[sudo-workers] sudo 1.9.0b4 released

Todd C. Miller Todd.Miller at sudo.ws
Thu Mar 12 19:28:36 MDT 2020


The fourth beta version of sudo 1.9.0 is now available.  This version
of sudo contains some major changes which are reflected by the change
from version 1.8.x to 1.9.x.

The biggest changes in sudo 1.9.0 are support for centralized I/O
logging and sudo plugins written in Python.  See below for more
details.

Source:
    https://www.sudo.ws/dist/beta/sudo-1.9.0b4.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.9.0b4.tar.gz

SHA256 checksum:
    4f85ac155eb048ec2cd8c6b9a5d5dec1aae2c5aac87fe93f574db98d6d3ef8de

MD5 checksum:
    e604fc8f3fc9c5e1c4745d9c47e99004

Binary packages:
    https://www.sudo.ws/dist/beta/packages/index.html#binary

For a list of download mirror sites, see:
    https://www.sudo.ws/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/

Sudo web site mirrors:
    https://www.sudo.ws/mirrors.html

Major changes between sudo 1.9.0b3 and 1.9.0b4:

 * It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias"
   in sudoers for people who find the former more natural.

 * The new "pam_ruser" and "pam_rhost" sudoers settings can be used
   to enable or disable setting the PAM remote user and/or host
   values during PAM session setup.

 * More than one SHA-2 digest may now be specified for a single
   command. Multiple digests must be separated by a comma.

 * It is now possible to specify a SHA-2 digest in conjunction with
   the "ALL" reserved word in a command specification. This allows
   one to give permission to run any command that matches the
   specified digest, regardless of its path.

Major changes between sudo 1.9.0b2 and 1.9.0b3:

 * Added the --disable-log-server and --disable-log-client configure
   options.  These can be used to optionally disable building
   sudo_logsrvd and support for remote I/O logging in the sudoers
   plugin respectively.

 * "sudo -S" now overrides the SUDO_CONV_PREFER_TTY flag.

 * Python plugin updates.

Major changes between sudo 1.9.0b1 and 1.9.0b2:

 * Implemented support for "audit" plugins in sudo.  An audit plugin
   receives accept, reject and error messages and can be used to
   implement custom logging that is independent of the underlying
   security policy.  Multiple audit plugins may be specified in
   the sudo.conf file.  A sample audit plugin is included that can
   produce logs in JSON format.

 * Implemented support for approval plugins in sudo.  An approval
   plugin is run only after the main security policy (such as
   sudoers) accepts a command to be run.  The approval policy may
   perform additional checks, potentially interacting with the user.
   Multiple approval plugins may be specified in the sudo.conf file.
   Only if all approval plugins succeed will the command be allowed.

 * Python bindings have been implemented for the audit and approval
   plugins.

 * Fixed a problem with the log server client where the TLS handshake
   might fail but a short-lived command could still be run.

 * The sudo_logsrvd daemon now supports logging in JSON format in
   addition to traditional sudo-style logs.

Major changes between sudo 1.8.31 and 1.9.0b1:

 * Sudo now includes a logging daemon, sudo_logsrvd, which can
   be used to implement centralized logging of I/O logs.  TLS
   connections are supported when sudo is configured with the
   "--enable-openssl" option.  For more information, see the
   sudo_logsrvd, sudo_logsrvd.conf and sudo_logsrv.proto manuals.

 * The sudoers plugin can be configured to send logs to sudo_logsrvd.
   See the "log_servers", "log_server_timeout" and "log_server_keepalive"
   settings in the sudoers manual.

   TLS connections are supported when sudo is configured with the
   "--enable-openssl" option.  TLS can be configured using the
   "log_server_cabundle", "log_server_peer_cert", and "log_server_peer_key"
   settings in the sudoers manual.

 * The new sudo_sendlog utility can be used to test sudo_logsrvd
   or send existing sudo I/O logs to a centralized server.

 * It is now possible to write sudo plugins in Python when sudo is
   configured with the --enable-python option.  See the sudo_plugin_python
   manual for details.

   Sudo 1.9.0 comes with several Python example plugins that get
   installed in sudo's examples directory.

   The sudo blog article "What's new in sudo 1.9: Python"
   (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
   includes a simple tutorial on writing Python plugins.

 * Avoid checking the internal signal SIGLWP in strsig_test on
   FreeBSD.  This fixes a "make check" failure on FreeBSD.
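
The two SHA-2 digest changes listed for 1.9.0b4 (several comma-separated digests for one command, and a digest combined with "ALL") can be exercised with a small rule generator. This is an added example, not part of the original announcement or of sudo itself; the function names, the "deploy" user and the file paths are hypothetical.

```shell
#!/bin/sh
# Added example: build a sudoers rule pinned to SHA-256 digests.
# digest_of, digest_rule, the user "deploy" and all paths are hypothetical.

# Print the hex SHA-256 digest of a file; fail if it cannot be read.
digest_of() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# digest_rule USER TARGET FILE...
# TARGET is a command path, or the reserved word ALL to permit any path
# whose contents match one of the digests.
# Each FILE is an approved build of the command; its digest is appended
# to the comma-separated digest list.
digest_rule() {
    user=$1
    target=$2
    shift 2
    [ $# -ge 1 ] || { echo "need at least one file" >&2; return 1; }
    list=
    for f in "$@"; do
        d=$(digest_of "$f") || return 1
        list="${list:+$list, }sha256:$d"
    done
    printf '%s ALL = %s %s\n' "$user" "$list" "$target"
}

# Constructed demo: two stand-in "builds" of a tool in a temp directory.
tmp=$(mktemp -d)
printf 'abc' > "$tmp/tool-v1"
: > "$tmp/tool-v2"
digest_rule deploy /usr/local/bin/tool "$tmp/tool-v1" "$tmp/tool-v2"
digest_rule deploy ALL "$tmp/tool-v1"
rm -rf "$tmp"
```

Write the generated lines to a scratch file and check them with "visudo -cf" before installing them; the digest forms require sudo 1.9.0b4 or later.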