Shulou (Shulou.com), 06/01 Report. Updated 2025-04-02.
This article explains in detail the new features of sudo on Linux. The editor thinks it is very practical and shares it here as a reference. I hope you get something out of reading it.
When you want to perform an operation on a POSIX system, one of the safest ways is to use the sudo command. Unlike logging in as root and running commands directly, which can be dangerous, sudo grants temporary permissions to any user designated as a "sudoer" by the system administrator to perform activities that are usually restricted.
For decades, this system helped protect Linux, Unix, and macOS systems from stupid errors and malicious attacks, and it is the default management mechanism for all major Linux distributions today.
When sudo 1.9 was released in May 2020, it introduced many new features, including centralized collection of session records, support for chroot within sudo, and a Python API. If you are surprised by any of these, please read my article to learn about some of the little-known features of sudo.
Sudo is more than just a prefix for administrative commands. You can fine-tune permissions, record what happens on the terminal, use plug-ins to extend sudo, store configurations in LDAP, do extensive logging, and more.
Version 1.9.0 and subsequent minor versions have added a variety of new features (which I will describe below), including:
A recording service that centrally collects sudo session records
Audit plug-in API
Approval plug-in API
Python support for plug-ins
Sudo built-in chroot and CWD support (since 1.9.3)
Where can I get sudo 1.9?
Most Linux distributions still package the previous generation of sudo (version 1.8) and will maintain this version for several years in long-term support (LTS) distributions. As far as I know, the Linux distribution that provides the most complete sudo 1.9 package is openSUSE Tumbleweed, which is a rolling distribution and has Python support in a subpackage of the sudo package. The most recent version of Fedora includes sudo 1.9, but without Python support. FreeBSD Ports has the latest version of sudo, and if you compile sudo yourself instead of using packages, you can enable Python support.
If your favorite Linux distribution does not already include sudo 1.9, check the sudo binary page to see if there are ready-made packages available for your system. Packages for some commercial Unix variants are also available on this page.
As usual, before you start experimenting with sudo settings, make sure you know the root password. Yes, even on Ubuntu. It's important to have a temporary "back door"; without it, if something goes wrong, you would have to hack your own system. Remember: a syntactically correct configuration does not guarantee that anyone can still do anything on the system through sudo!
Recording service
The recording service can collect session records centrally. This has many advantages over the local session record store:
It is easier to search in one place than to visit each machine to find records
Records remain available even when the sending machine is down
Local users cannot delete records if they want to cover up their tracks
For quick testing, you can send sessions to the recording service over an unencrypted connection. My blog contains instructions for a setup that takes a few minutes. For production environments, I recommend using encrypted connections. There are many possibilities, so please read the documentation to find what best suits your environment.
Audit plug-in API
The new audit plug-in API is not a user-visible feature. In other words, you cannot configure it from the sudoers file. It is an API, which means that you can access audit information from plug-ins, including plug-ins written in Python. You can use it in many different ways, such as sending events directly from sudo to Elasticsearch or to a logging-as-a-service (LaaS) provider when something interesting happens. You can also use it for debugging, printing otherwise inaccessible information to the screen in any format you like.
Depending on how you use it, you can find its documentation in the sudo plug-in man page (for C) and in the sudo Python plug-in manual. Python code examples can be found in the sudo source code, and there is also a simplified example on my blog.
Approval plug-in API
The approval plug-in API can add additional restrictions before the command is executed. These restrictions run only after the policy plug-in has succeeded, so you can effectively add additional policy layers without changing the policy plug-in, and therefore without changing the sudoers file. Multiple approval plug-ins can be defined, and all of them must succeed before the command can be executed.
Like the audit plug-in API, you can use it from C and Python. The sample Python code documented on my blog is a good introduction to this API. Once you understand how it works, you can extend it to connect sudo to a ticketing system and approve only sessions that have a relevant open ticket. You can also connect to the human resources database so that only the engineer on duty can get administrative privileges.
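The on-duty and open-ticket checks described above, sketched as a Python approval plug-in. This is an added example, not code from the author's blog or from the sudo project; the roster, the ticket IDs and the class and function names are constructed for illustration, and the `sudo` stand-in exists only so the logic can be tested outside sudo.

```python
from datetime import datetime

try:
    import sudo  # only importable inside sudo's embedded Python interpreter
except ImportError:  # minimal stand-in for testing the logic outside sudo
    import types
    sudo = types.SimpleNamespace(
        Plugin=object, PluginReject=type("PluginReject", (Exception,), {}),
        RC=types.SimpleNamespace(ACCEPT=1), log_info=print)

# Constructed sample data; a real deployment would query the ticketing/HR system.
ON_CALL = {"alice": (8, 20), "bob": (20, 8)}   # user -> (shift start, end hour)
OPEN_TICKETS = {"alice": ["OPS-1001"], "carol": ["OPS-1002"]}


def on_shift(hours, hour):
    start, end = hours
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end          # shift wraps past midnight


def denial_reason(user, now):
    """Return None if the session may proceed, else a human-readable reason."""
    # Fail closed: a user missing from the roster is treated as off duty.
    if user not in ON_CALL or not on_shift(ON_CALL[user], now.hour):
        return f"{user} is not the on-call engineer right now"
    if not OPEN_TICKETS.get(user):
        return f"{user} has no open ticket"
    return None


class OnCallApproval(sudo.Plugin):
    def __init__(self, user_info=(), **kwargs):
        # user_info arrives as a tuple of "key=value" strings
        self.user = dict(kv.split("=", 1) for kv in user_info).get("user", "")

    def check(self, command_info, run_argv, run_env):
        # Called only after the policy plug-in (sudoers) has allowed the command.
        reason = denial_reason(self.user, datetime.now())
        if reason:
            sudo.log_info(reason)
            raise sudo.PluginReject(reason)
        return sudo.RC.ACCEPT
```

A plug-in like this is loaded from sudo.conf with a line of the form `Plugin python_approval python_plugin.so ModulePath=<path to this file> ClassName=OnCallApproval`.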
Python support for plug-ins
Although I'm not a programmer, my favorite new feature in sudo 1.9 is Python support for plug-ins. Most of the APIs available in C can also be called from Python. Fortunately, sudo is not performance-sensitive, so relatively slow Python code is not a problem for it. There are many advantages to using Python to extend sudo:
Simpler and faster development
No compilation is required; you can even distribute code through configuration management
Many APIs do not have a ready-made C client, but do have Python code
In addition to the audit and approval plug-in APIs, there are other APIs that you can use to do some very interesting things.
You can replace the sudo policy engine by using the policy plug-in API. Please note that you will lose most of the sudo functionality and there is no sudoers-based configuration. This is useful in niche situations, but most of the time, it's best to keep using sudoers and use the approval plug-in API to create additional policies. If you want to give it a try, my Python plug-in introduction provides a very simple policy: only the id command is allowed. Again, make sure you know the root password, because once this policy is enabled, it will prevent any practical use of sudo.
You can access the input and output of the user's session using the I/O log API. This means that you can analyze what happens in the session and even terminate it if you find something suspicious. This API has many possible uses, such as preventing data leakage. You can monitor the screen for keywords, and if any of them appears in the data stream, you can disconnect before the keyword appears on the user's screen. Another possibility is to check what the user is typing and use the data to rebuild the command line that the user is entering. For example, if the user enters rm -fr /, you can disconnect the user before they press Enter.
The group plug-in API allows lookups for non-Unix groups. To some extent, this is similar to the approval plug-in API, because it also extends the policy plug-in. You can check whether a user belongs to a given group and act on the result in later parts of the configuration.
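For the I/O log API described above, the following added example (not from the original article or the sudo source) shows keyword monitoring of terminal output as a Python I/O plug-in. Output reaches the plug-in in arbitrary chunks, so the scanner keeps a short tail of the previous chunk to catch a keyword split across two calls; the watch list and class names are constructed, and the `sudo` stand-in only makes the code testable outside sudo.

```python
try:
    import sudo  # only importable inside sudo's embedded Python interpreter
except ImportError:  # minimal stand-in for testing the logic outside sudo
    import types
    sudo = types.SimpleNamespace(
        Plugin=object, RC=types.SimpleNamespace(OK=1, REJECT=0),
        log_error=print)

KEYWORDS = ("BEGIN RSA PRIVATE KEY", "CONFIDENTIAL")   # constructed watch list


class OutputScanner:
    """Finds keywords in a stream that is delivered in arbitrary chunks."""

    def __init__(self, keywords):
        self.keywords = tuple(keywords)
        # Keep just enough of the previous chunk to catch a keyword cut in two.
        self.keep = max(len(k) for k in self.keywords) - 1
        self.tail = ""

    def feed(self, chunk):
        """Return the first keyword found once this chunk is added, or None."""
        window = self.tail + chunk
        for kw in self.keywords:
            if kw in window:
                self.tail = ""          # do not report the same match twice
                return kw
        self.tail = window[-self.keep:] if self.keep else ""
        return None


class KeywordGuard(sudo.Plugin):
    def __init__(self, **kwargs):
        self.scanner = OutputScanner(KEYWORDS)

    def log_ttyout(self, buf):
        # Called with each piece of output written to the user's terminal.
        hit = self.scanner.feed(buf)
        if hit:
            sudo.log_error(f"session terminated: output matched {hit!r}")
            return sudo.RC.REJECT       # tells sudo to terminate the command
        return sudo.RC.OK
```

Plain substring matching misses keywords that are interleaved with terminal escape sequences, so a production filter would need to strip those before scanning.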
Chroot and CWD support
The latest features of sudo are support for chroot and for changing the working directory (CWD). Neither is enabled by default; you need to enable them explicitly in the sudoers file. When they are enabled, you can set the target directory or allow the user to specify which directory to use. The log reflects when these settings are used.
On most systems, chroot is only available to the root user. If one of your users needs chroot, you need to give them root permission, which is much more than just chroot permission. Alternatively, you can allow access to the chroot command through sudo, but that still leaves loopholes through which they can gain full privileges. When you use sudo's built-in chroot support, you can easily restrict access to a single directory. You can also give users the flexibility to specify the root directory. Of course, this can lead to disaster (for example, sudo --chroot / -s), but at least the events will be recorded.
When you run a command through sudo, it sets the working directory to the current directory. This is expected behavior, but there may be cases where the command needs to be run in a different directory. For example, I remember using an application that checked my permissions by checking whether my working directory was /root.