diff --git a/README b/README
new file mode 100644
index 0000000..9b9e035
--- /dev/null
+++ b/README
@@ -0,0 +1,120 @@
+Introduction:
+=============
+
+rootsh is a wrapper for a shell which will make a copy of everything printed
+on your terminal. Its main purpose is to give ordinary users a shell with
+root privileges while keeping an eye on what they type. This is accomplished
+by allowing them to execute rootsh via the sudo command. Unlike a simple
+"sudo -s" which is the usual way doing this, "sudo rootsh" will send their
+terminal keystrokes and output to a logfile and eventually to a remote
+syslog server, where they are out of reach and safe from manipulation.
+
+
+Motivation:
+===========
+
+Sometimes users need to perform tasks on a system which are too complex
+to be expressed in sudo rules. Sometimes there is management pressure
+to give a user a root shell. Sometimes you're just tired arguing with
+users who insist in having root privileges.
+With rootsh you can give your users access to a root shell while auditing
+their actions.
+
+
+Usage:
+======
+
+rootsh will be mainly used to give normal users the privilege of a
+shell running under uid 0. This will mostly be accomplished by calling
+it via the sudo command.
+If, for example you have to grant user usr1234 local root privileges
+on his workstation ws0001, you make an entry in your /etc/sudoers like this:
+
+usr1234 ws0001 = /bin/rootsh
+
+He will then have to type the following to become root:
+
+usr1234@ws0001:~> sudo rootsh
+Password:
+ws0001:~ # id
+uid=0(root) gid=0(root) groups=0(root)
+ws0001:~ #
+ws0001:~ # exit
+exit
+usr1234@ws0001:~>
+
+
+If you compiled rootsh with the default settings, the keystrokes and output
+will be sent line by line to the syslog daemon using priority local5.info
+To collect the output coming from running rootsh commands in a specific file
+make an entry in your /etc/syslog.conf like this:
+
+local5.notice /var/log/rootshell
+
+or maybe like this:
+
+local5.notice @your_central_syslog_host
+
+Wherever you send your syslog data to, the resulting output will be
+like this:
+
+Jul 2 17:44:19 ws0001 rootsh-020a: usr1234=root,/dev/pts/0: logging new rootsh session (rootsh-020a) to /var/log/rootsh/usr1234.20040702174419.020a
+Jul 2 17:44:21 ws0001 rootsh-020a: 001: ws0001:~ # id
+Jul 2 17:44:21 ws0001 rootsh-020a: 002: uid=0(root) gid=0(root) groups=0(root)
+Jul 2 17:44:22 ws0001 rootsh-020a: 003: ws0001:~ #
+Jul 2 17:46:03 ws0001 rootsh-020a: 004: ws0001:~ # exit
+Jul 2 17:46:03 ws0001 rootsh-020a: 005: exit
+Jul 2 17:46:03 ws0001 rootsh-020a: 006: *** rootsh session ended by user
+Jul 2 17:46:03 ws0001 rootsh-020a: usr1234,/dev/pts/0: closing rootsh session (rootsh-020a)
+
+where the rootsh-020a is an identifier created from the program's name and
+a 4 digit hex number which is the pid of the rootsh process. It will prepend
+every line sent to syslog and will help you to find all the entries in
+a logfile belonging to a specific session.
+(first find the "logging new..." line for the session you're interested in,
+take the identifier like rootsh-020a in the example and grep all occurences
+of it from your logfile. If rootsh is running on many machines, there
+may be collisions if two rootsh processes have the same pid.
+Add the hostname to grep's pattern in this case.
+You will also find the same output locally on the ws0001 host in a file
+called like this ..
+Depending on your operating system and configuration parameter --with-logdir=
+these files can be found in /var/log/rootsh, /var/adm/rootsh or your own choice.
+The counter after the session identifier can help you find holes if you
+are not sure wether logging was incomplete (either due to manipulation
+or network problems).
+Finished session's logfiles get ".closed" appended to their names. This
+helps you cleaning and archiving your logdir.
+If the main process thinks, the logfile was manipulated during the session,
+it tries to recreate the file and ".tampered" instead of ".closed" is attached.
+
+There is a parameter "-i", which tells rootsh to run the shell as a login shell.
+
+You can use the parameter -u if you want to run the shell as another non-root user.
+
+Better look at the manpage at http://people.consol.de/~lausser/rootsh/rootsh.html
+
+
+
+How it works:
+=============
+
+rootsh works very much like the script utility. It forks and creates
+a master/slave pseudo terminal pair. The slave pseudo terminal will
+become the controlling terminal of the child process which will
+execute a shell command. The parent process waits for input from the
+user's terminal and sends it down the master pty. Every output including
+the echoed input will be written to a logfile and to the syslog daemon.
+
+
+Warning:
+========
+There may be methods to escape the auditing. The abuser might then delete
+his traces oder manipulate the logfiles.
+With (per default) activated syslog logging you have at least a chance
+to seek out suspicious traces of misbehaviour.
+
+
+MAINTAINER:
+luanjianhai@huawei.com
+
diff --git a/logrotate-rootsh.sh b/logrotate-rootsh.sh
new file mode 100644
index 0000000..d4ed5be
--- /dev/null
+++ b/logrotate-rootsh.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+DEFAULT_PATH="/var/log/rootsh/"
+MaxSize=0
+GSize=0
+
+# Get Max Size in Configure File
+function getmaxsize() {
+ size=`grep size /etc/logrotate.d/rootsh | head -1 | awk '{print $2}'`
+
+ unit=${size: -1}
+ case $unit in
+ 'G' | 'g')
+ size=${size:0:-1}
+ size=$(($size*1024*1024))
+ ;;
+ 'M' | 'm')
+ size=${size:0:-1}
+ size=$(($size*1024))
+ ;;
+ 'K' | 'k')
+ size=${size:0:-1}
+ ;;
+ [[:digit:]])
+ ;;
+ *)
+ size=102400
+ ;;
+ esac
+
+ MaxSize=$size
+}
+
+function getsize() {
+ GSize=`du -d 1 $1 | awk '{print $1}'`
+}
+
+function logrotate_dir() {
+ path=$1
+ size=$2
+
+ getsize ${DEFAULT_PATH}
+ while [ $GSize -gt $size ]; do
+
+ file=`ls -ltr ${DEFAULT_PATH} | awk '{if(NR>1){print $9}}' | head -1`
+
+ # Do not delete the whole directory
+ if [ -n "$file" -a $file != "logrotate" ]; then
+ rm -rf ${DEFAULT_PATH}/$file
+ else
+ break
+ fi
+
+ getsize ${DEFAULT_PATH}
+ done
+}
+
+function lastaction() {
+ # Get Max Size in Configure File
+ getmaxsize
+
+ # Rotate /var/log/rootsh/*
+ logrotate_dir ${DEFAULT_PATH} $MaxSize
+
+ # Move rotated file to the monitor file
+ if [ -f "/var/log/rootsh/logrotate.1" ]; then
+ rm -f /var/log/rootsh/logrotate.1
+ fi
+}
+
+if [ $# -eq 1 ]; then
+ if [ $1 == "lastaction" ]; then
+ lastaction
+ fi
+fi
+
diff --git a/rootsh-1.5.3-open-needs-3-args.patch b/rootsh-1.5.3-open-needs-3-args.patch
new file mode 100644
index 0000000..63bf256
--- /dev/null
+++ b/rootsh-1.5.3-open-needs-3-args.patch
@@ -0,0 +1,12 @@
+diff -up rootsh-1.5.3/src/rootsh.c.BAD rootsh-1.5.3/src/rootsh.c
+--- rootsh-1.5.3/src/rootsh.c.BAD 2008-05-14 16:38:30.000000000 -0400
++++ rootsh-1.5.3/src/rootsh.c 2008-05-14 16:38:37.000000000 -0400
+@@ -680,7 +680,7 @@ int beginlogging(void) {
+ // Open the logfile
+ */
+ if ((logFile = open(logFileName, O_RDWR|O_CREAT|O_SYNC|O_CREAT|O_APPEND|
+- S_IRUSR|S_IWUSR)) == -1) {
++ S_IRUSR|S_IWUSR, 0777)) == -1) {
+ perror(logFileName);
+ return(0);
+ }
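Review bot: `getsize` fills `GSize` from `du -d 1 $1 | awk '{print $1}'`, which prints one line per depth-1 entry plus the directory's own total, so as soon as a subdirectory exists under /var/log/rootsh the variable holds several words and `[ $GSize -gt $size ]` in `logrotate_dir` fails with a syntax error instead of enforcing the cap; `du -sk -- "$1"` yields the single total the loop expects. The file to delete is then chosen by parsing column 9 of `ls -ltr` and removed with an unquoted `rm -rf ${DEFAULT_PATH}/$file` while running as root from logrotate's lastaction, so a name containing whitespace is truncated to its first token and the wrong path is removed; selecting the oldest regular file with `find` and quoting every expansion avoids both problems, and restricting to `-type f` keeps the "do not delete the whole directory" intent without `-r`. Since this loop discards session audit logs once the directory exceeds the configured size, that retention behaviour deserves a sentence in the header comment, e.g. `# Deletes the oldest rootsh session logs until the directory fits the size from /etc/logrotate.d/rootsh`.
```shell
function getsize() {
 GSize=$(du -sk -- "$1" | awk '{print $1}')
}

function logrotate_dir() {
 local size=$2 file

 getsize "${DEFAULT_PATH}"
 while [ "$GSize" -gt "$size" ]; do
 # Oldest regular file by mtime; the monitored 'logrotate' file and directories are never candidates
 file=$(find "${DEFAULT_PATH}" -maxdepth 1 -type f ! -name logrotate -printf '%T@ %f\n' | sort -n | head -n1 | cut -d' ' -f2-)
 [ -n "$file" ] || break
 rm -f -- "${DEFAULT_PATH}/$file"
 getsize "${DEFAULT_PATH}"
 done
}
# … unchanged: getmaxsize, lastaction, argument dispatch …
```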
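Review bot: Patch0 supplies the missing third argument to open() as 0777, and Patch1 in the next hunk of this commit only lowers it to 0666, so the per-session audit log under /var/log/rootsh is still created group- and world-readable unless the process umask happens to mask it, whereas rootsh.logrotate in this same commit creates its own file with `create 0600 root root`. These logs record every keystroke of a root session, including whatever is typed at password prompts, so the mode should be owner-only; the `S_IRUSR|S_IWUSR` bits that the original code OR'd into the flags are exactly that mode and belong in the third argument: `if ((logFile = open(logFileName, O_RDWR|O_CREAT|O_SYNC|O_APPEND,` followed by `S_IRUSR|S_IWUSR)) == -1) {`. The patched function beginlogging() begins and ends outside both hunks.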
diff --git a/rootsh-1.5.3.tar.gz b/rootsh-1.5.3.tar.gz
new file mode 100644
index 0000000..86e2181
Binary files /dev/null and b/rootsh-1.5.3.tar.gz differ
diff --git a/rootsh-1.5.3_change_permissions.patch b/rootsh-1.5.3_change_permissions.patch
new file mode 100644
index 0000000..deb6ef5
--- /dev/null
+++ b/rootsh-1.5.3_change_permissions.patch
@@ -0,0 +1,13 @@
+diff -Nur rootsh-1.5.3.orig/src/rootsh.c rootsh-1.5.3/src/rootsh.c
+--- rootsh-1.5.3.orig/src/rootsh.c 2017-11-11 19:18:16.638430603 +0800
++++ rootsh-1.5.3/src/rootsh.c 2017-11-11 19:19:24.547425868 +0800
+@@ -680,7 +680,7 @@
+ // Open the logfile
+ */
+ if ((logFile = open(logFileName, O_RDWR|O_CREAT|O_SYNC|O_CREAT|O_APPEND|
+- S_IRUSR|S_IWUSR, 0777)) == -1) {
++ S_IRUSR|S_IWUSR, 0666)) == -1) {
+ perror(logFileName);
+ return(0);
+ }
+
diff --git a/rootsh.logrotate b/rootsh.logrotate
new file mode 100644
index 0000000..35e8e3f
--- /dev/null
+++ b/rootsh.logrotate
@@ -0,0 +1,12 @@
+/var/log/rootsh/logrotate
+{
+ size 100M
+ daily
+ missingok
+ nocompress
+ lastaction
+ /bin/logrotate-rootsh.sh lastaction
+ endscript
+ create 0600 root root
+}
+
diff --git a/rootsh.spec b/rootsh.spec
new file mode 100644
index 0000000..9de294c
--- /dev/null
+++ b/rootsh.spec
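Review bot: The `lastaction` block runs `/bin/logrotate-rootsh.sh`, but rootsh.spec in this commit installs the script to `%{_bindir}/logrotate-rootsh.sh`, so the path only resolves on a system where /bin is merged into /usr/bin; on any other layout logrotate reports the script as missing and the size cap is never applied. Either name the installed path here, `%{_bindir}/logrotate-rootsh.sh lastaction` substituted at %install time, or install the script where this file expects it. A one-line comment above the stanza stating that the script prunes old session logs rather than rotating `/var/log/rootsh/logrotate` itself would also help the next maintainer, since the `size 100M`/`daily` directives only gate when the hook fires.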
@@ -0,0 +1,75 @@
+Name: rootsh
+Summary: Shell wrapper for auditing
+Version: 1.5.3
+Release: 15
+License: GPLv3+
+Source0: http://download.sourceforge.net/rootsh/%{name}-%{version}.tar.gz
+Source1: rootsh.logrotate
+Source2: logrotate-rootsh.sh
+Patch0: rootsh-1.5.3-open-needs-3-args.patch
+Patch1: rootsh-1.5.3_change_permissions.patch
+URL: http://sourceforge.net/projects/rootsh
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+%description
+Rootsh is a wrapper for shells which logs all echoed keystrokes and
+terminal output to a file and/or to syslog. Its main purpose is the
+auditing of users who need a shell with root privileges. They start
+rootsh through the sudo mechanism.
+
+%package_help
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+
+%build
+%configure
+%make_build
+
+%install
+rm -rf $RPM_BUILD_ROOT
+%make_install
+mkdir -p $RPM_BUILD_ROOT/var/log/rootsh
+touch $RPM_BUILD_ROOT/var/log/rootsh/logrotate
+
+# Logrotate script
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
+install -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/rootsh
+install -m 500 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/logrotate-rootsh.sh
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root)
+%doc README AUTHORS ChangeLog THANKS INSTALL COPYING
+%{_bindir}/rootsh
+%attr(500,root,root) %{_bindir}/logrotate-rootsh.sh
+%config(noreplace) %{_sysconfdir}/logrotate.d/rootsh
+/var/log/rootsh/
+
+%files help
+%{_mandir}/man1/rootsh.1.gz
+
+%changelog
+* Wed Feb 12 2020 openEuler Buildteam - 1.5.3-15
+- Package init
+
+* Wed Nov 29 2017 Jianhai Luan - 1.5.3-15.h6
+- Do not delete /var/log/rootsh/ and /varlog/rootsh/logrotate
+
+* Fri Nov 24 2017 Jiahai Luan - 1.5.3-14.h5
+- Modify the attribute of /bin/logrotate-rootsh.sh to 500
+
+* Fri Nov 24 2017 Jiahai Luan - 1.5.3-14.h4
+- Rotate /var/log/rootsh/* and limit the size of directory
+
+* Fri Nov 24 2017 Jiahai Luan - 1.5.3-14.h3
+- Add rootsh.back to avoid endless loop compress in logrotate
+
+* Fri Nov 24 2017 Jiahai Luan - 1.5.3-14.h2
+- Change rootsh log to meet the security code of Huawei
+
+* Thu Nov 2 2017 Jianhai Luan - 1.5.3-14.h1
+- Add the logrotate configure file to limit log size
+
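Review bot: `/var/log/rootsh/` appears in %files with only `%defattr(-,root,root)`, so the directory and the `logrotate` file touched in %install are packaged with whatever mode `mkdir -p` and `touch` produced under the build umask, presumably 0755 and 0644, which lets any local user list the per-session audit logs and read the rotation marker; combined with the 0666 mode in Patch1 the session transcripts themselves become readable too. Declare the directory explicitly and owner-only, `%attr(0700,root,root) %dir /var/log/rootsh` and `%attr(0600,root,root) /var/log/rootsh/logrotate`, matching the `create 0600 root root` that rootsh.logrotate already uses. The `%package_help` line is an openEuler macro rather than a typo for `%package help`, which is worth a short comment since the plain `%files help` below reads as if the section were spelled inconsistently.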