# $Id: README,v 1.3 2011/10/17 21:08:55 ksb Exp $
# $Source: /usr/msrc/usr/local/bin/sudop/RCS/README,v $

Wrap op with a script that makes it work (mostly) like sudo.  And also
isolates us from the security problems of sudo.

We want to present customers with an interface that behaves like sudo as
much as possible while still taking advantage of our existing op
infrastructure for configuration management and logging.


The sudop wapper script calls the sudomap op rule:
	sudomap	/usr/local/libexec/sudop/sudomap $1 ;
		uid=root
		dir=/usr/local/lib/op
		users=.*
Which figures out how to map the sudo syntax to op.  The sudomap rule uses
mk to look through all the op configuration files for the marker "Sudop" and
a submarker that's the full sudo-like path to an executable.  (Note that the
executable doesn't really have to exist.  The name is only used to find the
right op rule.)  Only the first mk rule that matches is executed.

It must return a single line on stdout consisting of 3 values seperated by
exclamation marks (!).  These are:
    1) The real op rule that sudop should execute in place of the sudo rule.
    2) The user the rule runs as.
    3) The full sudo syntax for the command with REs to describe parameters.

The first value is very important as it controls the behavior of sudop.  The
second two are only used with the "-l" switch to sudop when listing all
rules.

The inverse of thise (using sudo to run op setuid is explained in the
README in master source to op).

--
Alex and ksb, Feb 2007