What you did NOT know about sudo…

I am Péter Czanik, an engineer working as an open source evangelist at One Identity, the company that develops syslog-ng. I assist Linux distributions and FreeBSD in maintaining the syslog-ng package, follow bug trackers, help users and talk regularly about sudo and syslog-ng at conferences (SCALE, All Things Open, FOSDEM, LOADays, and others). In my limited free time I am interested in non-x86 architectures, and work on one of my PPC or ARM machines.

Six years ago Balabit, the company I worked for, was acquired by One Identity. Soon after that I learned that Todd Miller, the maintainer of sudo, had become my colleague through the acquisition. Up until then I did not know much about sudo, just that it is a prefix on the command line when I want to run a command as administrator. Suddenly I wanted to know more about sudo, and I was quite surprised when I learned how many things you can do with it. Here I would like to showcase just a few of them.

Some lesser known sudo features

One of the first surprises I had was that sudo can do session recordings. Why is it important? When you give access to simple utilities, you can be sure that the administrator does not do anything unexpected. However, if you need to give shell access or text editor access, you only see that the shell or editor was started, but not what happened inside. With session recording you can see everything that happened inside a shell session.

Recent versions of sudo can also collect these recordings centrally. Why is it important? If you give your users shell access with administrator rights, they can also delete the recordings. They cannot do that if the recordings are saved to a remote machine. It is also convenient: there is one host to check for all the recordings instead of logging on to each host separately.

You can extend sudo using plugins. There are a number of open source and commercial plugins available. This is also how One Identity extends sudo with commercial features.

Developing plugins in the C programming language can prove to be difficult. This is why Python support was added to sudo. You can use the same APIs from Python as the C-based plugins. However, you do not need a dedicated development environment and distributing the plugins is also a lot easier.

I already mentioned that giving shell access to users can be problematic. Practically, they receive full access to your host. Session recording is one way to monitor these users. Recent versions of sudo can log and even intercept sub-commands. Of course you cannot monitor built-in shell commands this way, but you can log and even deny access to any sub-commands. Log monitoring can be automated, so you need to check the logs yourself only when something suspicious shows up in them.
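
The features described above, combined in one sudoers drop-in. This is an added example, not configuration from the original post or from the sudo project. The user names (admin1, operator1), the log server host name and the file name are placeholders, and it assumes a sudo version that supports these settings and a sudo_logsrvd host whose certificate the client can verify.

```sudoers
# Added example. User names, host name and file name are placeholders.
# Check syntax before deploying: visudo -c -f /etc/sudoers.d/shell-audit

# Session recording: capture terminal input and output of every sudo session.
Defaults log_input, log_output

# Central collection: send event logs and recordings to a sudo_logsrvd host
# over TLS (30344 is its default TLS port), out of reach of a local root shell.
Defaults log_servers = "logsrv.example.com:30344(tls)"

Cmnd_Alias SHELLS = /bin/sh, /bin/bash
Cmnd_Alias OPERATOR_TOOLS = /usr/bin/systemctl status *, /usr/bin/tail

# Log-only mode: every external command started from these shells is logged.
# Shell built-ins never reach sudo and stay invisible here.
Defaults!SHELLS log_subcmds

# admin1 gets an unrestricted root shell; sub-commands are logged, not checked.
admin1 ALL = (root) SHELLS

# operator1 gets a root shell in intercept mode: each sub-command is checked
# against this rule, so anything outside SHELLS and OPERATOR_TOOLS is denied
# and the attempt is logged.
operator1 ALL = (root) INTERCEPT: SHELLS, OPERATOR_TOOLS
```

The operator1 rule is written as an allow-list rather than "ALL minus a few commands", because a user with a shell can copy or rename a binary to get around a path-based deny entry.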

Work with us

While the primary focus of One Identity sudo developers is to develop commercial software on top of sudo, some of the features I mentioned earlier were developed in part in our Veszprém office. Most of our developers in our Budapest and Veszprém offices work with open source tools and when they run into a problem they fix it and contribute the fix to the open source project. Do you use sudo? Do you like open source? Would you like to work with sudo developers? Come to work at One Identity!
