From pbrezina at redhat.com Wed Apr 1 03:17:42 2020
From: pbrezina at redhat.com (Pavel Březina)
Date: Wed, 1 Apr 2020 11:17:42 +0200
Subject: [sudo-workers] Kerberize sudo
In-Reply-To: <4f62a370eecd48b9@sudo.ws>
References: <6e7a9378-9347-788b-5763-4c3ae7c7b719@redhat.com>
 <4da241eb-5a4e-6754-6e72-5feb1a21b26e@redhat.com>
 <4f62a370eecd48b9@sudo.ws>
Message-ID: <64df668d-b8b6-c517-5c2c-919f6696ddc9@redhat.com>

On 4/1/20 3:53 AM, Todd C. Miller wrote:
> Another way to implement this would be via the approval plugin API
> introduced in sudo 1.9.0.
>
>  - todd
>

Thank you, I will look into that.

From Todd.Miller at sudo.ws Thu Apr 9 07:39:49 2020
From: Todd.Miller at sudo.ws (Todd C. Miller)
Date: Thu, 09 Apr 2020 07:39:49 -0600
Subject: [sudo-workers] sudo 1.9.0rc1 released
Message-ID: <4f6311f94777735b@sudo.ws>

The first release candidate of sudo 1.9.0 is now available.
I expect to have the final release ready next week.

This version of sudo contains some major changes which is
reflected by the change from version 1.8.x to 1.9.x.  The biggest
changes in sudo 1.9.0 are support for centralized I/O logging and
sudo plugins written in Python.  Peter Czanik has written several
blog posts on the new sudo features which you can view at
https://blog.sudo.ws/.

Source:
    https://www.sudo.ws/dist/beta/sudo-1.9.0rc1.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.9.0rc1.tar.gz

SHA256 checksum:
    c15080e785607b7a305eabbfb41a56e48d645a3dfababfb74ac87b8a7dc6759e

MD5 checksum:
    eac034416a6da4bae5b2c4e185d79775

Binary packages:
    https://www.sudo.ws/dist/beta/packages/index.html#binary

For a list of download mirror sites, see:
    https://www.sudo.ws/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/

Sudo web site mirrors:
    https://www.sudo.ws/mirrors.html

Major changes between sudo 1.9.0b5 and 1.9.0rc1:

 * The sudo_logsrvd daemon and python plugin now have their own
   packages.  Currently, the sudo-python package is only built for
   Linux.
 * For "sudo -i", if the target user's home directory does not exist,
   sudo will now warn about the problem but run the command in the
   current working directory.  Previously, this was a fatal error.
   Debian bug #598519.

 * The command line arguments in the SUDO_COMMAND environment variable
   are now truncated at 4096 characters.  This avoids an "Argument list
   too long" error when executing a command with a large number of
   arguments.  Debian bug #596631.

 * Sudo now properly ends the PAM transaction when the user
   authenticates successfully but sudoers denies the command.
   Debian bug #669687.

 * The sudoers grammar in the manual now indicates that "sudoedit"
   requires one or more arguments.  Debian bug #571621.

 * The sample sudo_logsrvd.conf file is now installed if one does not
   already exist.

 * The python plugin can now be built with Python 3.4.

 * Assorted sudo_logsrvd bug fixes.

Major changes between sudo 1.9.0b4 and 1.9.0b5:

 * Sudo once again ignores a failure to restore the RLIMIT_CORE
   resource limit, as it did prior to version 1.8.29.  Linux
   containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
   if we set the limit to zero, even for root, which resulted in a
   warning from sudo.

 * In sudo_logsrvd, disable server-side validation of the server
   certificate if the OpenSSL version is too old to have functions
   such as SSL_CTX_get0_certificate().  This allows sudo_logsrvd to
   build on Solaris 11.3 with the system version of OpenSSL.

 * The sudoers plugin and sudo_logsrvd now write an extended I/O log
   info file in JSON format.  This will make it easier to add extra
   logging data in the future.

 * The sudoreplay utility will now read the extended I/O log info file
   if it exists.  This allows matching based on the host name in list
   mode.  The list output now also includes the host name if one is
   present in the log file.

 * sudo_logsrvd now stores a pid file in the sudo run directory.

 * sudo_logsrvd now exits with an error if it cannot bind to any of
   the specified listen sockets.
 * The sudo binary packages now include a service script for starting
   sudo_logsrvd.

 * Updated translations from translationproject.org.

Major changes between sudo 1.9.0b3 and 1.9.0b4:

 * It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias" in
   sudoers for people who find the former more natural.

 * The new "pam_ruser" and "pam_rhost" sudoers settings can be used to
   enable or disable setting the PAM remote user and/or host values
   during PAM session setup.

 * More than one SHA-2 digest may now be specified for a single
   command.  Multiple digests must be separated by a comma.

 * It is now possible to specify a SHA-2 digest in conjunction with
   the "ALL" reserved word in a command specification.  This allows
   one to give permission to run any command that matches the
   specified digest, regardless of its path.

Major changes between sudo 1.9.0b2 and 1.9.0b3:

 * Added the --disable-log-server and --disable-log-client configure
   options.  These can be used to optionally disable building
   sudo_logsrvd and support for remote I/O logging in the sudoers
   plugin respectively.

 * "sudo -S" now overrides the SUDO_CONV_PREFER_TTY flag.

 * Python plugin updates.

Major changes between sudo 1.9.0b1 and 1.9.0b2:

 * Implemented support for "audit" plugins in sudo.  An audit plugin
   receives accept, reject and error messages and can be used to
   implement custom logging that is independent of the underlying
   security policy.  Multiple audit plugins may be specified in the
   sudo.conf file.  A sample audit plugin is included that can produce
   logs in JSON format.

 * Implemented support for approval plugins in sudo.  An approval
   plugin is run only after the main security policy (such as sudoers)
   accepts a command to be run.  The approval policy may perform
   additional checks, potentially interacting with the user.  Multiple
   approval plugins may be specified in the sudo.conf file.  Only if
   all approval plugins succeed will the command be allowed.
 * Python bindings have been implemented for the audit and approval
   plugins.

 * Fixed a problem with the log server client where the TLS handshake
   might fail but a short-lived command could still be run.

 * The sudo_logsrvd daemon now supports logging in JSON format in
   addition to traditional sudo-style logs.

Major changes between sudo 1.8.31 and 1.9.0b1:

 * Sudo now includes a logging daemon, sudo_logsrvd, which can be used
   to implement centralized logging of I/O logs.  TLS connections are
   supported when sudo is configured with the "--enable-openssl"
   option.  For more information, see the sudo_logsrvd,
   sudo_logsrvd.conf and sudo_logsrv.proto manuals.

 * The sudoers plugin can be configured to send logs to sudo_logsrvd.
   See the "log_servers", "log_server_timeout" and
   "log_server_keepalive" settings in the sudoers manual.  TLS
   connections are supported when sudo is configured with the
   "--enable-openssl" option.  TLS can be configured using the
   "log_server_cabundle", "log_server_peer_cert", and
   "log_server_peer_key" settings in the sudoers manual.

 * The new sudo_sendlog utility can be used to test sudo_logsrvd or
   send existing sudo I/O logs to a centralized server.

 * It is now possible to write sudo plugins in Python when sudo is
   configured with the --enable-python option.  See the
   sudo_plugin_python manual for details.  Sudo 1.9.0 comes with
   several Python example plugins that get installed in sudo's
   examples directory.  The sudo blog article "What's new in sudo 1.9:
   Python" (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
   includes a simple tutorial on writing python plugins.

 * Avoid checking the internal signal SIGLWP in strsig_test on
   FreeBSD.  This fixes a "make check" failure on FreeBSD.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL:

From Todd.Miller at sudo.ws Thu Apr 9 14:54:01 2020
From: Todd.Miller at sudo.ws (Todd C. Miller)
Date: Thu, 09 Apr 2020 14:54:01 -0600
Subject: [sudo-workers] sudo 1.9.0rc2 released
Message-ID: <4f6317594f75b26b@sudo.ws>

The second release candidate of sudo 1.9.0 is now available.
I expect to have the final release ready next week.

This version of sudo contains some major changes which is
reflected by the change from version 1.8.x to 1.9.x.  The biggest
changes in sudo 1.9.0 are support for centralized I/O logging and
sudo plugins written in Python.  Peter Czanik has written several
blog posts on the new sudo features which you can view at
https://blog.sudo.ws/.

Source:
    https://www.sudo.ws/dist/beta/sudo-1.9.0rc2.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.9.0rc2.tar.gz

SHA256 checksum:
    9b21df2def88776be80d4815b231b9b208930f6b5b25e2e7ac9d0ff2d1c5158d

MD5 checksum:
    d05d108f8f99abb6fff957942f5b9387

Binary packages:
    https://www.sudo.ws/dist/beta/packages/index.html#binary

For a list of download mirror sites, see:
    https://www.sudo.ws/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/

Sudo web site mirrors:
    https://www.sudo.ws/mirrors.html

Major changes between sudo 1.9.0rc1 and 1.9.0rc2:

 * The example Python plugins now work correctly with Python 3.4.

Major changes between sudo 1.9.0b5 and 1.9.0rc1:

 * The sudo_logsrvd daemon and python plugin now have their own
   packages.  Currently, the sudo-python package is only built for
   Linux.

 * For "sudo -i", if the target user's home directory does not exist,
   sudo will now warn about the problem but run the command in the
   current working directory.  Previously, this was a fatal error.
   Debian bug #598519.

 * The command line arguments in the SUDO_COMMAND environment variable
   are now truncated at 4096 characters.  This avoids an "Argument list
   too long" error when executing a command with a large number of
   arguments.  Debian bug #596631.

 * Sudo now properly ends the PAM transaction when the user
   authenticates successfully but sudoers denies the command.
   Debian bug #669687.
 * The sudoers grammar in the manual now indicates that "sudoedit"
   requires one or more arguments.  Debian bug #571621.

 * The sample sudo_logsrvd.conf file is now installed if one does not
   already exist.

 * The python plugin can now be built with Python 3.4.

 * Assorted sudo_logsrvd bug fixes.

Major changes between sudo 1.9.0b4 and 1.9.0b5:

 * Sudo once again ignores a failure to restore the RLIMIT_CORE
   resource limit, as it did prior to version 1.8.29.  Linux
   containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
   if we set the limit to zero, even for root, which resulted in a
   warning from sudo.

 * In sudo_logsrvd, disable server-side validation of the server
   certificate if the OpenSSL version is too old to have functions
   such as SSL_CTX_get0_certificate().  This allows sudo_logsrvd to
   build on Solaris 11.3 with the system version of OpenSSL.

 * The sudoers plugin and sudo_logsrvd now write an extended I/O log
   info file in JSON format.  This will make it easier to add extra
   logging data in the future.

 * The sudoreplay utility will now read the extended I/O log info file
   if it exists.  This allows matching based on the host name in list
   mode.  The list output now also includes the host name if one is
   present in the log file.

 * sudo_logsrvd now stores a pid file in the sudo run directory.

 * sudo_logsrvd now exits with an error if it cannot bind to any of
   the specified listen sockets.

 * The sudo binary packages now include a service script for starting
   sudo_logsrvd.

 * Updated translations from translationproject.org.

Major changes between sudo 1.9.0b3 and 1.9.0b4:

 * It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias" in
   sudoers for people who find the former more natural.

 * The new "pam_ruser" and "pam_rhost" sudoers settings can be used to
   enable or disable setting the PAM remote user and/or host values
   during PAM session setup.

 * More than one SHA-2 digest may now be specified for a single
   command.  Multiple digests must be separated by a comma.
 * It is now possible to specify a SHA-2 digest in conjunction with
   the "ALL" reserved word in a command specification.  This allows
   one to give permission to run any command that matches the
   specified digest, regardless of its path.

Major changes between sudo 1.9.0b2 and 1.9.0b3:

 * Added the --disable-log-server and --disable-log-client configure
   options.  These can be used to optionally disable building
   sudo_logsrvd and support for remote I/O logging in the sudoers
   plugin respectively.

 * "sudo -S" now overrides the SUDO_CONV_PREFER_TTY flag.

 * Python plugin updates.

Major changes between sudo 1.9.0b1 and 1.9.0b2:

 * Implemented support for "audit" plugins in sudo.  An audit plugin
   receives accept, reject and error messages and can be used to
   implement custom logging that is independent of the underlying
   security policy.  Multiple audit plugins may be specified in the
   sudo.conf file.  A sample audit plugin is included that can produce
   logs in JSON format.

 * Implemented support for approval plugins in sudo.  An approval
   plugin is run only after the main security policy (such as sudoers)
   accepts a command to be run.  The approval policy may perform
   additional checks, potentially interacting with the user.  Multiple
   approval plugins may be specified in the sudo.conf file.  Only if
   all approval plugins succeed will the command be allowed.

 * Python bindings have been implemented for the audit and approval
   plugins.

 * Fixed a problem with the log server client where the TLS handshake
   might fail but a short-lived command could still be run.

 * The sudo_logsrvd daemon now supports logging in JSON format in
   addition to traditional sudo-style logs.

Major changes between sudo 1.8.31 and 1.9.0b1:

 * Sudo now includes a logging daemon, sudo_logsrvd, which can be used
   to implement centralized logging of I/O logs.  TLS connections are
   supported when sudo is configured with the "--enable-openssl"
   option.
   For more information, see the sudo_logsrvd, sudo_logsrvd.conf and
   sudo_logsrv.proto manuals.

 * The sudoers plugin can be configured to send logs to sudo_logsrvd.
   See the "log_servers", "log_server_timeout" and
   "log_server_keepalive" settings in the sudoers manual.  TLS
   connections are supported when sudo is configured with the
   "--enable-openssl" option.  TLS can be configured using the
   "log_server_cabundle", "log_server_peer_cert", and
   "log_server_peer_key" settings in the sudoers manual.

 * The new sudo_sendlog utility can be used to test sudo_logsrvd or
   send existing sudo I/O logs to a centralized server.

 * It is now possible to write sudo plugins in Python when sudo is
   configured with the --enable-python option.  See the
   sudo_plugin_python manual for details.  Sudo 1.9.0 comes with
   several Python example plugins that get installed in sudo's
   examples directory.  The sudo blog article "What's new in sudo 1.9:
   Python" (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
   includes a simple tutorial on writing python plugins.

 * Avoid checking the internal signal SIGLWP in strsig_test on
   FreeBSD.  This fixes a "make check" failure on FreeBSD.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL:
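The thread above points at the approval plugin API (Todd's suggestion for the Kerberos work) and the release notes describe it: an approval plugin runs only after sudoers has accepted the command, and its Python binding is a class derived from sudo.Plugin with a check() method. The following is an added example, not one of sudo's shipped example plugins, showing what such a second-stage check looks like: it refuses to hand out an interactive shell as root and refuses loader variables (LD_PRELOAD and friends) in the command's environment, even where a permissive sudoers rule such as ALL would allow them. The sudo.conf registration line, the file path, the class name NoRootShellApproval and the DenyShells option are this example's own choices. The real sudo module only exists inside sudo's embedded interpreter, so the block falls back to a small constructed stand-in (with the same surface used here) when imported elsewhere; that stand-in is for running the policy logic offline and is not sudo's module.

```python
"""
sudo 1.9 approval plugin (Python): deny interactive shells as root and
refuse LD_* loader variables, as a second check after sudoers accepts.

Assumed sudo.conf registration (path, class and option names are this
example's own choices, not sudo defaults):

  Plugin python_approval python_plugin.so \
      ModulePath=/etc/sudo/no_root_shell.py \
      ClassName=NoRootShellApproval \
      DenyShells=/bin/sh,/bin/bash,/bin/zsh
"""
import os

try:
    import sudo  # real module; only importable inside sudo's embedded Python
except ImportError:
    # Constructed stand-in with just the surface used below, so the policy
    # can be run and unit-tested outside sudo.  Not sudo's own module.
    import types

    class _PluginBase:
        # sudo.Plugin's default __init__ stores its keyword arguments
        # (user_env, settings, version, user_info, plugin_options) on self.
        def __init__(self, **kwargs):
            for name, value in kwargs.items():
                setattr(self, name, value)

    sudo = types.SimpleNamespace(
        Plugin=_PluginBase,
        RC=types.SimpleNamespace(ACCEPT=1, REJECT=0, ERROR=-1),
        PluginReject=type("PluginReject", (Exception,), {}),
        log_info=lambda *args, sep=" ": None,
    )

DEFAULT_DENY_SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/bin/ksh")
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")


def _kv(pairs):
    """Turn a tuple of 'key=value' strings (command_info, run_env,
    plugin_options) into a dict; entries without '=' map to ''."""
    out = {}
    for item in pairs:
        key, _, value = item.partition("=")
        out[key] = value
    return out


def evaluate(command_info, run_argv, run_env, deny_shells=DEFAULT_DENY_SHELLS):
    """Pure policy decision: returns (accept, reason).  Kept free of sudo
    calls so it can be exercised with constructed tuples."""
    info = _kv(command_info)
    command = info.get("command", "")
    try:
        runas_uid = int(info.get("runas_uid", "-1"))
    except ValueError:
        return False, "malformed runas_uid in command_info"
    if not command or not os.path.isabs(command):
        return False, "refusing non-absolute command path %r" % command

    # sudoers already matched the path; here we only refuse an interactive
    # root shell even if a broad sudoers rule (e.g. ALL) would permit it.
    deny_names = {os.path.basename(p) for p in deny_shells}
    if runas_uid == 0 and (command in deny_shells
                           or os.path.basename(command) in deny_names):
        return False, "interactive shell %s as root is not approved" % command

    # Defense in depth: env_keep/env_check in sudoers could let these through.
    for name in _kv(run_env):
        if name in LOADER_VARS:
            return False, "refusing to pass %s to a privileged command" % name

    argv0 = run_argv[0] if run_argv else ""
    return True, "approved %s (argv0=%s) as uid %d" % (command, argv0, runas_uid)


class NoRootShellApproval(sudo.Plugin):
    """Approval plugin API: check() runs after the policy plugin accepts."""

    def check(self, command_info: tuple, run_argv: tuple, run_env: tuple) -> int:
        options = _kv(getattr(self, "plugin_options", ()))
        deny = DEFAULT_DENY_SHELLS
        if options.get("DenyShells"):  # hypothetical option from sudo.conf
            deny = tuple(options["DenyShells"].split(","))
        accepted, reason = evaluate(command_info, run_argv, run_env, deny)
        sudo.log_info(reason)
        if not accepted:
            # PluginReject makes sudo refuse the command and show the message.
            raise sudo.PluginReject(reason)
        return sudo.RC.ACCEPT
```

The decision is kept in evaluate() so it can be tested without sudo; check() only wires it to the plugin API. Because approval plugins never run unless sudoers (or another policy plugin) has already accepted the command, a plugin like this narrows policy but can never widen it, which is what makes it a safe place for organisation-wide hard limits.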