[sudo-workers] sudo 1.9.8b1 released

Mon Aug 16 22:53:35 MDT 2021

Sounds very interesting. Maybe a good way to utilize AIX RBAC, or an example of how that could be done. 

In any case, congratulations on the coming release and my thanks for your continuing support and development. 

Michael 

Sent from my iPhone

> On 16 Aug 2021, at 23:54, Todd C. Miller <Todd.Miller at sudo.ws> wrote:
> 
> The first beta release of sudo 1.9.8 is now available.
> 
> In addition to bug fixes, sudo 1.9.8 adds a new "intercept" mode
> that can be used to intercept the execve() system call in the command
> run by sudo and do a policy check on sub-commands before they are
> executed.  Intercept mode uses LD_PRELOAD and a socket pair to
> communicate with the main sudo process to perform the sudoers check.
> As such, there are some limitations.  See the sudoers man page for
> details.
> 
> Sudo 1.9.8 also includes a new sudoers setting, log_children, which
> works like intercept mode but only logs the command that was run
> and does not validate it against the sudoers file.
> 
> Source:
>    https://www.sudo.ws/dist/beta/sudo-1.9.8b1.tar.gz
>    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.9.8b1.tar.gz
> 
> SHA256 checksum:
>    f6f23e83afcc6c0c185cbc77cc258fba95eae4bc3828b7cb37ecd0e7065aa33a
> 
> MD5 checksum:
>    1c766f8f4b3e9df439d4b9c5dd74e509
> 
> Binary packages:
>    https://www.sudo.ws/dist/beta/packages/index.html#binary
> 
> For a list of download mirror sites, see:
>    https://www.sudo.ws/download_mirrors.html
> 
> Sudo web site:
>    https://www.sudo.ws/
> 
> Sudo web site mirrors:
>    https://www.sudo.ws/mirrors.html
> 
> Major changes between sudo 1.9.8b1 and 1.9.7p2:
> 
> * It is now possible to transparently intercepting sub-commands
>   executed by the original command run via sudo.  Intercept support
>   is implemented using LD_PRELOAD (or the equivalent supported by
>   the system) and so has some limitations.  The two main limitations
>   are that only dynamic executables are supported and only the
>   execve() system call is currently intercepted.  Its main use
>   case is to support restricting privileged shells run via sudo.
> 
>   To support this, there is a new "intercept" Defaults setting and
>   an INTERCEPT command tag that can be used in sudoers.  For example:
> 
>    Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
>    Defaults!SHELLS intercept
> 
>   would cause sudo to run the listed shells in intercept mode.
>   This can also be set on a per-rule basis.  For example:
> 
>    Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
>    chuck ALL = INTERCEPT: SHELLS
> 
>   would only apply intercept mode to user "chuck" when running one
>   of the listed shells.
> 
> * The new "log_children" sudoers setting can be used to log commands
>   run in a privileged shell.  It uses the same mechanism as the
>   intercept support described above and has the same limitations.
> 
> * Support for logging sudo_logsrvd errors via syslog or to a file.
>   Previously, most sudo_logsrvd errors were only visible in the
>   debug log.
> 
> * Better diagnostics when there is a TLS certificate validation error.
> 
> * Using the "+=" or "-=" operators in a Defaults setting that takes
>   a string, not a list, now produces a warning from sudo and a
>   syntax error from inside visudo.
> 
> * Fixed a bug where the "iolog_mode" setting in sudoers and sudo_logsrvd
>   had no effect when creating I/O log parent directories if the I/O log
>   file name ended with the string "XXXXXX".
> 
> * Fixed a bug in the sudoers custom prompt code where the size
>   parameter that was passed to the strlcpy() function was incorrect.
>   No overflow was possible since the correct amount of memory was
>   already pre-allocated.
> ____________________________________________________________
> sudo-workers mailing list <sudo-workers at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> https://www.sudo.ws/mailman/listinfo/sudo-workers