Software from Mutant Internet

PseudoPod - The Sudo Pseudo Shell

This program allows you to give audited root shell access to users.

If you have Sudo and you need to give shell access to normal users then you may want it to be logged. PseudoPod does this.

Why the stupid name?

While in development this software was known as PSH - or PseudoSHell. Unfortunately PSH is also the Perl Shell. After a brief search and struggle, a new name was found. Initially the concept of changing the name to carapace or exoskeleton was considered... But a quick check in a thesaurus and POD was presented as an alternate word for shell. I LIKE the idea of having my very own pseudopod, so the name was changed. PseudoPod, or PPod for short, is already available, but the last few bugs are being ironed out as you read this.

How it works

First you have to reconfigure Sudo to block access to all of the shells listed in /etc/shells. Then you have to grant users access to PseudoPod instead of normal shells. When the user wants a shell they simply run sudo ppod. PseudoPod checks the SHELL environment variable and ensures that it points to a shell listed in /etc/shells. If it does, it forks that shell and logs the input and output to a file. If the SHELL environment variable doesn't exist then it grabs the user's shell from the password file and uses that.
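The shell selection step described above, as an added example in C (not PseudoPod's own source). The function names and the sample list are hypothetical, and three behaviours are assumptions the page does not state: an empty SHELL is treated as unset, the password-file shell is also checked against the list, and an unlisted shell is refused rather than replaced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if `shell` is an exact entry in `list`, the text of a file in
 * /etc/shells format: one absolute path per line, '#' starts a comment. */
int shell_is_listed(const char *list, const char *shell)
{
    size_t want;
    if (shell == NULL || shell[0] != '/')
        return 0;               /* relative names and comment lines never match */
    want = strlen(shell);
    while (*list != '\0') {
        size_t len = strcspn(list, "\n");       /* length of this line */
        size_t body = len;
        while (body > 0 && strchr(" \t\r", list[body - 1]) != NULL)
            body--;                             /* trim trailing blanks */
        if (body == want && memcmp(list, shell, want) == 0)
            return 1;           /* whole-line match, never a prefix match */
        list += len;
        if (*list == '\n')
            list++;
    }
    return 0;
}

/* Order from the page: $SHELL if set, otherwise the user's shell from the
 * password file. Assumption: the result must be listed, else NULL (refuse). */
const char *choose_shell(const char *env_shell, const char *pw_shell,
                         const char *list)
{
    const char *candidate =
        (env_shell != NULL && env_shell[0] != '\0') ? env_shell : pw_shell;
    return shell_is_listed(list, candidate) ? candidate : NULL;
}

/* Constructed sample, not a real system's /etc/shells. */
static const char SAMPLE_SHELLS[] =
    "# /etc/shells: valid login shells\n"
    "/bin/sh\n"
    "/bin/bash\n"
    "/usr/bin/ksh\n";

int main(void)
{
    /* "/bin/sh" stands in for the pw_shell field returned by getpwuid(). */
    const char *s = choose_shell(getenv("SHELL"), "/bin/sh", SAMPLE_SHELLS);
    printf("shell to run under the logger: %s\n", s ? s : "(refused)");
    return 0;
}
```

The comparison is on the whole line, so a SHELL value that merely shares a prefix with a listed shell, or points somewhere outside the list, is refused instead of being run as root.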

Caveats

PseudoPod is not perfect. It is possible to escape from the auditing. But, given the choices, this still gives you reasonable assurance. I have tried several commercial equivalents to Sudo with keystroke logging, and the same methods allow you to escape from the auditing. If you are that worried about your security then you probably shouldn't allow users to have root shells through sudo anyway.

Supported Platforms

PseudoPod has been written in C with the intention of being as compatible as possible. It requires various POSIX capabilities, and has been compiled under Linux, HP-UX and AIX. If you compile it on a different OS then please let me know. If you had to make changes in order to get it to compile on a different OS then it is even more important to me for you to let me know. If you are having trouble porting it, and can provide me with access to a development platform (C compiler, Man pages and a shell please) then please let me know. The biggest problem with porting PseudoPod so far has been issues with the way that pseudo tty devices work on different OSes.

Alternatives and Links

What commercial vendor would point you to alternatives? Well, some of these may fit your needs better than PseudoPod.

Sudoscript - A Perl script (or two) that performs the same function as PseudoPod. Written by Howard Owen. While there, read his rationale and his paper on Sudoscript.

Sudo - A way of dividing up Root privileges. You will need Sudo, or a similar utility, for PseudoPod to make any sense.

PassGO UPM - A commercial program that performs similar functions to Sudo/PseudoPod. It's more expensive, but has a nice GUI configuration tool.

Symark PowerBroker - Another commercial program, based on UPM originally.

Downloads

You can download the source Here. The current version is 0.6. So far PseudoPod works on AIX, HP-UX and Linux.

Revision History

  • 0.5 Initial Release, Works on AIX, Linux and HP-UX
  • 0.6 Fixed a few minor bugs. It now correctly doesn't echo.

To Do / Known Issues

  • Resizing the window causes PseudoPod to crash

To contact me about this software, please e-mail Software@mutant.net
