[sudo-users] Call for testing: sudo 1.9.0

Todd C. Miller Todd.Miller at sudo.ws
Tue Mar 31 19:52:34 MDT 2020


The fifth beta version of sudo 1.9.0 is now available.  I expect
to have the first release candidate ready by the end of the week.
It would be great to hear from other people trying out the new
features, especially the centralized I/O log support.

This version of sudo contains some major changes, which are reflected
by the change from version 1.8.x to 1.9.x.  The biggest changes in
sudo 1.9.0 are support for centralized I/O logging and sudo plugins
written in Python.  Peter Czanik has written several blog posts on
the new sudo features which you can view at https://blog.sudo.ws/.

Source:
    https://www.sudo.ws/dist/beta/sudo-1.9.0b5.tar.gz

Binary packages:
    https://www.sudo.ws/dist/beta/packages/index.html#binary

What's new in Sudo 1.9.0

 * Fixed a test failure in the strsig_test regress test on FreeBSD.

 * Sudo now includes a logging daemon, sudo_logsrvd, which can be
   used to implement centralized logging of I/O logs.  TLS connections
   are supported when sudo is configured with the --enable-openssl
   option.  For more information, see the sudo_logsrvd, logsrvd.conf
   and sudo_logsrv.proto manuals as well as the log_servers setting
   in the sudoers manual.

   The --disable-log-server and --disable-log-client configure
   options can be used to disable building the I/O log server and/or
   remote I/O log support in the sudoers plugin.

 * The new sudo_sendlog utility can be used to test sudo_logsrvd
   or send existing sudo I/O logs to a centralized server.

 * It is now possible to write sudo plugins in Python 3 when sudo
   is configured with the --enable-python option.  See the
   sudo_plugin_python manual for details.

   Sudo 1.9.0 comes with several Python example plugins that get
   installed in sudo's examples directory.

   The sudo blog article "What's new in sudo 1.9: Python"
   (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
   includes a simple tutorial on writing python plugins.

 * Sudo now supports an "audit" plugin type.  An audit plugin
   receives accept, reject, exit and error messages and can be used
   to implement custom logging that is independent of the underlying
   security policy.   Multiple audit plugins may be specified in
   the sudo.conf file.  A sample audit plugin is included that
   writes logs in JSON format.

 * Sudo now supports an "approval" plugin type.  An approval plugin
   is run only after the main security policy (such as sudoers) accepts
   a command to be run.  The approval policy may perform additional
   checks, potentially interacting with the user.  Multiple approval
   plugins may be specified in the sudo.conf file.  Only if all
   approval plugins succeed will the command be allowed.

 * Sudo's -S command line option now causes the sudo conversation
   function to write to the standard output or standard error instead
   of the terminal device.

 * It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias" for
   people who find the former more natural.

 * The new "pam_ruser" and "pam_rhost" sudoers settings can be used
   to enable or disable setting the PAM remote user and/or host
   values during PAM session setup.

 * More than one SHA-2 digest may now be specified for a single
   command.  Multiple digests must be separated by a comma.

 * It is now possible to specify a SHA-2 digest in conjunction with
   the "ALL" reserved word in a command specification.  This allows
   one to give permission to run any command that matches the
   specified digest, regardless of its path.

 * Sudo and sudo_logsrvd now create an extended I/O log info file
   in JSON format that contains additional information about the
   command that was run, such as the host name.  The sudoreplay
   utility uses this file in preference to the legacy log file.

 * The sudoreplay utility can now match on a host name in list mode.
   The list output also now includes the host name if one is present
   in the log file.
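
The two digest items above (several SHA-2 digests for one command, and a
digest combined with "ALL"), as an added example that is not part of the
original announcement or of sudo itself: a Python helper that hashes a set
of approved builds and emits the matching sudoers line.  The user alice, the
path /usr/local/bin/deploy and the sample file contents are constructed, and
POSIX paths are assumed.

```python
import hashlib
import os
import tempfile

def sha256_hex(path, chunk=65536):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def digest_list(paths):
    """Comma-separated sha256 specs, one per distinct file content."""
    if not paths:
        raise ValueError("at least one approved binary is required")
    seen = []
    for p in paths:
        d = sha256_hex(p)
        if d not in seen:          # identical builds collapse to one digest
            seen.append(d)
    return ", ".join("sha256:" + d for d in seen)

def sudoers_rule(user, approved_paths, command):
    """command is a fully-qualified path, or "ALL" to match the digest at any path."""
    if command != "ALL" and not os.path.isabs(command):
        raise ValueError("sudoers commands must be fully-qualified paths")
    if any(c.isspace() or c in ",:=\\" for c in user + command):
        raise ValueError("character needs sudoers escaping; refusing to emit")
    return f"{user} ALL = {digest_list(approved_paths)} {command}"

if __name__ == "__main__":
    # Constructed stand-ins for two approved builds of one tool.
    with tempfile.TemporaryDirectory() as d:
        builds = []
        for name, body in (("deploy-1.0", b"#!/bin/sh\necho v1\n"),
                           ("deploy-1.1", b"#!/bin/sh\necho v2\n")):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(body)
            builds.append(path)
        print(sudoers_rule("alice", builds, "/usr/local/bin/deploy"))
        print(sudoers_rule("alice", builds[:1], "ALL"))
```

Check a generated line with visudo -c before installing it.  The "ALL" form
permits any file whose content matches the digest, wherever it is stored.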