekels.

=back

=head1 SEE ALSO

sudoscriptd(8)

sudoshell(1)

Sudoscript(3pm)

sudo(8)

sudoers(5)

http://www.egbok.com/sudoscript

=head1 AUTHOR

Howard Owen, E<lt>hbo@egbok.comE<gt>

=head1 COPYRIGHT AND LICENSE

Copyright 2003 by Howard Owen

sudoscript is free software; you can redistribute it and/or modify
it under the same terms as Perl itself.

"The Problem of PORCMOLSULB" was originally published in the August 2002
issue of ;login:. The paper is distributed under a Creative Commons license, which
may be viewed at L<http://creativecommons.org/licenses/by-sa/1.0/>.

=cut