$Id: SUDOCONFIG,v 1.3 2003/06/23 00:41:48 hbo Exp $

Configuring Sudo for Use with Sudoscript

Configuring sudo to use sudoscript in its default mode, which means enabling an audited root shell, is easy. Simply edit sudoers(5) to allow the user to run sudoshell and/or ss. Something like the following would do the trick:

    fred ALL=/usr/local/bin/sudoshell,/usr/local/bin/ss

This allows the user fred to run sudoshell and ss as root. (If you have installed sudoscript on Linux, the paths will be in /usr/bin instead of /usr/local/bin.) The user would invoke sudoshell merely by typing its name, sudoshell, or its alias, ss.

Note that the ALL above refers to the systems fred is allowed to run ss on. If this sudoers file is shared among many systems, you may not want to use ALL. See the man page for sudoers(5) for details.

Non-root Usage

Configuring sudo to enable sudoscript to run as a user other than root is slightly more complicated. An example sudoers entry would look like this:

    ethel ALL=(oracle) /usr/local/bin/ss -u oracle,/usr/local/bin/sudoshell -u oracle

This line would let ethel run ss as oracle. The audited shell would have the identity of the oracle user. In the example, the "(oracle)" tells sudo to invoke ss as the user oracle. The "-u oracle" tells ss it is running in this mode too. Ethel would invoke ss like so:

    ss -u oracle

If you want to run sudoshell as a user other than root, a Unix group called 'ssers' must be created. All ss users, and the users they will become using ss, must be in this group. In our case, an example /etc/group entry might look like this:

    ssers:x:92:oracle,ethel

The GID of 92 is just an example. The important things are the name of the group and the group members. After this group is added, the sudoscriptd daemon must be restarted to ensure the permissions on /var/run/sudoscript are set with the correct group permissions.

User Environment

Sudoscript uses the script(1) command to log activity in the shell. This means that the shell is actually executed by script(1), not by sudoshell or sudo. There is therefore no way to get an effect such as that produced by "su - oracle". That is, the shell will have the user's original environment, and not that of the oracle user.
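The non-root setup above has two halves that must agree: the sudoers grant naming a target user, and 'ssers' group membership for both the invoker and that target. The following shell script is an added example, not part of sudoscript, that cross-checks the two from copies of the files (or from the constructed samples at the bottom); the user names and the GID 26 in the samples are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of sudoscript: verify that every sudoers grant of the
# form "user ALL=(target) /usr/local/bin/ss -u target,..." is backed by
# membership of BOTH user and target in the 'ssers' group, as non-root use of
# sudoshell/ss requires. Both files are passed as arguments, so the check runs
# against copies rather than the live /etc/sudoers and /etc/group.

# Print the members of group $2 listed in group file $1, one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1" | tr ',' '\n'
}

# Succeed if user $3 is a member of group $2 in group file $1.
in_group() {
    group_members "$1" "$2" | grep -qxF -- "$3"
}

# For each "(target) ... -u" grant in sudoers file $1, report whether the
# invoker and the target are both in 'ssers' (group file $2).
# Returns 1 if any grant is not backed by the group.
check_ss_grants() {
    rc=0
    while read -r invoker target; do
        [ -n "$invoker" ] || continue
        missing=""
        for u in "$invoker" "$target"; do
            in_group "$2" ssers "$u" || missing="$missing $u"
        done
        if [ -z "$missing" ]; then
            echo "$invoker -> $target: OK"
        else
            echo "$invoker -> $target: not in ssers:$missing"
            rc=1
        fi
    done <<EOF
$(sed -n 's/^\([^#][^[:space:]]*\)[[:space:]]*[^=]*=(\([^)]*\)).* -u .*/\1 \2/p' "$1")
EOF
    return $rc
}

# Constructed sample files (not from a real system) for a stand-alone run.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
fred ALL=/usr/local/bin/sudoshell,/usr/local/bin/ss
ethel ALL=(oracle) /usr/local/bin/ss -u oracle,/usr/local/bin/sudoshell -u oracle
lucy ALL=(postgres) /usr/local/bin/ss -u postgres
EOF
printf 'ssers:x:92:oracle,ethel\npostgres:x:26:\n' > "$SAMPLE_DIR/group"
check_ss_grants "$SAMPLE_DIR/sudoers" "$SAMPLE_DIR/group" || echo "some ss grants are not backed by the ssers group"
```

The root-only grant for fred is skipped, since it names no target user and needs no group; only "(target)" grants are checked.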