id,summary,reporter,owner,description,type,status,priority,milestone,component,resolution,keywords,cc,fix_version,see_also
240,notify users they're in a chroot on sudo/su,geofft,,"As I wrote to debathena@ on March 12,

> We noticed on zephyr today that sudo has a lecture_file option that will cause it to print a custom message the first time you run sudo. I propose we use it to do something like
> {{{
$ sudo aptitude install snes9x-x
Attention: You are on a Debathena cluster machine. Although you can use sudo to become root, your access is restricted to a sandbox (chroot) created when you logged in. If you install software or change global settings, they will be reverted when you log out.
If you would like a permanent change to cluster machines, please report a bug via the ""sendbug"" command.
Enter your Athena password below.
[sudo] password for geofft:
}}}
>
> This would involve setting ""{{{Defaults lecture_file=}}}(this warning){{{ lecture=once}}}"" in /etc/sudoers.
>
> Another option would be to do this with pam_echo in /etc/pam.d/sudo and /etc/pam.d/su. It has the advantage of also working for su, but making it warn you only once would be harder, so we'd probably have to say something shorter like ""Warning: You are in a login sandbox. See http://... for more information.""
>
> Another option would be for 'tellme root' to print the same warning to cover the 'su' case, although unless we change the root password nobody will notice...

After a brief discussion, we determined that sudo warns you once per session, rather than per account or whatever, so this has basically the right behavior.

I intend to go with the lecture_file approach soon, because it's an easy change, unless there's particular interest in having sudo and su use the same configuration.

Comments on the wording?",enhancement,closed,normal,Summer 2009 Deployment,--,fixed,,,,