Aliases: making your sudoers file manageable
The default sudoers file gives one group of users full control over your machine:
%wheel ALL=(ALL) ALL Once it is not just you and your best friend administering a machine, you will start to give more fine-grained privileges to administrators. All fields in the above configuration line can be replaced by a list of values. A list of user names, a list of host names, a list of commands, and so on.
... ➦Sudo 1.9: using the new approval API from Python
Version 1.9 of sudo introduced the approval plugin API, making it possible to have extra restrictions before executing a command. These only run after the policy plugin has succeeded, so you can effectively add additional layers of policy without replacing the policy plugin and sudoers. Multiple approval plugins may be defined, and all must succeed in order for the command to be executed.
In this blog you will find a simple Python script utilizing the approval API.
... ➦Sudo 1.9: using the new Audit API from Python
Version 1.9 of sudo introduced a new API to access audit information. This is not a user-visible feature. In other words, you cannot use it directly from the sudoers file. It is an API, meaning that you can access audit information from plugins, including ones written in Python. You can use it in many different ways, like sending events from sudo directly to Elasticsearch or LaaS when something interesting happens. You can also use it for debugging and print otherwise difficult to access information to the screen in whatever format you like.
... ➦Sudo 1.9: using the group plugin from Python
Using the sudo group plugin, you can connect sudo to external systems and approve commands based on non-UNIX groups. For example, Authentication Services by One Identity uses this solution. Starting with version sudo 1.9, you can also write group plugins in Python. You can use this to check databases or APIs if the admin trying to run a command is a member of a group. This way you can check, for example, if an admin is on duty.
... ➦Sudo 1.9: accessing terminal data from Python
Sudo 1.9 is now feature complete. One of the new features is Python support, meaning that you can easily extend sudo functionality using Python scripts. It supports the very same APIs as the regular C plugin API, only the language is different. One of the more interesting APIs is the IO logging API, which provides access to terminal data in real-time, both input and output. This way you can check if a sudo user is accessing data that he should not, or analyze the commands entered and terminate a session before a disaster occurs.
... ➦What's new in sudo 1.9: recording service
Version 1.9 of sudo is now feature complete: all major features are implemented. On the other hand, sudo 1.9 needs testing and a bit of polishing before it can be made generally available. This is where you can help. Testing is easy, as for most platforms the project provides ready-to-install packages. In this blog I will show you how to test the recording service.
For an overview of 1.9 features see What is coming up in sudo 1.
... ➦What's new in sudo 1.9: Python
One of the most interesting new features of the upcoming sudo version 1.9 is Python support. While version 1.8 introduced plugin support, Python support means that you can extend sudo using the same APIs but write plugins in Python instead of C. Version 1.9 is still under development but you are encouraged to test it and provide feedback about your experiences. From this blog, you can learn how to install ready to use beta quality packages from the sudo website, how to compile it yourself (on CentOS) and how to test Python support using a very simple example script.
... ➦What is coming up in sudo 1.9?
I guess it is not an overstatement to say that many interesting new features are coming to sudo in version 1.9. On the other hand, most sudo users are still only aware of its basic functionality. In this blog I would like to draw your attention to my Opensource.com article, which describes some lesser known features of sudo. Finally, I will point you to four upcoming conference talks about different aspects of sudo.
... ➦Which sudo users to insult - sudo configuration basics
This blog helps you to get started with configuring sudo and learn how to avoid the most common mistakes. But the title “getting started with sudo” sounds a lot less interesting :-) Based on responses to my talks, one of the most popular configuration option of sudo is insults. You should not think about anything serious here: just some funny messages when a user mistypes a password. But as some users find these messages inappropriate, these are now disabled by default, but can be enabled.
... ➦After talk Q&A
After I finish a talk on sudo at a conference, I usually receive quite a few questions. Many of the answers I gave earlier were already included in the latest version of my sudo talk. The following is a collection of questions and answers from different conferences.
How can I change the insults (the funny messages displayed when someone enters the wrong password) of sudo? Right now the insult messages are hard-coded.