Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002 Free Software Foundation, Inc. This file is free documentation; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. Introduction: ============= sudosh is a filter and can be used as a login shell. sudosh takes advantage of pty devices in order to sit between the user's keyboard and a program, in this case a shell. sudosh was designed specifically to be used in conjunction with sudo or by itself as a login shell.. sudosh allows the execution of a root shell with logging. Every command the user types within the root shell is logged as well as the output. How is this different than "sudo -s" or "sudo /bin/sh" ? Using "sudo -s" or other methods doesn't log commands typed to syslog. Generally the commands are logged to a file such as .sh_history and if you use a shell such as csh that doesn't support command-line logging you're out of luck. sudosh fills this gap. No matter what shell you use, all of the command lines are logged to syslog (including vi keystrokes.) Installation: ============= Compile sudosh. 1) ./configure 2) make 3) make install 4) sudosh -i Configure sudosh to be used with sudo ===================================== 1) configure /etc/sudoers to allow system administrators to execute /usr/local/bin/sudosh Example entry to /etc/sudoers: -- /etc/sudoers begin -- User_Alias ADMINS=admin1,admin2,admin3 User_Alias DBAS=dba1,dba2,dba3 Cmnd_Alias SUDOSH=/usr/local/bin/sudosh ADMINS ALL=SUDOSH DBAS ALL=(oracle)/usr/local/bin/sudosh -- /etc/sudoers end -- 2) use it. 3) Look at the results with the sudosh-replay command. Example usage to get ROOT ACCESS: -- example usage begin -- # Get access to root dhanks@linux:~> sudo sudosh Password: starting session for dhanks as root,/dev/tty3 (/bin/bash) (root-1108447320) linux:~ # id uid=0(root) gid=0(root) groups=0(root) linux:~ # exit exit dhanks@linux:~> -- example usage end -- Example usage to get ORACLE ACCESS: -- example usage begin -- # Get access to oracle dhanks@linux:~> sudo -u oracle sudosh Password: starting session for dhanks as oracle,/dev/tty3 (/bin/bash) (oracle-1108447391) oracle@linux:~> id uid=1001(oracle) gid=100(users) groups=100(users) oracle@linux:~> exit dhanks@linux:~> -- example usage end -- Configure sudosh to be used as a login shell ============================================ 1) Set the default shell to be used as a login shell. If you do not change the default value /bin/sh will be used. Use the --with-defshell option to configure to set this value. 2) If your system supports /etc/shells, add the absolute path to sudosh to the list. 3) Edit /etc/passwd and set the user's shell to the absolute path of sudosh (generally /usr/local/bin/sudosh unless you change the --prefix) How To Replay Sessions ====================== Use the "sudosh-replay" command to replay previous root sessions. To see a list of available sessions execute "sudosh-replay" by itself. -- example begin -- linux:~ # sudosh-replay Sessions stored in /var/log/sudosh: =================================== dhanks 1 session Wed Oct 20 18:39:00 2004 (ID dhanks-1098322740) Usage: sudosh-replay ID [MULTIPLIER] [MAXWAIT] Example: sudosh-replay dhanks-1098322740 1 2 linux:~ # -- example end-- As we can see there is 1 session available to view on my system at the time of writing this documentation. Use the ID to specify which session you which to replay. The ID is located in the brackets after the date string. In this case our ID is "dhanks-1098322740" To view this session just as the user typed it, execute "sudosh-replay dhanks-1098322740" To merely just output the session data and ignore the timing information, just set the multiplier to 0: "sudosh-replay dhanks-1098322740" 0 The multiplier also works to speed up the session. If you wish to speed up the session 2x, use a multiplier of 2 "sudosh-replay dhanks-1098322740" 2 If you have people that type slowly or if a user goes away from the keyboard, you don't want to sit there and wait for the output. Instead set the MAXWAIT variable. It's set to 1 by default. "sudosh-replay dhanks-1098322740" 2 .5 Basic Installation ================== These are generic installation instructions. The `configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses those values to create a `Makefile' in each directory of the package. It may also create one or more `.h' files containing system-dependent definitions. Finally, it creates a shell script `config.status' that you can run in the future to recreate the current configuration, and a file `config.log' containing compiler output (useful mainly for debugging `configure'). It can also use an optional file (typically called `config.cache' and enabled with `--cache-file=config.cache' or simply `-C') that saves the results of its tests to speed up reconfiguring. (Caching is disabled by default to prevent problems with accidental use of stale cache files.) If you need to do unusual things to compile the package, please try to figure out how `configure' could check whether to do them, and mail diffs or instructions to the address given in the `README' so they can be considered for the next release. If you are using the cache, and at some point `config.cache' contains results you don't want to keep, you may remove or edit it. The file `configure.ac' (or `configure.in') is used to create `configure' by a program called `autoconf'. You only need `configure.ac' if you want to change it or regenerate `configure' using a newer version of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type `./configure' to configure the package for your system. If you're using `csh' on an old version of System V, you might need to type `sh ./configure' instead to prevent `csh' from trying to execute `configure' itself. Running `configure' takes awhile. While running, it prints some messages telling which features it is checking for. 2. Type `make' to compile the package. 3. Optionally, type `make check' to run any self-tests that come with the package. 4. Type `make install' to install the programs and any data files and documentation. 