$Id: SUDOCONFIG,v 1.3 2003/06/23 00:41:48 hbo Exp $

Configuring Sudo for Use with Sudoscript

Configuring sudo to use sudoscript in its default mode, which means
enabling an audited root shell, is easy. Simply edit sudoers(5) to
allow the user to run sudoshell and/or ss. Something like the
following would do the trick:

fred  ALL=/usr/local/bin/sudoshell,/usr/local/bin/ss


This allows the user fred to run sudoshell and ss as root. (If you have
installed sudoscript on Linux, the paths will be in /usr/bin instead of
/usr/local/bin.)

The user would invoke sudoshell merely by typing its name, sudoshell, or
its alias, ss.

Note that the ALL above refers to the systems fred is allowed to run
ss on.  If this sudoers file is shared among many systems, you may not
want to use ALL. See the man page for sudoers(5) for details.

Non-root Usage

Configuring sudo to enable sudoscript to run as a user other than root
is slightly more complicated. An example sudoers entry would look like
this:

ethel   ALL=(oracle) /usr/local/bin/ss -u oracle,/usr/local/bin/sudoshell -u oracle

This line would let ethel run ss as oracle. The audited shell would
have the identity of the oracle user. In the example, the "(oracle)"
tells sudo to invoke ss as the user oracle. The "-u oracle" tells ss
it is running in this mode too. Ethel would invoke ss like so: ss -u oracle

If you want to run sudoshell as a user other than root, a Unix group called 
'ssers' must be created. All ss users, and the users they will 
become using ss, must be in this group. In our case, an example /etc/group
entry might look like this:

ssers:x:92:oracle,ethel

The GID of 92 is just an example. The important things are the name 
of the group, and the group members.

After this group is added, the sudoscriptd daemon must be restarted to
ensure the permissions on /var/run/sudoscript are set with correct group
permissions.
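
The group requirement above can be checked before restarting the daemon. This
Python check is an added example, not part of sudoscript: it lists users who
appear in "-u" sudoers entries for ss or sudoshell but are missing from ssers.
It assumes one-line sudoers entries like those in this file (no aliases,
continuation lines or %group entries) and reads only the /etc/group member
list, not primary GIDs; the lucy/postgres entry is constructed sample data.

```python
import re

# Constructed sample input mirroring the entries shown in this file.
SUDOERS = """\
fred    ALL=/usr/local/bin/sudoshell,/usr/local/bin/ss
ethel   ALL=(oracle) /usr/local/bin/ss -u oracle,/usr/local/bin/sudoshell -u oracle
lucy    ALL=(postgres) /usr/local/bin/ss -u postgres
"""
GROUP = """\
ssers:x:92:oracle,ethel
"""

# Matches ".../ss -u USER" or ".../sudoshell -u USER" and captures USER.
SS_CMD = re.compile(r"^\S*/(?:ss|sudoshell)\s+-u\s+(\S+)$")

def ssers_members(group_text, group="ssers"):
    """Return the member set of the group, or None if the group is absent."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return {m for m in fields[3].split(",") if m}
    return None

def required_members(sudoers_text):
    """Collect every invoking user and every '-u' target user."""
    needed = set()
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        user = lhs.split()[0]
        rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)  # drop the "(oracle)" part
        for cmd in rhs.split(","):
            m = SS_CMD.match(cmd.strip())
            if m:
                needed.update({user, m.group(1)})
    return needed

def missing_from_ssers(sudoers_text, group_text):
    """Users that non-root ss usage needs in ssers but /etc/group lacks."""
    members = ssers_members(group_text)
    needed = required_members(sudoers_text)
    return sorted(needed if members is None else needed - members)

if __name__ == "__main__":
    for name in missing_from_ssers(SUDOERS, GROUP):
        print(f"{name}: not in ssers")
```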

User Environment

Sudoscript uses the script(1) command to log activity in the
shell. This means that the shell is actually executed by script(1),
not sudoshell or sudo.  There is therefore no way to get an effect
such as that produced by "su - oracle". That is, the shell will have
the user's original environment, and not that of the oracle user.
