[sudo-users] monitoring subprocesses
Todd C. Miller
Todd.Miller at courtesan.com
Tue Oct 5 17:17:47 EDT 2004
I recently added a monitor mode to sudo where it can intercept the
execution of new programs, check sudoers to see if the program
should be allowed/denied and cause execution to fail if sudoers
denies it. In other words, even when you "sudo sh" sudo can still
check the commands you run (and log them).
Right now I only support OSes that have the systrace kernel facility
(see www.systrace.org) and it is known to work on OpenBSD and Linux
(as long as you have the systrace patches in your kernel).
The lack of support for this kind of thing has long been one of
sudo's chief deficiencies. I would like to add support for other
operating systems using whatever facilities they support (for
instance, Solaris's proc interface). It should also be possible
to support monitoring on OSes that only support ptrace, though there
are some relatively minor side effects when using that.
Since this kind of thing is highly OS-specific (and thus very time
consuming), I am asking the sudo community whether anyone works for
an organization that would be willing to financially support
development of monitoring for specific OSes.
PS. The systrace monitoring support is in the sudo cvs repository
now (along with #include support for sudoers files). See
http://www.sudo.ws/sudo/anoncvs.html for details on how to
check out a copy of the cvs tree.