The new sudo 1.9.0 branch arrives, and this is what's new

Nine years after the 1.8.x branch of sudo was created, the release of a significant new version of the utility used to run commands on behalf of other users has been announced: Sudo 1.9.0, which also opens a new branch.

Sudo is one of the most essential utilities in Unix-like operating systems such as Linux, BSD or Mac OS X, since, as mentioned, it allows users to run programs with the security privileges of another user (usually root) in a controlled way, temporarily becoming the superuser.

By default, the user must authenticate with their own password when running sudo. Once the user has been authenticated, and if the /etc/sudoers configuration file grants the user access to the requested command, the system executes it.

There is the option of enabling the NOPASSWD parameter so that the user does not have to enter a password when executing the command. The /etc/sudoers configuration file specifies which users can execute which commands on behalf of which other users.

Since sudo is very strict about the format of this file and any error could cause serious problems, the visudo utility exists; it also checks that /etc/sudoers is not being edited from another root session, thus avoiding concurrent edits and possible corruption of the file.

Main new features in Sudo 1.9.0

In this new version, work was carried out to provide the background process «sudo_logsrvd», designed for centralized logging from other systems. When sudo is built with the «--enable-openssl» option, the data is transmitted over an encrypted communication channel (TLS).

Logging is configured using the log_servers option in sudoers; to disable support for the new log submission mechanism, the «--disable-log-server» and «--disable-log-client» build options are provided.

In addition, a new plugin type, «audit», has been added; it sends messages about successful and unsuccessful invocations as well as about the errors that occur, and it allows you to plug in your own log handlers that do not depend on the standard functionality. For example, a handler that writes records in JSON format is implemented as a plugin.

A new kind of plugin, «approval», has also been added; these plugins are used to perform additional checks after the basic rule-based policy check in sudoers has succeeded. Several plugins of this type can be specified in the configuration, but the operation is approved only when every plugin listed in the configuration approves it.

In sudo and sudo_logsrvd, an additional log file is created in JSON format, reflecting information about all the parameters of the executed commands, including the host name. This log is used by the sudoreplay utility, in which commands can be filtered by host name.

The command line argument list passed through the SUDO_COMMAND environment variable is now truncated to 4096 characters.

Other changes that stand out from the announcement:

  • The sudo -S command now prints all prompts to standard output or standard error, without accessing the controlling terminal device.
  • The sudo_sendlog utility is provided to test interaction with the log server or to send existing logs.
  • Added the ability to develop sudo plugins in Python, enabled at build time with the «--enable-python» option.
  • In sudoers, Cmd_Alias is now also valid in addition to Cmnd_Alias.
  • New settings, pam_ruser and pam_rhost, have been added to enable or disable setting the user name and host when a session is set up via PAM.
  • It is possible to specify more than one SHA-2 hash for a command, separated by commas. A SHA-2 hash can also be used in sudoers together with the "ALL" keyword to define commands that may only be executed when the hash matches.
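The settings described above (log_servers, pam_ruser/pam_rhost, Cmd_Alias and SHA-2 digests combined with ALL), as an added configuration example that is not part of the article or of the sudo project. Host names, user names and the digest values are placeholders; the two log servers are assumed to listen on sudo_logsrvd's default plain and TLS ports, and the TLS entry only works with a sudo built with --enable-openssl.

```sudoers
# Added example fragment for /etc/sudoers (sudo 1.9.0 syntax). Placeholders
# throughout: replace hosts, users and digests with real values.

# Forward event and I/O logs to two sudo_logsrvd instances. The first uses
# TLS (default TLS port 30344), the second the plain port 30343.
Defaults log_servers = "logsrv1.example.com:30344(tls) logsrv2.example.com:30343"

# Pass the invoking user and host to PAM when the session is set up.
Defaults pam_ruser, pam_rhost

# Cmd_Alias is accepted as a synonym of Cmnd_Alias since 1.9.0.
Cmd_Alias BACKUP = /usr/local/bin/backup-run

# Two SHA-256 digests for one command, comma-separated: either build of the
# binary is accepted; a binary with any other content is refused.
ops ALL = (root) sha256:<hex digest of build A>,sha256:<hex digest of build B> BACKUP

# A digest combined with ALL: the user may run any command, but only when
# the binary's SHA-256 matches the placeholder value below.
deploy ALL = (root) sha256:<hex digest of the approved binary> ALL
```

Edit the file with visudo so a syntax error does not lock you out; a wrong digest is not a syntax error, it simply causes the command to be refused when the file contents do not match.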
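An approval plugin written in Python, as an added example that is not the article's or the sudo project's own code: it ties together the «approval» plugin type described above and the Python plugin support listed in the changes. The plugin runs after sudoers has already accepted the command and vetoes it outside a maintenance window unless the command is on an allowlist; the window, the allowlist and the sudo.conf line in the docstring are assumptions. It follows the pattern of sudo's bundled example approval plugin: raising sudo.PluginReject refuses the command, returning normally approves it. The `sudo` module only exists inside sudo's python_plugin.so, so the import is guarded with local stand-ins to let the decision logic run on its own.

```python
"""Maintenance-window approval plugin for sudo 1.9 (added example).

Assumed sudo.conf line to load it (path and class name are assumptions):

    Plugin python_approval python_plugin.so \
        ModulePath=/usr/local/lib/sudo/maintenance_window.py \
        ClassName=MaintenanceWindowApproval
"""
from datetime import datetime

try:
    import sudo                                   # only inside python_plugin.so
    PluginBase, PluginReject = sudo.Plugin, sudo.PluginReject
except ImportError:                               # outside sudo: local stand-ins
    PluginBase = object

    class PluginReject(Exception):
        pass

# Assumptions for the example: these commands may run at any time, everything
# else only on weekdays between 08:00 and 17:59 local time.
ALWAYS_ALLOWED = frozenset({"/usr/bin/systemctl", "/usr/bin/journalctl"})
WINDOW_START, WINDOW_END = 8, 18


def parse_command_info(command_info):
    """sudo passes command_info as a tuple of 'key=value' strings."""
    return {key: value for key, _, value in
            (item.partition("=") for item in command_info)}


def rejection_reason(command_info, now):
    """Return None to approve, or the reason the command must be refused."""
    command = parse_command_info(command_info).get("command", "")
    if command in ALWAYS_ALLOWED:
        return None
    if now.weekday() >= 5:                        # Saturday or Sunday
        return f"{command} is not allowed at the weekend"
    if not WINDOW_START <= now.hour < WINDOW_END:
        return (f"{command} is only allowed between "
                f"{WINDOW_START:02d}:00 and {WINDOW_END:02d}:00")
    return None


class MaintenanceWindowApproval(PluginBase):
    """Approval plugin: sudo calls check() after the sudoers policy accepted."""

    def check(self, command_info: tuple, run_argv: tuple, run_env: tuple):
        reason = rejection_reason(command_info, datetime.now())
        if reason is not None:
            raise PluginReject(reason)            # veto: sudo refuses the command
        # Returning normally approves; the command still needs every other
        # approval plugin listed in sudo.conf to approve it as well.
```

Because all approval plugins must agree, this plugin can only narrow what sudoers already allows; it can never grant a command that the policy refused.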
