sudo 1.9.0 release

Nine years after the 1.8.x branch was created, a major new release of sudo, 1.9.0, has been published. sudo is used to run commands on behalf of other users under a configured policy.

Key changes:

  • The release includes a new daemon, sudo_logsrvd, for centralized collection of logs from other systems. When sudo is built with the "--enable-openssl" option, log data is sent over a TLS-encrypted channel. Which servers to send logs to is configured with the log_servers option in sudoers. The "--disable-log-server" and "--disable-log-client" build options have been added to leave the new mechanism out. The sudo_sendlog utility is provided for testing the connection to the server and for sending existing logs;
  • Added the ability to write sudo plugins in Python, enabled by building with the "--enable-python" option;
  • A new plugin type, "audit", has been added. It receives messages about accepted and rejected commands as well as about errors that occur. This lets sites attach their own logging handlers that do not depend on the standard logging code (for example, a handler that writes logs in JSON format is implemented as such a plugin);
  • A new plugin type, "approval", has been added. It performs additional checks after the rule-based sudoers policy check has already succeeded. Several plugins of this type can be configured, and the command is allowed to run only if every listed plugin approves it;
  • "sudo -S" now writes all prompts to standard output or standard error instead of opening the controlling terminal device;
  • In sudoers, Cmd_Alias is now accepted as an alternative spelling of Cmnd_Alias;
  • New pam_ruser and pam_rhost settings control whether the remote user name and remote host are set when a session is established via PAM;
  • More than one SHA-2 digest can now be given for a command in sudoers, separated by commas. A SHA-2 digest can also be combined with the "ALL" keyword, so that any command may be run but only if its digest matches;
  • sudo and sudo_logsrvd now create an additional log file in JSON format that records all parameters of the executed commands, including the host name. This log is used by the sudoreplay utility, which can now filter commands by host name;
  • The list of command line arguments passed in the SUDO_COMMAND environment variable is now truncated to 4096 characters.
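The Python plugin support and the new "approval" plugin type fit together: an approval plugin is a Python class with a check() method that sudo calls after sudoers has already accepted the command, and it either returns sudo.RC.ACCEPT or raises sudo.PluginReject. The block below is an added example written for this article, not code shipped with sudo. It assumes a site policy (the shell and shell-escape deny-lists are constructed here) and an assumed sudo.conf line of the form "Plugin python_approval python_plugin.so ModulePath=/etc/sudo/deny_shells.py ClassName=DenyShellsApprovalPlugin". The policy decision is kept in a plain function, review(), so it can be unit-tested outside sudo, where the sudo module is not importable.

```python
"""deny_shells.py: a sudo 1.9 "approval" plugin written in Python.

Added example, not part of sudo. Assumed sudo.conf entry:
  Plugin python_approval python_plugin.so \
      ModulePath=/etc/sudo/deny_shells.py ClassName=DenyShellsApprovalPlugin
"""
import os

try:
    import sudo  # provided by sudo's python_plugin.so only when loaded by sudo
except ImportError:  # running outside sudo (unit tests, linting)
    sudo = None

# Constructed deny-lists: site policy assumed for this example, not sudo defaults.
SHELLS = frozenset({"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"})
# Tools that can spawn a shell from inside; refused only when running as root.
ROOT_ESCAPE_TOOLS = frozenset({"vi", "vim", "less", "more", "man", "find"})


def command_info_to_dict(command_info):
    """command_info arrives as a tuple of 'key=value' strings
    (e.g. 'command=/bin/ls', 'runas_uid=0'); a value may itself contain '='."""
    result = {}
    for entry in command_info:
        key, sep, value = entry.partition("=")
        if sep:
            result[key] = value
    return result


def review(command_info, run_argv):
    """Pure policy decision: return None to approve, or a reason string to reject."""
    info = command_info_to_dict(command_info)
    command = info.get("command", "")
    if not command:
        # Nothing to judge; refuse rather than silently approve.
        return "approval plugin: no command path in command_info"
    name = os.path.basename(command)
    if name in SHELLS:
        return "interactive shells are not allowed via sudo: %s" % command
    if info.get("runas_uid") == "0" and name in ROOT_ESCAPE_TOOLS:
        return "%s can spawn a shell; running it as root is not allowed" % name
    return None


# Outside sudo the base class falls back to object so the module still imports.
_Base = sudo.Plugin if sudo is not None else object


class DenyShellsApprovalPlugin(_Base):
    """sudo calls check() only after the sudoers policy accepted the command;
    every configured approval plugin must accept for the command to run."""

    def check(self, command_info, run_argv, run_env):
        reason = review(command_info, run_argv)
        if reason is not None:
            sudo.log_info(reason)          # recorded in sudo's log, shown to the user
            raise sudo.PluginReject(reason)
        return sudo.RC.ACCEPT
```

Because approval plugins run after the sudoers check, this plugin cannot grant anything sudoers denies; it can only narrow what sudoers allowed, which is why it is a safe place for site-wide restrictions that would be awkward to express as sudoers rules.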

Source: opennet.ru
