What's new in Sudo 1.9
Sudo is used by millions of Linux/Unix users to run commands as root or another privileged user, but most people are not familiar with all Sudo can do. Come listen to Sudo Project Maintainer Todd Miller and Open Source Evangelist Peter Czanick talk about changes in the next major release of Sudo, version 1.9. We will highlight changes to the Sudo Plugin interface, showcase the new centralized session recording functionality, and provide a short tutorial on writing Sudo plugins in Python. Finally, we will discuss some of the lesser-known features of Sudo.
We will begin with a short introduction to sudo, its history and how it has changed over the years. Next we will discuss how Sudo 1.9 supports centralized session recording using the standard sudoers plugin and a new Sudo log server. This will include how to configure both the client and server, how data is secured in transit and a brief overview of the protocol itself. We will also demonstrate the log server in action by recording a session to a remote server and playing back the session afterward.
Todd first unveiled the plugin architecture of Sudo 1.8 at Scale9x. We will cover the Sudo Plugin API, how it has changed since its introduction, and talk about the two new plugin types in Sudo 1.9: audit and approval plugins. An audit plugin can be used to perform custom logging of accepted and rejected commands run via sudo. This is useful for when sudo’s standard syslog-based logging is insufficient as the plugin has access to much more detail about the user’s environment and the environment the command is run in. Approval plugins can be used to provide an extra layer of policy separate from the policy in the sudoers file. An approval plugin is only called when a command is allowed by sudoers and can be used to implement “just in time” authorization or custom policy restrictions not supported by sudoers. We will discuss the new plugin APIs and demonstrate how they can be used.
Starting with Sudo 1.9, it is possible to write plugins in Python instead of C, including the new audit and approval plugins. Here we will demonstrate how to write sudo plugins in Python for all four plugin types: policy, I/O logging, audit and approval.
Finally, we will discuss some of the lesser known feature of sudo such as matching commands based on SHA-2 digests, sudo’s debug subsystem and how to store sudoers in LDAP.