From Todd.Miller at courtesan.com Sun Jan 6 09:05:34 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun, 06 Jan 2008 09:05:34 -0500
Subject: [sudo-workers] sudo 1.7b1 released
Message-ID: <200801061405.m06E5Yce006853@tex.courtesan.com>

This is the first beta version of sudo version 1.7.

Download links:
    http://www.sudo.ws/sudo/dist/beta/sudo-1.7b1.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7b1.tar.gz

What's new in Sudo 1.7?

 * Rewritten parser that converts sudoers into a set of data structures.
   This eliminates a number of ordering issues and makes it possible
   to apply sudoers Defaults entries before searching for the command.
   It also adds support for per-command Defaults specifications.

 * Sudoers now supports a #include facility to allow the inclusion of
   other sudoers-format files.

 * Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") to list another user's privileges.

 * A new -g flag has been added to allow the user to specify a primary
   group to run the command as.  The sudoers syntax has been extended
   to include a group section in the Runas specification.

 * A uid may now be used anywhere a username is valid.

 * The "secure_path" run-time Defaults option has been restored.

 * Password and group data is now cached for fast lookups.

 * The file descriptor at which sudo starts closing all open files is
   now configurable via sudoers and, optionally, the command line.

 * Visudo will now warn about aliases that are defined but not used.

 * The -i and -s command line flags now take an optional command to be
   run via the shell.  Previously, the argument was passed to the shell
   as a script to run.

 * Improved LDAP support.  SASL authentication may now be used when
   connecting to an LDAP server.
   The krb5_ccname parameter in ldap.conf may be used to enable Kerberos.

 * Support for /etc/nsswitch.conf.  LDAP users may now use nsswitch.conf
   to specify the sudoers order.  E.g.:
       sudoers: ldap files
   to check LDAP, then /etc/sudoers.  The default is files, even when
   LDAP support is compiled in.  This differs from sudo 1.6 where LDAP
   was always consulted first.

 * Support for /etc/environment.  If sudo is run with the -i flag, the
   contents of /etc/environment are used to populate the new environment
   that is passed to the command being run.

 * Sudo now ignores user .ldaprc files as well as system LDAP defaults.
   All LDAP configuration is now in /etc/ldap.conf (or whichever file
   was specified by configure's --with-ldap-conf-file option).
   If you are using TLS, you may now need to specify:
       tls_checkpeer no
   in sudo's ldap.conf unless ldap.conf references a valid certificate
   authority file(s).

For full details see the ChangeLog file included with the release.

From Todd.Miller at courtesan.com Mon Jan 21 10:45:05 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 21 Jan 2008 10:45:05 -0500
Subject: [sudo-workers] sudo 1.7b2 released
Message-ID: <200801211545.m0LFj5LH027426@tex.courtesan.com>

This is the second beta version of sudo version 1.7.  I'd love to hear
reports of success (or even failure!) in real-world environments.
Also, the support for authenticated LDAP connections using Kerberos 5
and SASL needs testing.

Download links:
    http://www.sudo.ws/sudo/dist/beta/sudo-1.7b2.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7b2.tar.gz

Changes from Sudo 1.7b1:

 * Fixed an alignment issue on Solaris.

 * Added a sudoers.ldap man page (still a work in progress).

 * Sync with Sudo 1.6.9p12

What's new in Sudo 1.7?

 * Rewritten parser that converts sudoers into a set of data structures.
   This eliminates a number of ordering issues and makes it possible
   to apply sudoers Defaults entries before searching for the command.
   It also adds support for per-command Defaults specifications.

 * Sudoers now supports a #include facility to allow the inclusion of
   other sudoers-format files.

 * Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") to list another user's privileges.

 * A new -g flag has been added to allow the user to specify a primary
   group to run the command as.  The sudoers syntax has been extended
   to include a group section in the Runas specification.

 * A uid may now be used anywhere a username is valid.

 * The "secure_path" run-time Defaults option has been restored.

 * Password and group data is now cached for fast lookups.

 * The file descriptor at which sudo starts closing all open files is
   now configurable via sudoers and, optionally, the command line.

 * Visudo will now warn about aliases that are defined but not used.

 * The -i and -s command line flags now take an optional command to be
   run via the shell.  Previously, the argument was passed to the shell
   as a script to run.

 * Improved LDAP support.  SASL authentication may now be used when
   connecting to an LDAP server.  The krb5_ccname parameter in ldap.conf
   may be used to enable Kerberos.

 * Support for /etc/nsswitch.conf.  LDAP users may now use nsswitch.conf
   to specify the sudoers order.  E.g.:
       sudoers: ldap files
   to check LDAP, then /etc/sudoers.  The default is files, even when
   LDAP support is compiled in.  This differs from sudo 1.6 where LDAP
   was always consulted first.

 * Support for /etc/environment.  If sudo is run with the -i flag, the
   contents of /etc/environment are used to populate the new environment
   that is passed to the command being run.

 * Sudo now ignores user .ldaprc files as well as system LDAP defaults.
   All LDAP configuration is now in /etc/ldap.conf (or whichever file
   was specified by configure's --with-ldap-conf-file option).
   If you are using TLS, you may now need to specify:
       tls_checkpeer no
   in sudo's ldap.conf unless ldap.conf references a valid certificate
   authority file(s).

For full details see the ChangeLog file included with the release.

From edward_newman at ml.com Tue Jan 22 14:49:37 2008
From: edward_newman at ml.com (Newman, Edward (GTI))
Date: Tue, 22 Jan 2008 14:49:37 -0500
Subject: [sudo-workers] LDAP issue

Been trying out 1.7b1 and had issue with LDAP.  Appears that
/etc/ldap.conf is default to "'/etc/ldap.conf'" (note double quotes
around single quotes).  This causes ldap.conf to be not found.  Please
remove single quotes from pathnames.h.

One additional comment - I find the LDAP display confusing compared to
file display.  Is there anyway to show consolidated rights from file and
ldap in one view rather than two separate sections and align formatting?
This might require some significant changes based on current code paths.

However I do now have this working against Active Directory /
Application Mode and will start testing further.  Any timeline for 1.7?

Edward

--------------------------------------------------------
This message w/attachments (message) may be privileged, confidential or
proprietary, and if you are not an intended recipient, please notify the
sender, do not use or share it and delete it.  Unless specifically
indicated, this message is not an offer to sell or a solicitation of any
investment products or other financial product or service, an official
confirmation of any transaction, or an official statement of Merrill
Lynch.  Subject to applicable law, Merrill Lynch may monitor, review and
retain e-communications (EC) traveling through its networks/systems.
The laws of the country of each sender/recipient may impact the handling
of EC, and EC may be archived, supervised and produced in countries other
than the country in which you are located.  This message cannot be
guaranteed to be secure or error-free.  This message is subject to terms
available at the following link: http://www.ml.com/e-communications_terms/.
By messaging with Merrill Lynch you consent to the foregoing.
--------------------------------------------------------

From Todd.Miller at courtesan.com Tue Jan 22 17:01:17 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 22 Jan 2008 17:01:17 -0500
Subject: [sudo-workers] LDAP issue
In-Reply-To: Your message of "Tue, 22 Jan 2008 14:49:37 EST."
Message-ID: <200801222201.m0MM1Hs7014377@tex.courtesan.com>

In message so spake "Newman, Edward \(GTI\)" (edward_newman):

> Been trying out 1.7b1 and had issue with LDAP. Appears that
> /etc/ldap.conf is default to "'/etc/ldap.conf'" (note double quotes
> around single quotes). This causes ldap.conf to be not found. Please
> remove single quotes from pathnames.h.

I'm not sure where the single quotes are coming from--I certainly don't
get them here.  I get just the double quotes whether I specify
--with-ldap-conf-file=/etc/sudo-ldap.conf or if I take the default
location.  What operating system are you seeing this behavior on?

> One additional comment - I find the LDAP display confusing compared to
> file display. Is there anyway to show consolidated rights from file and
> ldap in one view rather than two separate sections and align formatting?
> This might require some significant changes based on current code paths.

I agree that the very different display is sub-optimal.  It may be
possible to make the LDAP output appear more like the file-based sudoers
info, though I'm not sure what to do with the per-command options.
I suppose they could be transformed into Defaults!command type entries.
Merging the two may be as simple as breaking up the listing stage so
that Defaults options are printed at the same time.

> However I do now have this working against Active Directory /
> Application Mode and will start testing further. Any timeline for 1.7?

Was there any special configuration you had to do to use Active
Directory that should go in README.LDAP?

As for a timeline, it depends on the level of testing.  The more things
get tested, the more confident I will be ;-)

Thanks!

 - todd

From erh+sudo at nimenees.com Tue Jan 22 16:52:25 2008
From: erh+sudo at nimenees.com (Eric Haszlakiewicz)
Date: Tue, 22 Jan 2008 15:52:25 -0600
Subject: [sudo-workers] LDAP issue
Message-ID: <20080122215225.GA1585@nimenees.com>

On Tue, Jan 22, 2008 at 02:49:37PM -0500, Newman, Edward (GTI) wrote:
> Been trying out 1.7b1 and had issue with LDAP. Appears that
> /etc/ldap.conf is default to "'/etc/ldap.conf'" (note double quotes
> around single quotes). This causes ldap.conf to be not found. Please
> remove single quotes from pathnames.h.
>

hmm... does that mean that it actually ends up trying to open
./'/ldap.conf' from whatever directory you happen to run it from?
Does being able to specify your own ldap config file lead to a security
breach?  If so, has this been present long enough to warrant a security
advisory?

eric

From edward_newman at ml.com Tue Jan 22 17:11:14 2008
From: edward_newman at ml.com (Newman, Edward (GTI))
Date: Tue, 22 Jan 2008 17:11:14 -0500
Subject: [sudo-workers] LDAP issue
References: <200801222201.m0MM1Hs7014377@tex.courtesan.com>

Getting this on Redhat 4 Update 5 when running configure under a Bourne
Shell.  This is through using default option with configure script.

AD stuff required a different format schema.  Will finish testing and
send you details.  Also had to set anonymous access as haven't worked
out details of SASL integration.
Edward

From edward_newman at ml.com Tue Jan 22 16:58:00 2008
From: edward_newman at ml.com (Newman, Edward (GTI))
Date: Tue, 22 Jan 2008 16:58:00 -0500
Subject: [sudo-workers] LDAP issue
References: <20080122215225.GA1585@nimenees.com>

No.  Just that the version built by default is looking for
'/etc/ldap.conf' (including quotes) and this appears to fail (can't
find conf file).  If I remove quotes from pathnames.h (leaving double
but not single) then it works.  Looks like a minor issue with configure
script.

Edward

-----Original Message-----
From: Eric Haszlakiewicz [mailto:erh+sudo at nimenees.com]
Sent: 22 January 2008 16:52
To: Newman, Edward (GTI)
Cc: sudo-workers at sudo.ws
Subject: Re: [sudo-workers] LDAP issue

On Tue, Jan 22, 2008 at 02:49:37PM -0500, Newman, Edward (GTI) wrote:
> Been trying out 1.7b1 and had issue with LDAP. Appears that
> /etc/ldap.conf is default to "'/etc/ldap.conf'" (note double quotes
> around single quotes). This causes ldap.conf to be not found. Please
> remove single quotes from pathnames.h.
>

hmm... does that mean that it actually ends up trying to open
./'/ldap.conf' from whatever directory you happen to run it from?
Does being able to specify your own ldap config file lead to a security
breach?  If so, has this been present long enough to warrant a security
advisory?

eric

From Todd.Miller at courtesan.com Wed Jan 23 06:31:02 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 23 Jan 2008 06:31:02 -0500
Subject: [sudo-workers] LDAP issue
In-Reply-To: Your message of "Tue, 22 Jan 2008 17:11:14 EST."
References: <200801222201.m0MM1Hs7014377@tex.courtesan.com>
Message-ID: <200801231131.m0NBV2c7025265@tex.courtesan.com>

In message so spake "Newman, Edward \(GTI\)" (edward_newman):

> Getting this on Redhat 4 Update 5 when running configure under a Bourne
> Shell. This is through using default option with configure script.

Please give this configure script a try:

    ftp://ftp.sudo.ws/pub/millert/sudo/configure

 - todd

From mekius_ at satus.net Tue Jan 29 10:47:13 2008
From: mekius_ at satus.net (Nick Hughart)
Date: Tue, 29 Jan 2008 09:47:13 -0600
Subject: [sudo-workers] Sudo askpass
Message-ID: <479F4A81.4060905@satus.net>

I'm wondering if anyone has considered an askpass system like is
available in ssh.  It would help to do two things:

1) Graphical Sudo programs could be replaced with the simple askpass
   programs.

2) Programmers can be more sure of a way to get root access executing
   commands as root as all they will have to do is exec sudo and it will
   determine how to get the password.

I'm not sure why this was never thought of.  I searched the archives and
couldn't really find anything on this, so figured I'd bring it up.

This is really nice for integration purposes in a graphical environment.
Right now an app has to assume a certain environment and use its methods
of achieving root access.  With this, sudo could be used in a way that
allows any desktop to easily define its sudo askpass program and it will
instantly be integrated.

I think at this point in time, sudo has really become quite a standard
package in most distributions.  Ubuntu is even using it as the only
method of gaining root access.

For reference, I maintain empower which is a graphical sudo and askpass
program so this is something I'd be personally interested in seeing.

Any thoughts?
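
A worked configuration for the sudo 1.7 features listed in the two
release announcements above, added here as an example; it is not part of
the sudo 1.7 distribution nor of any message in this thread.  The script
stages a sudoers file that uses the new syntax (per-command Defaults, the
group section of the Runas specification, a #uid in place of a user name,
#include, the restored secure_path option and the configurable closefrom
descriptor), writes the nsswitch.conf line from the announcement, and
writes an ldap.conf that shows the "tls_checkpeer no" setting mentioned in
the release notes commented out next to the form that keeps certificate
checking.  It then runs "visudo -c -f" on the staged sudoers file when
visudo is installed.  Every user, group, host, command, base DN and path
is invented for the example, and the use_sasl/krb5_ccname values are
assumed, not taken from the release notes.

```shell
#!/bin/sh
# Added example (not from the sudo 1.7 release or this thread): stage a sudoers
# file that uses the 1.7 syntax announced above, plus the nsswitch.conf and
# ldap.conf lines the announcement mentions, then run visudo -c -f on it.
# All users, groups, hosts, commands and paths below are made up.
set -eu

# Write sudoers, sudoers.local, nsswitch.conf and ldap.conf under $1
# (a scratch directory; nothing here touches /etc).  Prints the directory.
stage_sudo17_config() {
    dir=$1
    mkdir -p "$dir"

    # A second sudoers-format file, pulled in below with #include.
    cat > "$dir/sudoers.local" <<'EOF'
# Site-local additions (included from the main file).
Cmnd_Alias  LOGS = /usr/bin/tail -f /var/log/messages
carol  ALL = (root) LOGS
EOF

    # Main file.  Unquoted heredoc so $dir expands in the #include line.
    cat > "$dir/sudoers" <<EOF
User_Alias  OPERATORS = alice, bob
Host_Alias  WEBHOSTS  = www1, www2
Cmnd_Alias  SERVICES  = /usr/sbin/service

# The secure_path run-time option is back in 1.7.
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Descriptor at which sudo starts closing open files (new Defaults option).
Defaults    closefrom=3

# Per-command Defaults (new in 1.7): always ask for a password for SERVICES.
Defaults!SERVICES  timestamp_timeout=0

# Runas spec with the new group section: run as root with primary group
# wheel, invoked as "sudo -g wheel /usr/sbin/service httpd restart".
OPERATORS  WEBHOSTS = (root : wheel) SERVICES

# A uid may now be used anywhere a user name is valid (#uid form).
#1001  WEBHOSTS = (root) NOPASSWD: /usr/sbin/apachectl graceful

# The new #include facility.
#include $dir/sudoers.local
EOF

    # Without this line sudo 1.7 consults files only, even with LDAP built in.
    printf 'sudoers: ldap files\n' > "$dir/nsswitch.conf"

    # sudo 1.7 ignores ~/.ldaprc and the system LDAP defaults, so every
    # setting lives here.  The weak tls_checkpeer form is shown commented out.
    cat > "$dir/ldap.conf" <<'EOF'
uri            ldap://ldap.example.com
ssl            start_tls
sudoers_base   ou=SUDOers,dc=example,dc=com
binddn         cn=sudo,ou=svc,dc=example,dc=com
bindpw         secret
# Weak: skips certificate checking, so anyone who can answer for
# ldap.example.com can feed sudo a policy of their choosing.
#tls_checkpeer  no
# Preferred: keep checking and point sudo at the CA that signed the cert.
tls_checkpeer  yes
tls_cacertfile /etc/ssl/certs/site-ca.pem
# Kerberos/SASL bind (new in 1.7) instead of binddn/bindpw; the cache
# name below is an assumed value for the example.
#use_sasl     yes
#krb5_ccname  FILE:/var/run/sudo.ccache
EOF
    echo "$dir"
}

# Syntax-check a staged sudoers file with visudo (-c check only, -f file).
# Returns visudo's status, or 0 with a note when visudo is not installed.
check_sudoers() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not installed; syntax check skipped" >&2
        return 0
    fi
    visudo -c -f "$1"
}

# Usage: STAGE_DIR=/tmp/sudo17 sh stage_sudo17.sh
if [ -n "${STAGE_DIR:-}" ]; then
    check_sudoers "$(stage_sudo17_config "$STAGE_DIR")/sudoers"
fi
```

The staged files are meant to be reviewed and then copied into place by
hand; the script never writes to /etc.  The tls_checkpeer choice matters
more for sudo than for most LDAP clients: with "sudoers: ldap files" the
directory is the first source of privilege policy, so an LDAP server that
is not verified is an LDAP server whose answers decide who gets root.
Prefer tls_cacertfile (or tls_cacertdir) over "tls_checkpeer no" whenever
the CA that issued the server certificate is available.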