5. You can remove the program binaries and object files from the source code directory by typing `make clean'. To also remove the files that `configure' created (so you can compile the package for a different kind of computer), type `make distclean'. There is also a `make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution. Compilers and Options ===================== Some systems require unusual options for compilation or linking that the `configure' script does not know about. Run `./configure --help' for details on some of the pertinent environment variables. You can give `configure' initial values for configuration parameters by setting variables in the command line or in the environment. Here is an example: ./configure CC=c89 CFLAGS=-O2 LIBS=-lposix *Note Defining Variables::, for more details. Compiling For Multiple Architectures ==================================== You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their own directory. To do this, you must use a version of `make' that supports the `VPATH' variable, such as GNU `make'. `cd' to the directory where you want the object files and executables to go and run the `configure' script. `configure' automatically checks for the source code in the directory that `configure' is in and in `..'. If you have to use a `make' that does not support the `VPATH' variable, you have to compile the package for one architecture at a time in the source code directory. After you have installed the package for one architecture, use `make distclean' before reconfiguring for another architecture. Installation Names ================== By default, `make install' will install the package's files in `/usr/local/bin', `/usr/local/man', etc. You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PATH'. You can specify separate installation prefixes for architecture-specific files and architecture-independent files. If you give `configure' the option `--exec-prefix=PATH', the package will use PATH as the prefix for installing programs and libraries. Documentation and other data files will still use the regular prefix. In addition, if you use an unusual directory layout you can give options like `--bindir=PATH' to specify different values for particular kinds of files. Run `configure --help' for a list of the directories you can set and what kinds of files go in them. If the package supports it, you can cause programs to be installed with an extra prefix or suffix on their names by giving `configure' the option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. Optional Features ================= Some packages pay attention to `--enable-FEATURE' options to `configure', where FEATURE indicates an optional part of the package. They may also pay attention to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' (for the X Window System). The `README' should mention any `--enable-' and `--with-' options that the package recognizes. For packages that use the X Window System, `configure' can usually find the X include and library files automatically, but if it doesn't, you can use the `configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their locations. Specifying the System Type ========================== There may be some features `configure' cannot figure out automatically, but needs to determine by the type of machine the package will run on. Usually, assuming the package is built to be run on the _same_ architectures, `configure' can figure that out, but if it prints a message saying it cannot guess the machine type, give it the `--build=TYPE' option. TYPE can either be a short name for the system type, such as `sun4', or a canonical name which has the form: CPU-COMPANY-SYSTEM where SYSTEM can have one of these forms: OS KERNEL-OS See the file `config.sub' for the possible values of each field. If `config.sub' isn't included in this package, then this package doesn't need to know the machine type. If you are _building_ compiler tools for cross-compiling, you should use the `--target=TYPE' option to select the type of system they will produce code for. If you want to _use_ a cross compiler, that generates code for a platform different from the build platform, you should specify the "host" platform (i.e., that on which the generated programs will eventually be run) with `--host=TYPE'. Sharing Defaults ================ If you want to set default values for `configure' scripts to share, you can create a site shell script called `config.site' that gives default values for variables like `CC', `cache_file', and `prefix'. `configure' looks for `PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it exists. Or, you can set the `CONFIG_SITE' environment variable to the location of the site script. A warning: not all `configure' scripts look for a site script. Defining Variables ================== Variables not defined in a site shell script can be set in the environment passed to `configure'. However, some packages may run configure again during the build, and the customized values of these variables may be lost. In order to avoid this problem, you should set them in the `configure' command line, using `VAR=value'. For example: ./configure CC=/usr/local2/bin/gcc will cause the specified gcc to be used as the C compiler (unless it is overridden in the site shell script). `configure' Invocation ====================== `configure' recognizes the following options to control how it operates. `--help' `-h' Print a summary of the options to `configure', and exit. `--version' `-V' Print the version of Autoconf used to generate the `configure' script, and exit. `--cache-file=FILE' Enable the cache: use and save the results of the tests in FILE, traditionally `config.cache'. FILE defaults to `/dev/null' to disable caching. `--config-cache' `-C' Alias for `--cache-file=config.cache'. `--quiet' `--silent' `-q' Do not print messages saying which checks are being made. To suppress all normal output, redirect it to `/dev/null' (any error messages will still be shown). `--srcdir=DIR' Look for the package's source code in directory DIR. Usually `configure' can determine that directory automatically. `configure' also accepts some other, not widely useful, options. Run `configure --help' for more details.