SUDOSHELL(1)
Sudoshell is a small Perl script that works in conjunction with a logging daemon (see sudoscriptd(8)) to log all activity within a shell. It uses the Unix script(1) command to create the log. Once invoked, all console commands and output are logged to a FIFO. The logging daemon reads from this FIFO and manages log files to store the data produced. The logs are rotated to ensure that they do not overflow the disk space on the logging partition.
When started, sudoshell checks whether sudoscriptd(8) is running and offers to start it if it is not. (It does this with sudo, so you need sudo root access to perform this step. See CONFIGURATION below.) Sudoshell then checks whether it has been run as the correct user (either root or some other user given with the -u switch; see below), via 'sudo sudoshell' or otherwise. If not, it reinvokes itself using sudo. The script then checks the user's shell. If the SHELL environment variable is set, sudoshell uses that. If not, the shell entry from the passwd file is used. If the value thus obtained doesn't match one of the shells listed in /etc/shells, sudoshell refuses to run. Finally, sudoshell execs script(1), pointing the output to a logging FIFO maintained by sudoscriptd(8), which gives the user a shell as the desired user.
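The shell check described above, written out as POSIX sh functions. This is an added example, not sudoshell's own Perl code: the function names and the file-path parameters (standing in for the passwd file and /etc/shells) are assumptions, and the sample passwd and shells entries are constructed.

```shell
#!/bin/sh
# Added example (not sudoshell's code): choose the shell as described above
# and refuse anything that is not an exact entry in the shells file.

# is_listed_shell CANDIDATE SHELLS_FILE -> exit status 0 if listed
is_listed_shell() {
    candidate=$1; listed_in=$2
    [ -n "$candidate" ] && [ -r "$listed_in" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac    # skip blanks and comments
        [ "$line" = "$candidate" ] && return 0      # whole-line match only
    done < "$listed_in"
    return 1
}

# passwd_shell USER PASSWD_FILE -> prints field 7 of the user's entry
passwd_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# choose_shell USER ENV_SHELL PASSWD_FILE SHELLS_FILE
# Prints the shell to hand to script(1), or fails with a message on stderr.
choose_shell() {
    user=$1; env_shell=$2; passwd_file=$3; shells_file=$4
    if [ -n "$env_shell" ]; then
        chosen=$env_shell                 # SHELL from the environment wins
    else
        chosen=$(passwd_shell "$user" "$passwd_file")
    fi
    if is_listed_shell "$chosen" "$shells_file"; then
        printf '%s\n' "$chosen"
    else
        echo "refusing to run: '$chosen' is not listed in $shells_file" >&2
        return 1
    fi
}

# Constructed sample data (not taken from a real host).
make_sample_files() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'hbo:x:1000:1000::/home/hbo:/bin/bash' \
        'svc:x:1001:1001::/home/svc:/usr/sbin/nologin' > "$1/passwd"
    printf '%s\n' '# constructed /etc/shells' '/bin/sh' '/bin/bash' > "$1/shells"
}
```

The match is whole-line, so a SHELL value such as `/bin/bash -i`, or a passwd shell that is absent from the list, is refused rather than handed to script(1).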

    hbo@egbok|509> sudo ls | sudo more
    Password:Password:(enter password)
    (enter password)
    #sudoshell#
    CVS
    sudoscriptd
    sudoscriptd~
    sudoshell
    sudoshell~
    hbo@egbok|510>

In this case we get two password prompts, right on top of one another. We enter the password for the first prompt, and sudo waits for the next one. Since the prompt is on the preceding line, this can be very confusing.
Another place sudo has difficulty is with I/O redirection:

    hbo@egbok|511 > ls -l /tmp/foo
    -r--r--r-- 1 root other 1464 Mar 25 13:10 /tmp/foo
    hbo@egbok|512 > sudo ls >>/tmp/foo
    bash: /tmp/foo: Permission denied
    hbo@egbok|513 > sudo ls | sudo cat >>/tmp/foo
    bash: /tmp/foo: Permission denied

But this works:

    hbo@egbok|514 > sudo ls | sudo tee -a /tmp/foo >/dev/null

It's not very intuitive, however.
The problem occurs because the shell implements I/O redirection before it invokes the command, which is sudo, NOT ls.
Globbing has problems for the same reason. But in this case, there's no good workaround, short of letting the user run a shell:

    hbo@egbok|515 > mkdir fff
    hbo@egbok|516 > chmod 700 fff
    hbo@egbok|517 > touch fff/foo
    hbo@egbok|518 > sudo chown root fff
    Password:
    hbo@egbok|519 > cd fff
    bash: cd: fff: Permission denied
    hbo@egbok|520 > sudo cd fff
    sudo: cd: command not found
    hbo@egbok|521 > sudo rm fff/*
    rm: cannot remove `fff/*': No such file or directory

The cd fails because cd is a bash builtin, and sudo doesn't know anything about it. The "globbing" fails because the shell tries to expand the wildcard before executing the command, which is sudo, not rm.
sudoscriptd(8)
Sudoscript(3pm)
sudo(8)
sudoers(5)
Linux
OpenBSD
FreeBSD
HP-UX

    Dan Rich (drich@emplNOoyeeSPAMs.org)
    Alex Griffiths (dag@unifiedNOcomputingSPAM.com)
    Bruce Gray (bruce.gray@aNOcSPAMm.org)
    Chan Wilson (cwilson@coNrOp.sSgPi.cAoMm)
    Tommy Smith (tsNmOith@eSaPtAeMl.net)
    Donny Jekels (donny@jNOeSkPeAlMs.com)

sudoscript is free software; you can redistribute it and/or modify it under the same terms as Perl itself.