#5 sudosh can't be used with not-root accounts

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2004-11-17
Created: 2004-10-28
Creator: vkhromov
Private: No

I use sudosh 1.4.0 with Linux RedHat 9 and have the
following problem:

=========================
$ sudo sudosh
starting session for username,/dev/pts/5 (/bin/zsh)
(username-1098957153)
# exit
$ sudo -u operator sudosh
Password:
fopen(): /var/log/sudosh/username-script-1098957016
fopen: Permission denied
$ ls -lad /var/log/sudosh
drwxr-xr-x 2 root root 4096 Oct 27 20:43 /var/log/sudosh
=========================

I don't know how, but sudosh still should use 0755 (or
even 0700) for /var/log/sudosh, but must create the files
using the root account.
Otherwise (if sudosh uses the account specified with the
"-u" option to create the log files) the user can delete
their own log files. That's wrong.
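The behaviour the report asks for, as an added example that is not sudosh's own code: create the session log while still root, as an owner-only, append-only descriptor, and only then switch to the account given with "-u". The helper names, the temporary directory and the sample file name are constructed for the illustration; check_log_open exercises the file handling without needing root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create dir/name as the caller (still root), owner-only, append-only.
 * O_EXCL refuses a file the session user pre-placed, O_NOFOLLOW refuses a
 * symlink, and O_APPEND means later writes can only add to the record. */
int open_session_log(const char *dir, const char *name)
{
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Switch to the "-u" account only after the log descriptor exists.
 * Order: supplementary groups, then gid, then uid; then confirm it stuck. */
int drop_to_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { errno = ENOENT; return -1; }
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (pw->pw_uid != 0 && (geteuid() == 0 || setuid(0) == 0)) { errno = EPERM; return -1; }
    return 0;
}

/* Self-check usable without root: in a fresh temp dir (a constructed
 * stand-in for /var/log/sudosh) the log is created 0600 with O_APPEND set,
 * and a second create of the same name is refused with EEXIST. */
int check_log_open(void)
{
    char tmpl[] = "/tmp/sudosh-log-XXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    int fd = open_session_log(tmpl, "username-script-1098957016");
    if (fd < 0) return -2;
    struct stat st;
    int ok = write(fd, "session\n", 8) == 8
          && fstat(fd, &st) == 0 && (st.st_mode & 07777) == 0600
          && (fcntl(fd, F_GETFL) & O_APPEND)
          && open_session_log(tmpl, "username-script-1098957016") == -1 && errno == EEXIST;
    close(fd);
    return ok ? 0 : -3;
}
```

A caller would run open_session_log before drop_to_user and keep writing the session through the descriptor, which the unprivileged user can neither reopen for truncation nor unlink from the 0755 root-owned directory.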

Discussion

  • Franky Van Liedekerke

    Logged In: YES
    user_id=109671

    use "chattr +a" on /var/log/sudosh, and change the sudosh
    source code to append to the logfiles:

    thus, change these lines:
    if ((fscript = fopen (lscript, "w")) == NULL
    if ((fttime = fopen (lscript, "w")) == NULL
    if ((finput = fopen (lscript, "w")) == NULL

    to:
    if ((fscript = fopen (lscript, "a")) == NULL
    if ((fttime = fopen (lscript, "a")) == NULL
    if ((finput = fopen (lscript, "a")) == NULL

    after that, users can no longer delete the logfiles (only
    append to them, as it should be)
    To rotate/delete the logfiles, you'll need a script that
    takes away the chattr attribute first ("chattr -a" on the
    directory and on the needed files) before you can delete them.

    Franky

  • Franky Van Liedekerke

    Logged In: YES
    user_id=109671

    of course the lines should become this (stupid copy/paste):

    if ((fscript = fopen (lscript, "a")) == NULL
    if ((fttime = fopen (lscript, "a")) == NULL
    if ((finput = fopen (lscript, "a")) == NULL

    Franky

  • vkhromov

    vkhromov - 2004-11-16

    Logged In: YES
    user_id=1148010

    Thank you for your solution.
    But IMHO it's only a temporary hack. AFAIK chattr works only
    for ext[23].

    Also there are other bugs related to saving logs in the
    /var/log/sudosh directory:
    http://sourceforge.net/tracker/?func=detail&aid=1056237&group_id=119536&atid=684354

    I think that sudosh should change its log-saving behaviour and
    use a completely different way to save logs. Use an intermediate
    log-saver daemon, for example.

  • Franky Van Liedekerke

    Logged In: YES
    user_id=109671

    that would indeed be the best solution (use syslog calls, e.g.),
    but in the meantime you can use the hack; I use it here and
    nobody is complaining :-)

  • Anonymous - 2004-11-17
    • status: open --> closed
