Hi. Is there any way to make sudo always prompt for a comment (requirement) before proceding with the actions?
You can write a script that will prompt you for the requirement, store the command and response in a log file, then execute the command. Try something like the sample below. This will not work as it is, but it should help you get started.
#!/bin/bash
now=$(date +%Y%m%d_%H%M)
logFile=/Some/path/to/file.log
clear
echo '
Enter the reason for executing the command with elevated privileges: '
read response
echo 'Executed the '${*}' at '${now}' with a reason of '${response}'.' > $logFile
sudo $*
Call the script something like "mysudo," mark it executable, and execute it by typing:
mysudo someCommand
Thanks. That would not prevent them from running sudo directly, however.
Then, make an alias or function as sudo, and write this definition into it.
And if somebody calls sudo, your function should be called and after required actions, call sudo using absolute path.
And again, if somebody calls the sudo with absolute path, you cannot catch !
The only way to prevent someone from calling sudo directly is to either remove their permissions or remove the file. Unless you want to have a new compiled executable written for your requirement, your best bet is to simply obscure the sudo function and use a script to call it if a user has entered a reason. You can have a script be executable and not readable.
Thegeek's suggestion to intercept the sudo call is a good one, although I'm not sure an alias will provide the consistency you want since users can simply redefine an alias. You can create a soft link (ln -s source/file destination/sudo) to your script and place the soft link in a location that is earlier in the search path than the sudo app.