[sudo-workers] Official sudosh announcement

Doug Hanks dhanks at gmail.com
Tue Sep 21 00:11:40 EDT 2004

This is the official announcement of sudosh.


sudosh is used with sudo(8) to exec the user's shell specified in
/etc/passwd as root.  sudosh makes use of the built-in script(5)
command to log session data to syslog.

Companies that have a team of system administrators and a large number
of servers face a difficult problem:  root access.

The most common solution is to distribute the root password to the
system administrators and contain them in a wheel group.  With the
recent requirements of Sarbanes-Oxley this quickly becomes
impossible because the root password must be changed every 3 months.

The other option is to use sudo.  Sudo works great.  It's actually too
good.  This is why I created sudosh.  Sudo doesn't allow you to do
shell type things that system administrators are used to.  The
following example is a real command that is used during an AIX data

# lsdev -Cc disk | grep SSA | awk '{print $1}' | while read disk
> do
> rmdev -dl $disk
> done

This example is literally impossible to do with sudo unless you
experiment with shell escapes and figure out the entry and exit
points of where sudo needs to exist within the command line.

sudosh is very simple in design.  sudosh comes in two parts: sudosh
and sudoshd.  sudosh is the program which you call from sudo:

$ sudo sudosh

In brief, sudosh creates a secure, temporary FIFO and calls the UNIX
command script(5) giving the FIFO as the argument.  sudosh then calls
sudoshd, which is a per instance daemon that reads the FIFO and logs
the output to syslog.  The important note is that sudosh doesn't
require a daemon running all the time.  sudoshd is called on a per
instance basis.  If 5 users are using sudosh, there will be 5
instances of sudoshd.  sudosh passes command line arguments to sudoshd
so sudoshd can keep track of information such as who the user is and
where the FIFO is.

sudosh supports concurrent users without a problem.  sudoshd comes
with utilities that allow you to preview sudosh sessions and also view
the detailed output of each session.

Feedback, contributions, flames and developers are welcome.

Thank you for reading this announcement,

- Doug Hanks = dhanks(at)gmail(dot)com
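The sudosh/sudoshd split described in the announcement (a private per-session FIFO, a recorder writing into it, and a per-instance reader that turns the stream into syslog records tagged with the user and session) can be modelled in a few dozen lines. The following is an added illustration, not sudosh's own code: a plain subprocess with its stdout and stderr redirected into the FIFO stands in for script(1), the user name "alice", the session-id format and the record format are constructed for the example, and the records are collected in a list (optionally also sent to syslog's LOG_AUTH facility) so the result can be inspected.

```python
"""Model of the sudosh design: secure per-session FIFO, a command whose
output flows into it, and a per-instance reader (sudoshd) that logs it.
Added illustration only; a redirected subprocess stands in for script(1)."""
import os
import stat
import subprocess
import syslog
import tempfile
import threading
import time


def make_session_fifo():
    """Create a FIFO only its owner can reach: a private directory (0700)
    holding a FIFO (0600), verified before anyone is allowed to open it."""
    old_umask = os.umask(0o077)              # nothing group/world accessible
    try:
        tmpdir = tempfile.mkdtemp(prefix="sudosh.")
        path = os.path.join(tmpdir, "session.fifo")
        os.mkfifo(path, 0o600)
    finally:
        os.umask(old_umask)
    st = os.lstat(path)                       # lstat: never follow a symlink here
    if (not stat.S_ISFIFO(st.st_mode) or st.st_uid != os.getuid()
            or stat.S_IMODE(st.st_mode) != 0o600):
        raise RuntimeError("FIFO not as created, refusing to use it: " + path)
    return tmpdir, path


def sudoshd_reader(path, user, session_id, records, to_syslog=False):
    """The per-instance daemon: read the FIFO until EOF and emit one
    record per line of session output, tagged with user and session id."""
    with open(path, "rb") as fifo:
        for raw in fifo:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            rec = "sudosh[%s] user=%s: %s" % (session_id, user, line)  # constructed format
            records.append(rec)
            if to_syslog:
                syslog.syslog(syslog.LOG_AUTH | syslog.LOG_INFO, rec)


def run_logged_session(argv, user="alice", to_syslog=False):
    """Run argv with its output captured through the FIFO; return the
    exit status and the list of log records the reader produced."""
    tmpdir, path = make_session_fifo()
    session_id = "%d-%d" % (os.getpid(), int(time.time()))  # constructed id
    records = []
    reader = threading.Thread(
        target=sudoshd_reader, args=(path, user, session_id, records, to_syslog))
    reader.start()
    wfd = os.open(path, os.O_WRONLY)          # blocks until the reader has opened it
    try:
        # In sudosh this is where script(1) is exec'd with the FIFO as its
        # output file; here a subprocess with redirected output stands in.
        proc = subprocess.Popen(argv, stdout=wfd, stderr=subprocess.STDOUT)
    finally:
        os.close(wfd)                         # child keeps its copy; EOF when it exits
    try:
        status = proc.wait()
    finally:
        reader.join()
        os.unlink(path)
        os.rmdir(tmpdir)
    return status, records


if __name__ == "__main__":
    st, recs = run_logged_session(["sh", "-c", "echo uptime check; id >&2"])
    for r in recs:
        print(r)
    print("exit status", st)
```

Because the reader is started per session and exits at EOF, there is no long-running daemon, matching the announcement's point that sudoshd is spawned per instance; the lstat check after mkfifo is the kind of verification a setuid-adjacent tool wants before trusting a path in a temporary directory.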
