[sudo-workers] sudo 1.9.0b2 released
Todd C. Miller
Todd.Miller at sudo.ws
Tue Feb 25 14:01:06 MST 2020

The second beta version of sudo 1.9.0 is now available. This version
of sudo contains some major changes, which are reflected by the change
from version 1.8.x to 1.9.x.

The biggest changes in sudo 1.9.0 are support for centralized I/O
logging and sudo plugins written in Python. See below for more
details.

Source:
    https://www.sudo.ws/dist/beta/sudo-1.8.0b2.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.9.0b2.tar.gz

SHA256 checksum:
    b5d9d4bd1e1a7e122a0fec1c568cbe56fd15f5916dd54045b2c5eb7e5edb0f06
MD5 checksum:
    d012a15fbeca7fc9f60346b4fe5a8ebb

Binary packages:
    https://www.sudo.ws/dist/beta/packages/index.html#binary

For a list of download mirror sites, see:
    https://www.sudo.ws/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/

Sudo web site mirrors:
    https://www.sudo.ws/mirrors.html

Major changes between sudo 1.9.0b1 and 1.9.0b2:

 * Implemented support for "audit" plugins in sudo. An audit plugin
   receives accept, reject and error messages and can be used to
   implement custom logging that is independent of the underlying
   security policy. Multiple audit plugins may be specified in
   the sudo.conf file. A sample audit plugin is included that can
   produce logs in JSON format.

 * Implemented support for approval plugins in sudo. An approval
   plugin is run only after the main security policy (such as
   sudoers) accepts a command to be run. The approval policy may
   perform additional checks, potentially interacting with the user.
   Multiple approval plugins may be specified in the sudo.conf file.
   Only if all approval plugins succeed will the command be allowed.

 * Python bindings have been implemented for the audit and approval
   plugins.

 * Fixed a problem with the log server client where the TLS handshake
   might fail but a short-lived command could still be run.

 * The sudo_logsrvd daemon now supports logging in JSON format in
   addition to traditional sudo-style logs.

Major changes between sudo 1.8.31 and 1.9.0b1:

 * Sudo now includes a logging daemon, sudo_logsrvd, which can
   be used to implement centralized logging of I/O logs. TLS
   connections are supported when sudo is configured with the
   "--enable-openssl" option. For more information, see the
   sudo_logsrvd, sudo_logsrvd.conf and sudo_logsrv.proto manuals.

 * The sudoers plugin can be configured to send logs to sudo_logsrvd.
   See the "log_servers", "log_server_timeout" and "log_server_keepalive"
   settings in the sudoers manual.

   TLS connections are supported when sudo is configured with the
   "--enable-openssl" option. TLS can be configured using the
   "log_server_cabundle", "log_server_peer_cert", and "log_server_peer_key"
   settings in the sudoers manual.

 * The new sudo_sendlog utility can be used to test sudo_logsrvd
   or send existing sudo I/O logs to a centralized server.

 * It is now possible to write sudo plugins in Python when sudo is
   configured with the --enable-python option. See the sudo_plugin_python
   manual for details.

   Sudo 1.9.0 comes with several Python example plugins that get
   installed in sudo's examples directory.

   The sudo blog article "What's new in sudo 1.9: Python"
   (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
   includes a simple tutorial on writing Python plugins.

 * Avoid checking the internal signal SIGLWP in strsig_test on
   FreeBSD. This fixes a "make check" failure on FreeBSD.