[sudo-workers] sudo 1.9.0b5 released
Todd C. Miller
Todd.Miller at sudo.ws
Sun Mar 29 12:51:49 MDT 2020
The fifth beta version of sudo 1.9.0 is now available. I expect
to have the first release candidate ready in a few days.
This version of sudo contains some major changes, which are reflected
by the change from version 1.8.x to 1.9.x. The biggest changes in
sudo 1.9.0 are support for centralized I/O logging and sudo plugins
written in Python. Peter Czanik has written several blog posts on
the new sudo features which you can view at https://blog.sudo.ws/.
Source:
https://www.sudo.ws/dist/beta/sudo-1.9.0b5.tar.gz
ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.9.0b5.tar.gz
SHA256 checksum:
9592daeb516306f0bae6746445612dc49786ef1d9d74b6ce3c0eda2c46bd18f6
MD5 checksum:
2fac1644b09fb9559b5e7d2a16bc78e8
Binary packages:
https://www.sudo.ws/dist/beta/packages/index.html#binary
For a list of download mirror sites, see:
https://www.sudo.ws/download_mirrors.html
Sudo web site:
https://www.sudo.ws/
Sudo web site mirrors:
https://www.sudo.ws/mirrors.html
Major changes between sudo 1.9.0b4 and 1.9.0b5:
* Sudo once again ignores a failure to restore the RLIMIT_CORE
resource limit, as it did prior to version 1.8.29. Linux
containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
if we set the limit to zero, even for root, which resulted in a
warning from sudo.
* In sudo_logsrvd, disable server-side validation of the server
certificate if the OpenSSL version is too old to have functions
such as SSL_CTX_get0_certificate(). This allows sudo_logsrvd
to build on Solaris 11.3 with the system version of OpenSSL.
* The sudoers plugin and sudo_logsrvd now write an extended I/O
log info file in JSON format. This will make it easier to add
extra logging data in the future.
* The sudoreplay utility will now read the extended I/O log info
file if it exists. This allows matching based on the host name
in list mode. The list output now also includes the host name
if one is present in the log file.
* sudo_logsrvd now stores a pid file in the sudo run directory.
* sudo_logsrvd now exits with an error if it cannot bind to any
of the specified listen sockets.
* The sudo binary packages now include a service script for
starting sudo_logsrvd.
* Updated translations from translationproject.org.
Major changes between sudo 1.9.0b3 and 1.9.0b4:
* It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias"
in sudoers for people who find the former more natural.
* The new "pam_ruser" and "pam_rhost" sudoers settings can be used
to enable or disable setting the PAM remote user and/or host
values during PAM session setup.
* More than one SHA-2 digest may now be specified for a single
command. Multiple digests must be separated by a comma.
* It is now possible to specify a SHA-2 digest in conjunction with
the "ALL" reserved word in a command specification. This allows
one to give permission to run any command that matches the
specified digest, regardless of its path.
Major changes between sudo 1.9.0b2 and 1.9.0b3:
* Added the --disable-log-server and --disable-log-client configure
options. These can be used to optionally disable building
sudo_logsrvd and support for remote I/O logging in the sudoers
plugin respectively.
* "sudo -S" now overrides the SUDO_CONV_PREFER_TTY flag.
* Python plugin updates.
Major changes between sudo 1.9.0b1 and 1.9.0b2:
* Implemented support for "audit" plugins in sudo. An audit plugin
receives accept, reject and error messages and can be used to
implement custom logging that is independent of the underlying
security policy. Multiple audit plugins may be specified in
the sudo.conf file. A sample audit plugin is included that can
produce logs in JSON format.
* Implemented support for approval plugins in sudo. An approval
plugin is run only after the main security policy (such as
sudoers) accepts a command to be run. The approval policy may
perform additional checks, potentially interacting with the user.
Multiple approval plugins may be specified in the sudo.conf file.
Only if all approval plugins succeed will the command be allowed.
* Python bindings have been implemented for the audit and approval
plugins.
* Fixed a problem with the log server client where the TLS handshake
might fail but a short-lived command could still be run.
* The sudo_logsrvd daemon now supports logging in JSON format in
addition to traditional sudo-style logs.
Major changes between sudo 1.8.31 and 1.9.0b1:
* Sudo now includes a logging daemon, sudo_logsrvd, which can
be used to implement centralized logging of I/O logs. TLS
connections are supported when sudo is configured with the
"--enable-openssl" option. For more information, see the
sudo_logsrvd, sudo_logsrvd.conf and sudo_logsrv.proto manuals.
* The sudoers plugin can be configured to send logs to sudo_logsrvd.
See the "log_servers", "log_server_timeout" and "log_server_keepalive"
settings in the sudoers manual.
TLS connections are supported when sudo is configured with the
"--enable-openssl" option. TLS can be configured using the
"log_server_cabundle", "log_server_peer_cert", and "log_server_peer_key"
settings in the sudoers manual.
* The new sudo_sendlog utility can be used to test sudo_logsrvd
or send existing sudo I/O logs to a centralized server.
* It is now possible to write sudo plugins in Python when sudo is
configured with the --enable-python option. See the sudo_plugin_python
manual for details.
Sudo 1.9.0 comes with several Python example plugins that get
installed in sudo's examples directory.
The sudo blog article "What's new in sudo 1.9: Python"
(https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
includes a simple tutorial on writing Python plugins.
* Avoid checking the internal signal SIGLWP in strsig_test on
FreeBSD. This fixes a "make check" failure on FreeBSD.
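The RLIMIT_CORE item above describes a pattern worth seeing in working code: lower the core-dump limit while privileged work runs so a crash cannot write memory (which may hold credentials) to disk, then put the original limit back and only warn when the kernel refuses, as it does inside a container lacking CAP_SYS_RESOURCE even for root. The following is an added illustration of that pattern in Python; it is not sudo's own C code, and the Outcome type and function names are mine.

```python
"""Disable core dumps around an operation, tolerating a failed restore.

Added illustration (not code from the sudo project) of the behaviour the
1.9.0b5 announcement describes: RLIMIT_CORE is set to 0, the work runs, and
a refusal to raise the limit back is reported rather than treated as fatal.
"""
import resource
from dataclasses import dataclass
from typing import Any, Callable


@dataclass
class Outcome:
    result: Any      # whatever fn returned
    restored: bool   # False when setrlimit() refused to raise the limit back
    warning: str     # reason for the refusal, empty when restored is True


def current_core_limit():
    """(soft, hard) RLIMIT_CORE of this process."""
    return resource.getrlimit(resource.RLIMIT_CORE)


def run_with_coredumps_disabled(fn: Callable[[], Any]) -> Outcome:
    saved = current_core_limit()
    # Lowering both the soft and the hard limit is always permitted.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    try:
        result = fn()
    finally:
        try:
            # Raising the hard limit again needs CAP_SYS_RESOURCE; in many
            # containers the kernel refuses this even for uid 0.
            resource.setrlimit(resource.RLIMIT_CORE, saved)
            restored, warning = True, ""
        except (ValueError, OSError) as e:  # CPython maps EPERM/EINVAL to ValueError
            restored, warning = False, f"unable to restore RLIMIT_CORE {saved}: {e}"
    return Outcome(result, restored, warning)


if __name__ == "__main__":
    out = run_with_coredumps_disabled(current_core_limit)
    print("limit during the call:", out.result)
    print("restored:", out.restored, out.warning)
```

Run it unprivileged on Linux and `restored` is False with a "not allowed to raise maximum limit" warning, which is the situation that used to make sudo 1.8.29 through 1.9.0b4 print a warning; the work itself has already completed either way, which is why treating the failed restore as non-fatal is the right call.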
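The 1.9.0b4 digest changes (several SHA-2 digests per command, and a digest list combined with the reserved word ALL) are easiest to get right by generating the sudoers text from the binaries themselves. The following is an added Python example, not part of sudo, that emits lines in the Digest_Spec syntax ("sha256:<hex>", digests separated by commas, then the command); the user name, host and paths are placeholders, and the two "binaries" it hashes are constructed throwaway files with known contents.

```python
"""Generate sudoers command specs pinned to SHA-2 digests.

Added illustration, not code from the sudo project. Output follows the
sudoers grammar: <user> <host> = <Digest_List> <command>, where Digest_List
is one or more "algo:hex" entries separated by commas and command may be ALL.
"""
import hashlib
import os
import tempfile

# The SHA-2 family sudoers accepts; MD5/SHA-1 are deliberately not offered.
ALGOS = {"sha224", "sha256", "sha384", "sha512"}


def digest_spec(path, algo="sha256"):
    """Return 'sha256:<hex>' for the file at path, hashing in chunks."""
    if algo not in ALGOS:
        raise ValueError("sudoers digests must be one of " + ", ".join(sorted(ALGOS)))
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return f"{algo}:{h.hexdigest()}"


def digest_list(paths, algo="sha256"):
    """Digest_List: one Digest_Spec per path, comma separated (new in 1.9.0b4)."""
    return ",".join(digest_spec(p, algo) for p in paths)


def digest_rule(user, command, paths, host="ALL", algo="sha256"):
    """One sudoers line. With command="ALL" any program whose contents match
    one of the digests may be run regardless of its path (new in 1.9.0b4)."""
    return f"{user} {host} = {digest_list(paths, algo)} {command}"


def constructed_example():
    """Two throwaway files standing in for two releases of a tool
    (constructed sample input), pinned by path and pinned regardless of path."""
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, "tool-1.0")
        new = os.path.join(d, "tool-1.1")
        with open(old, "wb") as f:
            f.write(b"hello\n")
        with open(new, "wb") as f:
            f.write(b"")
        return (
            digest_rule("alice", "/usr/local/bin/tool", [old, new]),  # assumed path
            digest_rule("alice", "ALL", [old, new]),
        )


if __name__ == "__main__":
    for line in constructed_example():
        print(line)
```

Pinning two digests lets an upgrade be staged without editing sudoers twice, and the ALL form is the one to use when the same binary is installed at different paths on different hosts; in both cases the digest, not the path, is what sudo verifies before running the command.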
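The approval plugin API introduced in 1.9.0b2 (run only after sudoers has accepted the command; every configured approval plugin must agree) together with the Python bindings makes a cross-cutting check cheap to add without touching the policy. The following is an added example plugin, written by me and not one of the example plugins shipped with sudo. It assumes a sudo.conf line of the form `Plugin python_approval python_plugin.so ModulePath=/etc/sudo/ticket_approval.py ClassName=TicketApprovalPlugin`, an assumed TICKET environment variable kept by the policy (`Defaults env_keep += "TICKET"`), and an assumed list of gated programs; the `sudo` module exists only inside sudo's embedded interpreter, so a stand-in with just the three names used here is provided for running the class offline.

```python
"""A sudo approval plugin gating root shells and editors on a change ticket.

Added illustration, not one of the sudo project's example plugins. It is
loaded via python_plugin.so (see the sudo.conf line in the text above) and
receives the same "key=value" tuples sudo hands to C approval plugins.
"""
import re

try:
    import sudo  # provided by python_plugin.so inside sudo
except ImportError:
    # Stand-in with only the names this plugin uses, so it runs outside sudo.
    class _Shim:
        class Plugin:
            def __init__(self, **kwargs):
                pass

        class PluginReject(Exception):
            pass

        @staticmethod
        def log_info(*parts):
            print(*parts)

    sudo = _Shim()

TICKET_RE = re.compile(r"^CHG-\d{4,}$")  # assumed change-ticket format
# Assumed list of programs that hand out an interactive root session.
GATED = {"/bin/sh", "/bin/bash", "/usr/bin/vi", "/usr/bin/vim", "/usr/bin/nano"}


def _kv(items):
    """command_info and run_env arrive as tuples of 'key=value' strings."""
    out = {}
    for item in items:
        key, sep, value = item.partition("=")
        if sep:
            out[key] = value
    return out


class TicketApprovalPlugin(sudo.Plugin):
    def check(self, command_info: tuple, run_argv: tuple, run_env: tuple) -> None:
        info, env = _kv(command_info), _kv(run_env)
        command = info.get("command", "")
        if info.get("runas_uid") == "0" and command in GATED:
            ticket = env.get("TICKET", "")
            if not TICKET_RE.match(ticket):
                msg = f"{command} as root needs a change ticket (TICKET=CHG-nnnn)"
                sudo.log_info("ticket approval plugin: " + msg)
                raise sudo.PluginReject(msg)
        # Returning without raising accepts; sudo then consults the next
        # approval plugin, and the command runs only if all of them accept.


def decide(command_info, run_argv=(), run_env=()):
    """Offline driver: (accepted, reason) for one constructed request."""
    try:
        TicketApprovalPlugin().check(tuple(command_info), tuple(run_argv), tuple(run_env))
        return True, ""
    except sudo.PluginReject as e:
        return False, str(e)


if __name__ == "__main__":
    # Constructed requests, shaped like what sudo passes after sudoers accepts.
    print(decide(("command=/bin/bash", "runas_uid=0"), ("bash",), ("HOME=/root",)))
    print(decide(("command=/bin/bash", "runas_uid=0"), ("bash",), ("TICKET=CHG-12345",)))
```

Because an approval plugin only ever sees commands sudoers has already accepted, a bug here can deny but never grant; that asymmetry is what makes it the right place for checks like this one rather than a second policy.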