SUDOSHELL(1)	      User Contributed Perl Documentation	  SUDOSHELL(1)

NAME
	 sudoshell, ss - Run a shell with logging

SYNOPSIS
       sudoshell|ss [-]	[-u|--user username]

VERSION
       This manpage documents version 2.1.2 of sudoshell.

DESCRIPTION
       sudoshell runs the script(1) command with a FIFO as the typescript
       file. Used in conjunction with sudoscriptd(8) and sudo(8), it provides
       a way to maintain the sudo audit trail while running an interactive
       shell.

README
       sudo is a tool for running programs with privileges other than those
       normally possessed by the user. Often the privileges are those of the
       root account, but they could as well be those of any other user. One
       of sudo's major benefits is the audit trail it provides, as it logs
       each invocation with the command name, its arguments and the user who
       ran it. Because this audit trail is lost once a user runs a shell
       (e.g. bash or csh) under sudo, many sites configure sudo to disallow
       such usage. Since that restriction causes problems of its own (see
       "SUDO AND SHELLS"), many users prefer to keep the root password
       instead, even if it means forgoing support. That outcome also loses
       the audit trail, while increasing the chances that an unmanaged system
       will become a support problem later.

       Sudoshell is a small Perl script that works in conjunction with a
       logging daemon (see sudoscriptd(8)) to log all activity within a
       shell. It uses the unix script(1) command to create the log. Once
       invoked, all console commands and output are logged to a fifo. The
       logging daemon reads from this fifo and manages the log files that
       store the data produced. The logs are rotated to ensure that they do
       not overflow the disk space on the logging partition. Note that
       everything the terminal displays during the session, the commands as
       echoed and all of their output, ends up in the log, so a key or
       password that is displayed in the shell is in the log too; the log
       files need protecting accordingly.

       When started, sudoshell checks to see if sudoscriptd(8) is running and
       offers to start it if it is not. (It does this with sudo, so you need
       sudo root access to perform this step. See CONFIGURATION below.)
       Sudoshell then checks whether it is already running as the correct
       user (root, or the user named with the -u switch; see below), whether
       via 'sudo sudoshell' or otherwise. If not, it reinvokes itself using
       sudo. The script then determines the user's shell. If the SHELL
       environment variable is set, sudoshell uses that; otherwise the shell
       entry from the passwd file is used. If the value thus obtained does
       not match one of the shells listed in /etc/shells, sudoshell refuses
       to run. Because SHELL comes from the caller's environment, this
       /etc/shells check is what stops an arbitrary program from being
       launched as the target user in place of a shell. Finally, sudoshell
       execs script(1), pointing its output at the logging FIFO maintained by
       sudoscriptd(8); script(1) in turn gives the user a shell as the
       desired user.
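       The shell-selection rule just described, as an added example in POSIX
       sh rather than the script's own Perl (this is not sudoshell's code).
       The shells and passwd files it checks against are constructed by
       make_fixture, and the function names and parameters are this
       example's own; with no arguments it reads the real /etc/shells and
       /etc/passwd.

```shell
# Added example (not part of sudoshell): pick the shell the way the text
# describes and refuse anything not on the /etc/shells allow-list.
#
# usage: resolve_shell [SHELLS_FILE] [PASSWD_FILE] [USER]
# Prints the accepted shell on stdout and returns 0, or returns 1 (refuse).
resolve_shell() {
    shells_file=${1:-/etc/shells}
    passwd_file=${2:-/etc/passwd}
    user=${3:-$(id -un)}

    if [ -n "${SHELL:-}" ]; then
        # caller-supplied value wins, exactly as sudoshell does it
        candidate=$SHELL
    else
        # seventh colon-separated field of the passwd entry is the login shell
        candidate=$(awk -F: -v u="$user" '$1 == u { print $7; exit }' "$passwd_file")
    fi
    [ -n "$candidate" ] || return 1

    # $SHELL is under the caller's control, so require a literal (-F),
    # whole-line (-x) match against the allow-list; "#" comment lines skipped.
    grep -v '^#' "$shells_file" | grep -Fqx -- "$candidate" || return 1
    printf '%s\n' "$candidate"
}

# make_fixture DIR: write constructed shells and passwd files under DIR.
# Sample data for this example only, not taken from any real system.
make_fixture() {
    printf '# allowed login shells\n/bin/sh\n/bin/bash\n' > "$1/shells"
    printf 'alice:x:1000:1000::/home/alice:/bin/sh\n' > "$1/passwd"
    printf 'bob:x:1001:1001::/home/bob:/usr/bin/zsh\n' >> "$1/passwd"
}
```

       With the fixture above, SHELL=/bin/bash is accepted, SHELL=/bin/cp is
       refused even though it is a valid program, alice with SHELL unset
       falls back to /bin/sh from her passwd entry, and bob is refused
       because /usr/bin/zsh is not listed.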

CONFIGURATION
       sudoshell uses sudo(8) to perform all its authentication and privilege
       escalation.  The sudoshell user must therefore be in the sudoers file
       (see sudoers(5)) with an entry that allows running sudoshell as the
       desired user. See the SUDOCONFIG file in the distribution for details.
       (On Linux, this will be in /usr/share/doc/sudoscript-VERSION.
       Everywhere else, it's in /usr/local/doc/sudoscript-VERSION.)

SWITCHES
       -   Like 'su -'. This switch will load the environment of the user you
           become, rather than retaining yours.

       -u <user>, --user <user>
           If this switch is given along with a username, sudoshell will ask
           sudo to give the ss user the identity of the user named with the -u
           switch. If no -u switch is given, sudoshell will ask for a root
           shell.

           Example:

           sudoshell -u oracle

           The idea of running shells as users other than root came from Donny
           Jekels.

SUDO AND SHELLS
       Most root tasks can be accomplished with sudo without running a shell.
       However certain tasks, such as running privileged commands in a
       pipeline, can be more difficult using sudo. Since sudo sometimes
       prompts for a password (depending on how long ago the user last
       authenticated) you can run into quirky situations like this:

         hbo@egbok|509> sudo ls | sudo more
         Password:Password:(enter password)
         (enter password)
         #sudoshell#
         CVS
         sudoscriptd
         sudoscriptd~
         sudoshell
         sudoshell~
         hbo@egbok|510>

       In this case we get two password prompts, right on top of one another:
       both sudo processes in the pipeline start at once and both ask. We
       enter the password for the first prompt, and the second sudo waits for
       the next one. Since its prompt is on the preceding line, this can be
       very confusing.

       Another place sudo has difficulty is with I/O redirection:

         hbo@egbok|511 > ls -l /tmp/foo
         -r--r--r--   1 root     other        1464 Mar 25 13:10 /tmp/foo
         hbo@egbok|512 > sudo ls >>/tmp/foo
         bash: /tmp/foo: Permission denied
         hbo@egbok|513 > sudo ls | sudo cat >>/tmp/foo
         bash: /tmp/foo: Permission denied

       But this works:

         hbo@egbok|514 > sudo ls | sudo tee -a /tmp/foo >/dev/null

       It's not very intuitive, however.

       The problem occurs because the shell implements I/O redirection before
       it invokes the command, which is sudo, NOT ls. The file is opened for
       appending by the unprivileged shell, which fails; tee works because
       the file is opened by tee itself, which runs as root.

       Globbing has problems for the same reason. But in this case, there's no
       good workaround, short of letting the user run a shell:

         hbo@egbok|515 > mkdir fff
         hbo@egbok|516 > chmod 700 fff
         hbo@egbok|517 > touch fff/foo
         hbo@egbok|518 > sudo chown root fff
         Password:
         hbo@egbok|519 > cd fff
         bash: cd: fff: Permission denied
         hbo@egbok|520 > sudo cd fff
         sudo: cd: command not found
         hbo@egbok|521 > sudo rm fff/*
         rm: cannot remove `fff/*': No such file or directory

       The cd fails because cd is a bash builtin, not an executable, so sudo
       has nothing to run. The "globbing" fails because the shell tries to
       expand the wildcard before executing the command, which is sudo, not
       rm; since the unprivileged shell cannot read the directory, the
       pattern matches nothing and is passed to rm literally, hence the
       "No such file" error for `fff/*'.
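       As an added example (not from the sudoscript distribution): all three
       failures come from the caller's unprivileged shell doing redirection,
       builtins and globbing before sudo ever runs, and the generic fix is to
       hand the whole command line to a shell that itself runs under sudo.
       The function names and the PRIV variable are this example's own, and
       demo works in a scratch directory it constructs itself; PRIV may be
       set empty to exercise the functions without privileges.

```shell
# Added example (not part of sudoshell): evaluate redirection, builtins and
# wildcards inside a privileged shell instead of the caller's shell.
# PRIV is the escalation prefix: "sudo" by default, or empty to run the
# same functions unprivileged (nothing below needs root in that case).
PRIV=${PRIV-sudo}

# priv_sh CMDLINE: run CMDLINE in a privileged shell, so every redirection,
# builtin (cd) and wildcard in it is evaluated with the target user's rights.
priv_sh() {
    $PRIV sh -c "$1"
}

# priv_append FILE: append stdin to a file the caller cannot write, the
# tee(1) form from the text with the echoed copy discarded.
priv_append() {
    $PRIV tee -a "$1" >/dev/null
}

# demo DIR: rebuild the text's scenario under DIR (constructed files) and run
# the working form of each failing command. Returns 0 when all succeed.
demo() {
    dir=$1
    mkdir -p "$dir/fff" && : > "$dir/fff/foo" && : > "$dir/log" || return 1
    # 1. "sudo ls >> file": the >> must belong to the privileged shell
    priv_sh "ls '$dir/fff' >> '$dir/log'" || return 1
    # 2. "sudo ls | sudo cat >> file": pipe into a privileged tee instead
    ls "$dir/fff" | priv_append "$dir/log" || return 1
    # 3. "sudo cd fff" / "sudo rm fff/*": builtin and glob evaluated inside
    #    the privileged shell, which can read the directory
    priv_sh "cd '$dir/fff' && rm ./*" || return 1
    # foo is gone and both listings of it reached the log
    [ ! -e "$dir/fff/foo" ] && grep -q '^foo$' "$dir/log"
}
```

       sudo logs the sh -c invocation together with its argument string, so
       one-liners written this way keep an audit trail. What this cannot
       capture is an interactive session, which is the gap sudoshell fills.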

BUGS
       Please let me know if you find any.

SEE ALSO
       sudoscript(8)

       sudoscriptd(8)

       Sudoscript(3pm)

       sudo(8)

       sudoers(5)

PREREQUISITES
       sudo - <http://www.courtesan.com/sudo/index.html>

OSNAMES
       "Solaris"

       "Linux"

       "OpenBSD"

       "FreeBSD"

       "HP-UX"

SCRIPT CATEGORIES
       UNIX/System_administration

CONTRIBUTORS
       The following people offered helpful advice and/or code:

          Dan Rich        (drich@emplNOoyeeSPAMs.org)
          Alex Griffiths  (dag@unifiedNOcomputingSPAM.com)
          Bruce Gray      (bruce.gray@aNOcSPAMm.org)
          Chan Wilson     (cwilson@coNrOp.sSgPi.cAoMm)
          Tommy Smith     (tsNmOith@eSaPtAeMl.net)
          Donny Jekels    (donny@jNOeSkPeAlMs.com)

AUTHOR
       Howard Owen, <hbo@egbok.com>

COPYRIGHT AND LICENSE
       Copyright 2002,2003 by Howard Owen

       sudoscript is free software; you	can redistribute it and/or modify it
       under the same terms as Perl itself.

perl v5.32.0			  2020-08-10			  SUDOSHELL(1)

<https://www.freebsd.org/cgi/man.cgi?query=sudoshell&sektion=1&manpath=FreeBSD+12.1-RELEASE+and+Ports>
