sudo-users digest, Vol 1 #263 - 4 msgs
Maubert, Pierre
p-maubert at ti.com
Fri Dec 7 02:42:39 EST 2001
I have the same type of requirements on my site. The sudo'd user wanted to
be warned when somebody does sudo su - john.
We wrote a little wrapper that sends a message to the sudo'd user. It may
not address your need completely, but it can be useful.
--------------------------------------------------------------------------
#!/bin/ksh
#
# This script is a sudo wrapper; it sends mail to the people whose login
# is being used through sudo.
# Date: Sept 2001
# Author: Pierre Maubert.
SUDO_USER="$USER"        # the person running sudo
SUDOED=""                # the account being switched into
ARGS="$@"
# Strip an optional leading "-nomail" flag (and anything before it) from the
# arguments that are passed on to the real sudo.
SUDOPARAM="${ARGS##*-nomail}"

mele() {
    # Build the mail
    SUBJECT="WARNING: Your login $SUDOED, has been used by $SUDO_USER(sudo $ARGS)"
    TOLIST="$SUDOED"
    #
    MESSAGE="\n Date: `date` \n
Hostname: `hostname` \n \n
WARNING: Your login $SUDOED, has been used by $SUDO_USER with the
command \"$SUDOPARAM\" \n\n
REASON: $response\n"
    #
    # The ksh print builtin expands the \n escapes; quoting keeps the layout.
    print -- "$MESSAGE" | mailx -s "$SUBJECT" "$TOLIST"
}

# Note: this pattern matches any argument containing "su", not only su itself.
if [[ "$SUDOPARAM" = *su* ]]; then
    # Look up $USER in the password database (the exit status is not checked).
    /usr/bin/perl -e 'my($name) = (getpwnam("'"$USER"'"))[0]; exit ($name eq "");'
    read response?"Please indicate what you want to do with sudo: "
    # Split the sudo arguments into an array. This assumes "su" is the first
    # argument: array[1] is "-" or the target login, array[2] the login after "-".
    j=0
    for i in $SUDOPARAM
    do
        array[$j]=$i
        j=`expr $j + 1`
    done
    case ${array[1]} in
        "-" ) case ${array[2]} in
                  "" ) SUDOED="root" ;;
                  * ) SUDOED="${array[2]}" ;;
              esac ;;
        "" ) SUDOED="root" ;;
        * ) SUDOED="${array[1]}" ;;
    esac
    #
    # Send the mail (unless -nomail was given)
    if [[ "$ARGS" != *-nomail* ]]; then
        print "A warning message will be sent to $SUDOED \n \n"
        mele
    fi
fi
exec /tool/sudo/bin/sudo $SUDOPARAM
--------------------------------------------------------------------------
_________________________
Pierre Maubert, System Administrator
Texas Instruments France
Tel: +33 (0)4 93 22 26 81
Fax: +33(0)4 92 02 46 69
Email: Pierre Maubert <mailto:p-maubert at ti.com>
_________________________________
-----Original Message-----
From: Dana Kaempen [mailto:decay at flash.net]
Sent: Friday, December 07, 2001 12:30 AM
To: sudo-users at courtesan.com
Subject: Re: sudo-users digest, Vol 1 #263 - 4 msgs
Todd C. Miller wrote:
> In recent versions of sudo you can do the following:
>
> Defaults logfile=/var/adm/sudo.log
> Defaults:john logfile=/usr/local/log/sudo.john
> Defaults:jane logfile=/usr/local/log/sudo.jane
Well, this does work as requested. Perfectly. But upon testing, it
became clear that I requested the wrong type of logging. I'm actually
interested in logging by the sudo'd user, not the sudoer. All the root
commands I still want logged to the default of /var/adm/sudo.log; but
for specific users that we sudo *into* I'd like to log to a different
file. We may have multiple people su'ing into the same couple of users.
We want all the commands that su into a specific (non-root) user to end
up in a log file named for that specific user. I asked the wrong
question yesterday - sorry about that.
Examples:

User   Command                  Desired logfile
====   =======                  ===============
john   sudo kill 9955           /var/adm/sudo.log
john   sudo -u produser job1    /usr/local/log/produser
jane   sudo -u tester job755    /usr/local/log/tester
jane   sudo qadm -D PrdLJ4      /var/adm/sudo.log
Can this be done?
Thanks again,
Dana
--
..d..ecay
mailto:decay at flash.net
------------------------
"Keep the wheels rolling." - Anonymous traffic prophet
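The routing Dana describes above (root commands stay in /var/adm/sudo.log, everything run as another account goes to /usr/local/log/<that account>) can also be applied after the fact to a single sudo logfile, by splitting on the USER= field. The script below is an added example, not code from the thread; the sample lines are constructed to follow the layout of sudo's plain logfile, which is an assumption about the format on a given site.

```python
import re
from collections import defaultdict

# Constructed sample content in the layout of sudo's plain logfile
# ("<date> : <invoking user> : TTY=.. ; PWD=.. ; USER=<runas> ; COMMAND=..").
SAMPLE_LOG = """\
Dec  7 02:42:39 : john : TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/bin/kill 9955
Dec  7 02:43:10 : john : TTY=pts/0 ; PWD=/home/john ; USER=produser ; COMMAND=/usr/local/bin/job1
Dec  7 02:44:02 : jane : TTY=pts/1 ; PWD=/home/jane ; USER=tester ; COMMAND=/usr/local/bin/job755
Dec  7 02:45:17 : jane : TTY=pts/1 ; PWD=/home/jane ; USER=root ; COMMAND=/usr/sbin/qadm -D PrdLJ4
"""

DEFAULT_LOG = "/var/adm/sudo.log"   # where root commands stay (from the thread)
PER_USER_DIR = "/usr/local/log"     # per-runas-user files (from the thread)

LINE_RE = re.compile(
    r"^(?P<date>\S+\s+\d+\s+[\d:]+) : (?P<sudoer>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)


def parse_line(line):
    """Return the fields of one sudo logfile entry as a dict, or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def target_logfile(entry):
    """Root commands keep the default log; any other runas user gets a
    file named after the account the command was run as."""
    if entry["runas"] == "root":
        return DEFAULT_LOG
    return f"{PER_USER_DIR}/{entry['runas']}"


def route(log_text):
    """Group raw log lines by the file they belong in (nothing is dropped:
    lines that do not parse are kept with the default log)."""
    routed = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        routed[DEFAULT_LOG if entry is None else target_logfile(entry)].append(line)
    return dict(routed)


if __name__ == "__main__":
    for path, lines in sorted(route(SAMPLE_LOG).items()):
        print(f"{path}: {len(lines)} entries")
```

Keeping unparseable lines in the default log rather than discarding them matters for audit: a line the parser does not understand is exactly the one a reviewer should still be able to find.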
____________________________________________________________
sudo-users mailing list <sudo-users at courtesan.com>
For list information, options, or to unsubscribe, visit:
http://www.courtesan.com/mailman/listinfo/sudo-users