It's not to reinvent the wheel, it's basically so I can give my game server admins the password to an account with sudo privileges, but at least have some way to track if they do things to the system at large.
Originally Posted by scorp123
It would "replace" sudo in the user's shell using an alias, but that's one of the reasons I didn't want to use "sudo" within the command itself. However, I was also thinking I could eliminate the alias at the start of the script and replace it at the end, but I don't know if I need to do that.
Also, writing to the files is about 5 lines, and the file they're writing to is owned by root and has 700 permissions.
I'm going to give some of amingv's tips a shot, and see how it goes.
EDIT: I also forgot to mention, that I don't want to just add the commands to sudoers because I need this to be very portable and deployable at a moment's notice with many different possible situations. Always adding the dozens of commands I may need will take forever.
EDIT 2: I've got the script working perfectly, except for what I ask in the next post! Here it is, if anyone is curious. I have the file as /sbin/sudoauth.sh and the user in question has an alias for sudo='/sbin/sudoauth.sh'.
#!/bin/bash
# This script replaces the standard "sudo" command on the public LanNET servers.
# It requests the full name of the user requesting the authorization, as well
# as who gave them permission to make this modification. The entered data,
# along with a record of who is logged in at the time and from where, is
# stored in a root-viewable text file at /var/lannet/sudoauth.log
# This script is hereby released under the GNU GPL v3. For details of the license,
# please see http://www.gnu.org/licenses/gpl
LOGFILE=/var/lannet/sudoauth.log
# Exits the script when the Ctrl+C interrupt is called
exit_script() {
    clear
    echo "Authorization cancelled. No command was executed."
    exit 1
}
# MAIN SCRIPT
# Start: Trap Ctrl+C and display the warning message
trap exit_script 2
dialog --title "NOTICE! PLEASE READ BEFORE CONTINUING" --backtitle "LanNET 'sudo' Policy" --msgbox "Modification of this server requires express permission from a LanNET administrator. FAILURE TO OBTAIN THIS PERMISSION BEFORE MAKING ANY CHANGES TO THIS MACHINE, OR MAKING ANY MALICIOUS CHANGES TO THIS MACHINE, WILL BE PUNISHABLE BY EXPULSION FROM THE EVENT WITHOUT REFUND. ALL LOGIN AND SUDO ATTEMPTS TO THIS MACHINE ARE LOGGED. If you wish to continue, press \"OK\"." 13 50
# Clear the screen and ask for the username
clear
echo "Please enter your full name as shown on your ID:"
# Get the first input, which is the name of the person making the change
read -r AUTHUSER
# Clear the screen again and ask for the administrator
clear
echo "Please enter the name of the authorizing administrator:"
# Get the second input, which is the name of the authorizing administrator
read -r AUTHADMIN
# Refuse to go on if either name was left blank, otherwise the log entry is useless
if [ -z "$AUTHUSER" ] || [ -z "$AUTHADMIN" ]; then
    echo "Both names are required. No command was executed."
    exit 1
fi
# Temporarily get rid of the 'sudo' alias to this script so it won't call itself.
# (An alias defined in the interactive shell is not inherited by a script, so the
# sudo calls below already reach the real binary; this is only a safeguard.)
unalias sudo 2>/dev/null
# Ask for the sudo password and clear the screen. "sudo -v" validates and caches
# the password now, instead of later, and fails if the user cannot authenticate.
sudo -v || exit_script
clear
# Log the information to /var/lannet/sudoauth.log, root viewable only
echo '------------------------' | sudo tee -a "$LOGFILE"
echo 'LOGGED ATTEMPT AT SUDO' | sudo tee -a "$LOGFILE"
echo 'User: ' "$(whoami)" | sudo tee -a "$LOGFILE"
echo 'Participant: ' "$AUTHUSER" | sudo tee -a "$LOGFILE"
echo 'Authorization: ' "$AUTHADMIN" | sudo tee -a "$LOGFILE"
echo '"who" data: ' "$(who --ips)" | sudo tee -a "$LOGFILE"
echo "" | sudo tee -a "$LOGFILE"
echo "Authorization successful. Command executing."
# Double-check/reset permissions of that log file, so that only root can see it
sudo chown root:root "$LOGFILE"
sudo chmod 700 "$LOGFILE"
# Execute the command, keeping its exit status for the caller
sudo "$@"
STATUS=$?
# Reenable the 'sudo' alias and exit (this only affects the script's own shell)
alias sudo='/sbin/sudoauth.sh'
exit "$STATUS"
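The wrapper above appends a fixed set of lines per attempt to /var/lannet/sudoauth.log, and nothing as posted stops a user from entering empty names. As an added example (not part of the original post or the poster's script), here is a small POSIX shell reader for that log format that the root user could run to summarise attempts and flag records where the participant or authorizing-administrator field was left blank. The sample log is constructed inline to match the script's echo lines; the user, names and addresses in it are made up, and it assumes the "who" data shows the remote address in parentheses, as `who` prints its host column.

```shell
#!/bin/sh
# Added example: summarise the sudoauth.log records written by the wrapper script.
# Record layout follows the script's echo lines: a separator, a marker line,
# then "User:", "Participant:", "Authorization:" and the "who" data.

# Constructed sample log (fake names and addresses), written to a temp file so
# the functions below can be exercised offline. Two records: one complete, one
# where both names were left blank.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
------------------------
LOGGED ATTEMPT AT SUDO
User:  gameadmin
Participant:  Jane Example
Authorization:  Admin Example
"who" data:  gameadmin pts/0 2024-01-01 12:00 (10.0.0.5)

------------------------
LOGGED ATTEMPT AT SUDO
User:  gameadmin
Participant:  
Authorization:  
"who" data:  gameadmin pts/1 2024-01-01 12:05 (10.0.0.9)

EOF

# count_attempts FILE: number of logged sudo attempts in the file
count_attempts() {
    grep -c '^LOGGED ATTEMPT AT SUDO$' "$1"
}

# count_blank_auth FILE: records whose Participant or Authorization line carries
# no name (only the label and whitespace), i.e. entries that cannot be traced
# back to a person or an approving admin
count_blank_auth() {
    awk '
        /^LOGGED ATTEMPT AT SUDO$/ { n++; blank[n] = 0; next }
        /^(Participant|Authorization): *$/ { blank[n] = 1 }
        END { c = 0; for (i = 1; i <= n; i++) if (blank[i]) c++; print c }
    ' "$1"
}

# list_sources FILE: distinct remote addresses seen in the "who" data lines
list_sources() {
    sed -n 's/^"who" data: .*(\([^)]*\)).*/\1/p' "$1" | sort -u
}

# report FILE: print a short summary for the admin reviewing the log
report() {
    echo "attempts: $(count_attempts "$1")"
    echo "records with a blank name field: $(count_blank_auth "$1")"
    echo "remote addresses seen:"
    list_sources "$1" | sed 's/^/  /'
}

report "$SAMPLE_LOG"
```

On the real log the root user would call `report /var/lannet/sudoauth.log`; a non-zero blank count is the signal that someone went through the prompts without identifying themselves.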