Ticket #240 (closed enhancement: fixed)

Opened 15 years ago

Last modified 15 years ago

notify users they're in a chroot on sudo/su

Reported by: geofft Owned by:
Priority: normal Milestone: Summer 2009 Deployment
Component: -- Keywords:
Cc: Fixed in version:
Upstream bug:


As I wrote to debathena@ on March 12,

We noticed on zephyr today that sudo has a lecture_file option that will cause it to print a custom message the first time you run sudo. I propose we use it to do something like

$ sudo aptitude install snes9x-x
Attention: You are on a Debathena cluster machine. Although you can use
sudo to become root, your access is restricted to a sandbox (chroot)
created when you logged in. If you install software or change
global settings, they will be reverted when you log out.

If you would like a permanent change to cluster machines, please
report a bug via the "sendbug" command.
Enter your Athena password below.

[sudo] password for geofft:

This would involve setting "Defaults lecture_file=(this warning) lecture=once" in /etc/sudoers.

Another option would be to do this with pam_echo in /etc/pam.d/sudo and /etc/pam.d/su. It has the advantage of also working for su, but making it warn you only once would be harder, so we'd probably have to say something shorter like "Warning: You are in a login sandbox. See  http://... for more information."

Another option would be for 'tellme root' to print the same warning to cover the 'su' case, although unless we change the root password nobody will notice...

After a brief discussion, we determined that sudo warns you once per session, rather than per account or whatever, so this has basically the right behavior.

I intend to go with the lecture_file approach soon, because it's an easy change, unless there's particular interest in having sudo and su use the same configuration. Comments on the wording?

Change History

comment:1 Changed 15 years ago by geofft

  • Status changed from new to development

I've written this up as r23787 sqq., and uploaded it to -development. Once I confirm that I did not break either su or sudo in the process, I'll move it to -proposed.

comment:2 Changed 15 years ago by geofft

  • Status changed from development to proposed

Tested on tyger, confirmed that it didn't break, made a cosmetic fix, and uploaded to -proposed as debathena-reactivate 1.19.1.

comment:3 Changed 15 years ago by broder

It would be nice if the lecture file had an extra newline at the beginning to separate it from the prompt above. Seems to work well other than that.

comment:4 Changed 15 years ago by geofft

  • Status changed from proposed to closed
  • Resolution set to fixed

I think this type of output traditionally doesn't have a newline at the top...

I've uploaded this to production. For the record, the method I chose was hacking PAM for the su case and using a lecture_file for sudo.

Note: See TracTickets for help on using tickets.