From carl at carlcaum.com Wed Mar 4 10:44:38 2009
From: carl at carlcaum.com (Carl Caum)
Date: Wed, 4 Mar 2009 09:44:38 -0600
Subject: [sudo-workers] #Include directive with wildcards

Is there any way to use wildcards in the /etc/sudoers file with the new
#include directive? I would like to be able to do something like this:

----/etc/sudoers
#include /etc/sudoers.d/*
----end /etc/sudoers

Then I could have my configuration management system (Puppet) manage all
the individual files in /etc/sudoers.d/ and /etc/sudoers while watching
for malicious changes.

From Todd.Miller at courtesan.com Wed Mar 4 12:48:59 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 04 Mar 2009 12:48:59 -0500
Subject: [sudo-workers] #Include directive with wildcards
In-Reply-To: Your message of "Wed, 04 Mar 2009 09:44:38 CST."
Message-ID: <200903041749.n24HmxdG019615@core.courtesan.com>

That's not supported at the moment. I am planning to add support for
including directories in a future release.

 - todd

From Todd.Miller at courtesan.com Sun Mar 8 19:06:12 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun, 08 Mar 2009 19:06:12 -0400
Subject: [sudo-workers] Sudo 1.7.1b2 available
Message-ID: <200903082306.n28N6CM2016110@core.courtesan.com>

The second beta version (first public beta) of Sudo version 1.7.1 is now
available.

Download links:
  http://www.sudo.ws/sudo/dist/beta/sudo-1.7.b2.tar.gz
  ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.b2.tar.gz

Changes from Sudo 1.7.0:

 o Fixed a crash when sudoers has the wrong user/mode.
 o Fixed parsing of comments that start with a dash.
 o Added pwfeedback option to provide visual feedback when the user is
   entering a password.
 o Added fast_glob option to use fnmatch() for globbing. When this is
   enabled, sudo will not check the file system when expanding wild cards.
   This is faster but a side effect is that relative paths with wild card
   will no longer work.
 o Merged in BSM audit support from Christian S.J.
   Peron.
 o Fixed a bug in the included version of glob() that broke wild card
   matching on systems other than BSD and Linux.
 o Added %h escape (short form of hostname) to the #include directive.
 o The -k flag may now be specified along with a command, causing the
   user's timestamp file to be ignored.
 o Fixed a crash when a PAM module's session action prompts for user input.
 o Added support for Tivoli-based LDAP START_TLS as seen in AIX.
 o Sudo now replaces the putenv, setenv and unsetenv functions with its
   own that operate on its own copy of the environment.

From Todd.Miller at courtesan.com Mon Mar 9 07:19:13 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 09 Mar 2009 07:19:13 -0400
Subject: [sudo-workers] Sudo 1.7.1b2 available
In-Reply-To: Your message of "Sun, 08 Mar 2009 19:06:12 EDT." <200903082306.n28N6CM2016110@core.courtesan.com>
References: <200903082306.n28N6CM2016110@core.courtesan.com>
Message-ID: <200903091119.n29BJDj2004243@core.courtesan.com>

Corrected download links:
  http://www.sudo.ws/sudo/dist/beta/sudo-1.7.1b2.tar.gz
  ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.1b2.tar.gz

From Todd.Miller at courtesan.com Thu Mar 12 10:05:14 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 12 Mar 2009 10:05:14 -0400
Subject: [sudo-workers] Sudo 1.7.1b3 available
Message-ID: <200903121405.n2CE5EQT027393@core.courtesan.com>

The third beta release of Sudo version 1.7.1 is now available.

Download links:
  http://www.sudo.ws/sudo/dist/beta/sudo-1.7.1.b3.tar.gz
  ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.1.b3.tar.gz

Changes from Sudo 1.7.1b2:

 o Added support for /etc/netsvc.conf on AIX
 o Fixed a few K&R compilation issues.

Changes from Sudo 1.7.0:

 o Fixed a crash when sudoers has the wrong user/mode.
 o Fixed parsing of comments that start with a dash.
 o Added pwfeedback option to provide visual feedback when the user is
   entering a password.
 o Added fast_glob option to use fnmatch() for globbing.
   When this is enabled, sudo will not check the file system when expanding
   wild cards. This is faster but a side effect is that relative paths with
   wild card will no longer work.
 o Merged in BSM audit support from Christian S.J. Peron.
 o Fixed a bug in the included version of glob() that broke wild card
   matching on systems other than BSD and Linux.
 o Added %h escape (short form of hostname) to the #include directive.
 o The -k flag may now be specified along with a command, causing the
   user's timestamp file to be ignored.
 o Fixed a crash when a PAM module's session action prompts for user input.
 o Added support for Tivoli-based LDAP START_TLS as seen in AIX.
 o Sudo now replaces the putenv, setenv and unsetenv functions with its
   own that operate on its own copy of the environment.

From sudo-list at wisti.com Tue Mar 17 14:08:59 2009
From: sudo-list at wisti.com (Eric J. Wisti)
Date: Tue, 17 Mar 2009 13:08:59 -0500 (CDT)
Subject: [sudo-workers] Feature request

I have worked on a number of PCI/SOX/GLBA audits and sudo is always a pain
to report on. I think a reporting binary or root-only switches on sudo
would be immensely helpful.

I am currently trying to write perl code to parse sudoers and report on a
class of users which have either (ALL) ALL or (root) ALL privs, along with
a couple of other medium risk commands. It would be nice to be able to
have a standard list of high, medium and low root equivalence and be able
to report on them. Things like (ALL) ALL and bin/su - root would be in the
high class, medium would be things with shell escapes, vi, less, low could
be a combination of chown and chmod. The base list could be built-in and
have a section (or another config file) for additional commands to audit.

Another nice to have would be to test if a user has access to a command.

  sudo --check-user john 'su - root'

or

  sudo --check-all 'su - root'

to list all users (or groups) that have access to 'su - root'.
These would use the same code that is used to evaluate the user running
sudo, except that it would use the requested user rather than the current
user. Again, a root-only switch. I guess the above could also be a type of
right that could be assigned in sudoers as well.

Comments?

Eric Wisti

From Todd.Miller at courtesan.com Tue Mar 17 14:14:40 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 17 Mar 2009 14:14:40 -0400
Subject: [sudo-workers] Feature request
In-Reply-To: Your message of "Tue, 17 Mar 2009 13:08:59 CDT."
Message-ID: <200903171814.n2HIEekq011773@core.courtesan.com>

I've been considering some kind of reporting mode for sudo, but haven't
thought too hard about the details.

Starting with sudo 1.7.0 you can query what commands a user may run. For
instance, "sudo -U username -l" will do the equivalent of "sudo -l" for
user "username". You can also list individual commands, e.g.

    % sudo -l ls
    /bin/ls

and by extension:

    # sudo -l -U username command

 - todd

From sudo-list at wisti.com Tue Mar 17 14:49:25 2009
From: sudo-list at wisti.com (Eric J. Wisti)
Date: Tue, 17 Mar 2009 13:49:25 -0500 (CDT)
Subject: [sudo-workers] Feature request
In-Reply-To: <200903171814.n2HIEekq011773@core.courtesan.com>
References: <200903171814.n2HIEekq011773@core.courtesan.com>

That helps (and I guess kind of covers the second half of my email, but
not "list all users with x"), but my biggest area is the first part.
"Who has root privs in full?" "Where are holes that should be changed to
remove excess privs?"

I would be glad to lend support for the design side of the updates for
reporting. Not sure I'd be any help on the code side, though.
;)

Eric Wisti

From dhanks at gmail.com Tue Mar 17 21:22:34 2009
From: dhanks at gmail.com (Doug Hanks)
Date: Tue, 17 Mar 2009 18:22:34 -0700
Subject: [sudo-workers] Feature request
References: <200903171814.n2HIEekq011773@core.courtesan.com>
Message-ID: <82a71f8a0903171822i1f7f70aarf3a14a12d8679793@mail.gmail.com>

If I'm not mistaken ...

  grep 'ALL = (ALL) ALL' /etc/sudoers | awk '{ print $1 }'

would print all of the users and groups that are allowed full access.
Although this wouldn't be enough for a PCI audit. There could be include
files, sub-permissions and potential other privileges that could be
elevated.

On Tue, Mar 17, 2009 at 11:49 AM, Eric J. Wisti wrote:
>
> That helps (and I guess kind of covers the second half of my email, but
> not "list all users with x"), but my biggest area is the first part.
> "Who has root privs in full?" "Where are holes that should be changed to
> remove excess privs?"
>
> I would be glad to lend support for the design side of the updates for
> reporting. Not sure I'd be any help on the code side, though. ;)
>
> Eric Wisti
> ____________________________________________________________
> sudo-workers mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-workers
>

--
- Doug Hanks = dhanks(at)gmail(dot)com

From sudo-list at wisti.com Tue Mar 17 23:52:40 2009
From: sudo-list at wisti.com (Eric J. Wisti)
Date: Tue, 17 Mar 2009 22:52:40 -0500 (CDT)
Subject: [sudo-workers] Feature request
In-Reply-To: <82a71f8a0903171822i1f7f70aarf3a14a12d8679793@mail.gmail.com>
References: <200903171814.n2HIEekq011773@core.courtesan.com> <82a71f8a0903171822i1f7f70aarf3a14a12d8679793@mail.gmail.com>

What about "= (ALL) ^IALL" or other oddities that whitespace brings? I've
been trying to emulate the parser for sudo and it seems that 80% of what I
need is IN sudo now. I've looked for code via google and there isn't much
out there.
There are a number of people in my same situation. Seems like a tinker
here and there and you'd have a great feature for sudo, since it's a key
in many audit situations.

Another thing: is user xyz permitted root privs? Using grep (or perl), you
need to look for all groups with (ALL) ALL or su - root or su - (without a
trailing pattern) or su (without a trailing pattern). Those are the few I
can think of. Then, you need to go back and check for any groups,
netgroups, ldap, etc. and see if they are used. Then you can finally check
to see if user xyz has x command.

Since we are talking about a utility that permits root usage and audits
need to know who has what, it seems like a big win and not too much coding
(guess on my part). I'm a minimalist. I'd prefer to not rewrite the
sudoers parser in perl.... ;)

Eric

>
> If I'm not mistaken ...
>
> grep 'ALL = (ALL) ALL' /etc/sudoers | awk '{ print $1 }'
>
> would print all of the users and groups that are allowed full access.
> Although this wouldn't be enough for a PCI audit. There could be include
> files, sub-permissions and potential other privileges that could be
> elevated.
>

From Todd.Miller at courtesan.com Thu Mar 19 16:42:20 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 19 Mar 2009 16:42:20 -0400
Subject: [sudo-workers] Sudo 1.7.1b4 available
Message-ID: <200903192042.n2JKgK8s007019@core.courtesan.com>

The fourth beta release of Sudo version 1.7.1 is now available.

Download links:
  http://www.sudo.ws/sudo/dist/beta/sudo-1.7.1b4.tar.gz
  ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.1b4.tar.gz

Changes from Sudo 1.7.1b3:

 o Fixed an LDAP-related compilation problem when the ldap library
   supports ldap_sasl_interactive_bind_s() but no SASL headers exist.

Changes from Sudo 1.7.1b2:

 o Added support for /etc/netsvc.conf on AIX
 o Fixed a few K&R compilation issues.

Changes from Sudo 1.7.0:

 o Fixed a crash when sudoers has the wrong user/mode.
 o Fixed parsing of comments that start with a dash.
 o Added pwfeedback option to provide visual feedback when the user is
   entering a password.
 o Added fast_glob option to use fnmatch() for globbing. When this is
   enabled, sudo will not check the file system when expanding wild cards.
   This is faster but a side effect is that relative paths with wild card
   will no longer work.
 o Merged in BSM audit support from Christian S.J. Peron.
 o Fixed a bug in the included version of glob() that broke wild card
   matching on systems other than BSD and Linux.
 o Added %h escape (short form of hostname) to the #include directive.
 o The -k flag may now be specified along with a command, causing the
   user's timestamp file to be ignored.
 o Fixed a crash when a PAM module's session action prompts for user input.
 o Added support for Tivoli-based LDAP START_TLS as seen in AIX.
 o Sudo now replaces the putenv, setenv and unsetenv functions with its
   own that operate on its own copy of the environment.

From Todd.Miller at courtesan.com Sun Mar 29 08:59:29 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun, 29 Mar 2009 08:59:29 -0400
Subject: [sudo-workers] Sudo 1.7.1b5 available
Message-ID: <200903291259.n2TCxTZc011697@core.courtesan.com>

The fifth beta release of Sudo version 1.7.1 is now available. I plan to
make the first release candidate of 1.7.1 in one week.

Download links:
  http://www.sudo.ws/sudo/dist/beta/sudo-1.7.1b5.tar.gz
  ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.1b5.tar.gz

Changes from Sudo 1.7.1b4:

 o The unused alias checks in visudo now handle the case of an alias
   referring to another alias.

Changes from Sudo 1.7.1b3:

 o Fixed an LDAP-related compilation problem when the ldap library
   supports ldap_sasl_interactive_bind_s() but no SASL headers exist.

Changes from Sudo 1.7.1b2:

 o Added support for /etc/netsvc.conf on AIX
 o Fixed a few K&R compilation issues.

Changes from Sudo 1.7.0:

 o Fixed a crash when sudoers has the wrong user/mode.
 o Fixed parsing of comments that start with a dash.
 o Added pwfeedback option to provide visual feedback when the user is
   entering a password.
 o Added fast_glob option to use fnmatch() for globbing. When this is
   enabled, sudo will not check the file system when expanding wild cards.
   This is faster but a side effect is that relative paths with wild card
   will no longer work.
 o Merged in BSM audit support from Christian S.J. Peron.
 o Fixed a bug in the included version of glob() that broke wild card
   matching on systems other than BSD and Linux.
 o Added %h escape (short form of hostname) to the #include directive.
 o The -k flag may now be specified along with a command, causing the
   user's timestamp file to be ignored.
 o Fixed a crash when a PAM module's session action prompts for user input.
 o Added support for Tivoli-based LDAP START_TLS as seen in AIX.
 o Sudo now replaces the putenv, setenv and unsetenv functions with its
   own that operate on its own copy of the environment.
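The reporting that Eric Wisti asks for in the "Feature request" thread above (who holds (ALL) ALL or su-to-root, who may run a given command), done in a way that survives the things Doug Hanks's one-line grep cannot: tabs and missing spaces around "=", #include files (with the %h escape from the 1.7.1 change list), backslash continuations, User_Alias/Cmnd_Alias/Runas_Alias expansion including an alias that names another alias, and NOPASSWD: tags. This is an added example in Python and is neither sudo's code nor anything posted in the thread. The sudoers snippet, the host name db01, the include file path and the three risk tiers (high: ALL or su to root, medium: shell escapes, low: chown/chmod, as Eric proposed) are constructed for illustration; the parser deliberately skips wildcards, "!" negation, Host_Alias matching and ":"-separated multiple command specs.

```python
"""Who holds root-equivalent sudo grants (added example, not sudo's own code). Parses a
constructed sudoers snippet from a dict standing in for the filesystem: follows #include
with the %h hostname escape, joins '\\' continuations, tolerates tabs, expands User_/Runas_/
Cmnd_Alias (aliases may name aliases) and tiers users. Skips wildcards, '!', hosts, ':'."""
import re

LEVELS = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
SU_ROOT = re.compile(r"^(?:\S*/)?su(?:\s+-)?(?:\s+root)?$")  # su, su -, su root, su - root
SHELL_ESCAPE, PERM_TOOLS = {"vi", "vim", "less", "more", "sh", "bash", "ksh"}, {"chown", "chmod"}

FILES = {  # constructed sample: tabs, a continuation line and an include on purpose
    "/etc/sudoers": """\
Defaults\trequiretty
User_Alias\tADMINS = alice, bob
User_Alias\tOPS = ADMINS, %ops
Cmnd_Alias\tSHELLS = /bin/su, /bin/bash
root\tALL = (ALL) ALL
OPS\tALL=(ALL)\tALL
carol\tALL = (root) NOPASSWD: /bin/su - root
dave\tALL = (ALL) SHELLS
erin\tALL = /usr/bin/vi, \\
\t/usr/bin/less
frank\tALL = (root) /bin/chown, /bin/chmod
helen\tALL = (postgres) /bin/su - postgres
#include /etc/sudoers.d/%h
""",
    "/etc/sudoers.d/db01": "grace\tALL = (ALL) ALL\n",
}


def read_lines(files, path, host):
    """Yield logical lines: join '\\' continuations, follow #include, drop comments."""
    buf = ""
    for raw in files[path].splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line.startswith("#include "):
            yield from read_lines(files, line.split(None, 1)[1].replace("%h", host), host)
        elif line and not line.startswith("#"):
            yield line


def split_list(text):
    return [x.strip() for x in text.split(",") if x.strip()]


def expand(names, table):  # replace alias names by their members, recursively
    return [x for n in names for x in (expand(table[n], table) if n in table else [n])]


def parse(files, path="/etc/sudoers", host="localhost"):
    """Return (users, hosts, runas, commands) tuples with aliases expanded."""
    aliases = {k: {} for k in ("User_Alias", "Runas_Alias", "Cmnd_Alias", "Host_Alias")}
    specs = []
    for line in read_lines(files, path, host):
        lhs, sep, rhs = line.partition("=")
        head = lhs.split()
        if not sep or not head or head[0].startswith("Defaults"):
            continue                                      # no grant on this line
        if head[0] in aliases:
            aliases[head[0]][head[1]] = split_list(rhs)
            continue
        users, hosts, runas = split_list(" ".join(head[:-1])), head[-1], ["root"]  # sudo's default runas
        if m := re.match(r"\s*\(([^)]*)\)\s*(.*)", rhs):   # "(user : group)": keep the user part
            runas, rhs = split_list(m.group(1).split(":")[0]), m.group(2)
        cmds = [re.sub(r"^(?:[A-Z]+:\s*)+", "", c) for c in split_list(rhs)]  # drop NOPASSWD: etc.
        specs.append((users, hosts, runas, cmds))
    return [(expand(u, aliases["User_Alias"]), h, expand(r, aliases["Runas_Alias"]),
             expand(c, aliases["Cmnd_Alias"])) for u, h, r, c in specs]


def classify(runas, cmd):
    """HIGH = root shell (ALL or su to root), MEDIUM = shell escape, LOW = chown/chmod, else None."""
    if not {"ALL", "root"} & set(runas):
        return None                                       # cannot become root this way
    if cmd == "ALL" or SU_ROOT.match(cmd):
        return "HIGH"
    base = cmd.split()[0].rsplit("/", 1)[-1]
    return "MEDIUM" if base in SHELL_ESCAPE else "LOW" if base in PERM_TOOLS else None


def report(files, path="/etc/sudoers", host="localhost"):
    """Map each user or %group to the highest tier it holds anywhere in the config."""
    result = {}
    for users, _hosts, runas, cmds in parse(files, path, host):
        for u in users:
            for lvl in filter(None, (classify(runas, c) for c in cmds)):
                if LEVELS[lvl] > LEVELS.get(result.get(u), 0):
                    result[u] = lvl
    return result


def cmd_matches(spec, command):
    """ALL matches anything; a bare path matches any args; a path with args must match exactly."""
    s, c = spec.split(), command.split()
    return spec == "ALL" or s == c or (len(s) == 1 and s[0] == c[0])


def who_can(files, command, path="/etc/sudoers", host="localhost"):
    """Everyone allowed to run 'command' as root: the 'sudo --check-all' idea from the thread."""
    hits = set()
    for users, _hosts, runas, cmds in parse(files, path, host):
        if {"ALL", "root"} & set(runas) and any(cmd_matches(c, command) for c in cmds):
            hits.update(users)
    return sorted(hits)


if __name__ == "__main__":
    print(report(FILES, host="db01"), who_can(FILES, "/bin/su - root", host="db01"))
```

On the sample, report() tiers root, alice, bob, %ops, carol, dave and grace as HIGH (grace only through the included file, dave through the bare /bin/su in a Cmnd_Alias), erin as MEDIUM, frank as LOW, and leaves helen out because her grant runs as postgres. Against real files replace the dict with open() calls. Two caveats an auditor should keep in mind: because "!" exclusions are ignored the report can only over-state grants, which is the safe direction, but because wildcards are ignored a grant such as "/bin/su *" would be missed, so treat this as triage and use "sudo -l -U user command" from Todd's reply, which goes through sudo's own parser, as the authoritative check for any individual user.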