[sudo-users] Fwd: sudo 1.9.8b4 released
Todd C. Miller
Todd.Miller at sudo.ws
Thu Sep 2 12:53:37 MDT 2021
[I'm forwarding this to sudo-users in case folks here would like
to try out intercept and log_subcmds before the 1.9.8 release.]
The fourth beta release of sudo 1.9.8 is now available.
In addition to bug fixes, sudo 1.9.8 adds a new "intercept" mode
that can be used to intercept the execve() system call in the command
run by sudo and do a policy check on sub-commands before they are
executed. Intercept mode uses LD_PRELOAD to communicate with the
main sudo process to perform the sudoers check. As such, there are
some limitations. See the sudoers man page for details.
Sudo 1.9.8 also includes a new sudoers setting, log_subcmds, which
works like intercept mode but only logs the command that was run
and does not validate it against the sudoers file.
Source:
https://www.sudo.ws/dist/beta/sudo-1.9.8b4.tar.gz
ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.9.8b4.tar.gz
SHA256 checksum:
10e95ae172dcbb43f2341b59f9a743920b99e28ba9c997c49819204a39e12036
MD5 checksum:
b61a0d5c9c744669247e8e8d5848f2a9
Binary packages:
https://www.sudo.ws/dist/beta/packages/index.html#binary
For a list of download mirror sites, see:
https://www.sudo.ws/download_mirrors.html
Sudo web site:
https://www.sudo.ws/
Sudo web site mirrors:
https://www.sudo.ws/mirrors.html
Major changes between sudo 1.9.8b4 and 1.9.8b3:
* The runcwd entry in the event log is now updated when the intercept
or log_runcmds settings are enabled in sudoers.
* Sudo is now built with the -fstack-clash-protection and
-Wl,-z,noexecstack options by default if they are supported.
* The random token shared between sudo and sudo_intercept.so
has been increased to 128 bits and is now transferred before the
actual protocol begins. Connections that don't start with the
proper token are dropped immediately.
* Fixed sudo's UUID generation and added a regression test.
* SELinux RBAC cannot be used with the intercept or log_subcmds
sudoers settings. They are fundamentally incompatible and are
now documented as such.
* When configure is run with the --disable-intercept option, the
intercept support code is no longer compiled.
Major changes between sudo 1.9.8b3 and 1.9.8b2:
* The log_children sudoers setting has been renamed to log_subcmds.
* The execv() function can now be intercepted as well as execve.
* Rewrote the sudo_intercept.so <-> sudo interprocess communication.
It now uses a localhost TCP socket instead of an inherited file
descriptor. Some shells close all open file descriptors greater
than 2 when they start up which did not work with the old scheme.
In the new scheme, the inherited file descriptor is only used
to retrieve a shared secret and port number, after which it is
closed. The actual policy decision is made over a new TCP
connection in the intercepted execve() call.
* Fixed formatting for bound defaults with multiple entries in the
binding. The entries in the binding were separated with " ,"
instead of ", ".
* Fixed logging of the command name for "log_children". Previously,
the parent process name was logged (though the logged argv was
correct).
* Updated translations from translationproject.org.
Major changes between sudo 1.9.8b2 and 1.9.8b1:
* Sudo will no longer permit a set-user-ID or set-group-ID program
to be run in intercept mode unless the new "intercept_allow_setid"
sudoers setting is enabled.
* The mksigname and mksiglist helper programs are now built with
the host compiler, not the target compiler, when cross-compiling.
Bug #989.
Major changes between sudo 1.9.8b1 and 1.9.7p2:
* It is now possible to transparently intercept sub-commands
executed by the original command run via sudo. Intercept support
is implemented using LD_PRELOAD (or the equivalent supported by
the system) and so has some limitations. The two main limitations
are that only dynamic executables are supported and only the
execve() system call is currently intercepted. Its main use
case is to support restricting privileged shells run via sudo.
To support this, there is a new "intercept" Defaults setting and
an INTERCEPT command tag that can be used in sudoers. For example:
    Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
    Defaults!SHELLS intercept
would cause sudo to run the listed shells in intercept mode.
This can also be set on a per-rule basis. For example:
    Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
    chuck ALL = INTERCEPT: SHELLS
would only apply intercept mode to user "chuck" when running one
of the listed shells.
* The new "log_children" sudoers setting can be used to log commands
run in a privileged shell. It uses the same mechanism as the
intercept support described above and has the same limitations.
* Support for logging sudo_logsrvd errors via syslog or to a file.
Previously, most sudo_logsrvd errors were only visible in the
debug log.
* Better diagnostics when there is a TLS certificate validation error.
* Using the "+=" or "-=" operators in a Defaults setting that takes
a string, not a list, now produces a warning from sudo and a
syntax error from inside visudo.
* Fixed a bug where the "iolog_mode" setting in sudoers and sudo_logsrvd
had no effect when creating I/O log parent directories if the I/O log
file name ended with the string "XXXXXX".
* Fixed a bug in the sudoers custom prompt code where the size
parameter that was passed to the strlcpy() function was incorrect.
No overflow was possible since the correct amount of memory was
already pre-allocated.
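The token check described in the 1.9.8b4 and 1.9.8b3 notes above (a 128-bit shared token sent before the protocol begins, over a localhost TCP connection, with non-matching connections dropped), shown in C as an added example. This is not sudo's code or wire format: handshake(), token_ok(), the "OK" reply and the comparison without early exit are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define TOKEN_LEN 16 /* 128 bits, the size given in the 1.9.8b4 notes */

/* Read exactly TOKEN_LEN bytes; compare with no early exit on mismatch. */
static int token_ok(int fd, const unsigned char *want) {
    unsigned char got[TOKEN_LEN], diff = 0;
    ssize_t n;
    for (size_t off = 0; off < TOKEN_LEN; off += (size_t)n)
        if ((n = read(fd, got + off, TOKEN_LEN - off)) <= 0) return 0; /* EOF before full token */
    for (size_t i = 0; i < TOKEN_LEN; i++) diff |= got[i] ^ want[i];
    return diff == 0;
}

/* One connection (hypothetical helper): 1 = listener answered, 0 = peer dropped, -1 = error. */
int handshake(const unsigned char *secret, const unsigned char *sent, size_t len) {
    struct sockaddr_in sa = { .sin_family = AF_INET }; /* port 0: ephemeral */
    socklen_t slen = sizeof(sa);
    char reply[8];
    int afd, rc = -1;
    int lfd = socket(AF_INET, SOCK_STREAM, 0), cfd = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* listener is loopback-only */
    if (lfd < 0 || cfd < 0 || bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        listen(lfd, 1) < 0 || getsockname(lfd, (struct sockaddr *)&sa, &slen) < 0 ||
        connect(cfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) goto done;
    /* Client side: the token is the first thing on the wire. */
    if (write(cfd, sent, len) != (ssize_t)len || shutdown(cfd, SHUT_WR) < 0) goto done;
    /* Listener side: verify the token before parsing anything else. */
    if ((afd = accept(lfd, NULL, NULL)) < 0) goto done;
    if (token_ok(afd, secret)) send(afd, "OK", 2, 0); /* "OK" stands in for the real protocol */
    close(afd); /* wrong or short token: closed with no reply */
    rc = read(cfd, reply, sizeof(reply)) == 2;
done:
    close(cfd); close(lfd);
    return rc;
}

int main(void) {
    unsigned char secret[TOKEN_LEN], zero[TOKEN_LEN] = {0}; /* zero[]: constructed wrong token */
    int fd = open("/dev/urandom", O_RDONLY); /* 128-bit secret from the kernel CSPRNG */
    if (fd < 0 || read(fd, secret, TOKEN_LEN) != TOKEN_LEN) return 1;
    close(fd);
    printf("good=%d wrong=%d short=%d\n", handshake(secret, secret, TOKEN_LEN),
           handshake(secret, zero, TOKEN_LEN), handshake(secret, secret, 8));
}
```

Because the port is reachable by any local process, the token is what ties a connection to the process that inherited the secret, which is why the check comes before any other protocol parsing.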